Privacy Policy
Last updated: April 2026
Data Controller
Diffract is published by Théo Fourcat, sole proprietor (auto-entrepreneur), SIRET 921 112 462 00012, Lyon, France. For any questions: [email protected].
Data Collected
We collect the following categories of data:
- Account information,email address and name
- Brand content,visual elements and guidelines you provide
- Media files,images and videos you upload
- Social accounts,Instagram and Facebook connection data (username, profile ID, OAuth tokens) used to publish on your behalf
- Created content,posts, conversations, and content generated through the service
- Usage data,anonymized service usage statistics
Processing Purposes
- Deliver the Diffract service: content creation, scheduling, and publishing
- Maintain your brand identity consistency
- Publish to your social media with your authorization
- Improve the service
Legal Basis
Your data is processed on the basis of contract performance (GDPR Article 6.1.b) for delivering the service, and consent (Article 6.1.a) for optional features.
Third-Party Processors
To deliver our service, your data may be processed by the following sub-processors:
- Google (Gemini),AI content generation,United States
- Amazon Web Services (ECS, S3, SES),application hosting, media storage, and email delivery,European Union (eu-central-1)
- Neon,database (accounts, social connections, and OAuth tokens),European Union (eu-central-1)
- Cloudflare,hosting and content delivery,United States
- Meta Platforms,social media publishing,United States
- Amazon Web Services (Cognito),authentication,European Union (eu-central-1)
- Stripe,payment processing,United States (we do not store payment details)
- OpenAI,image generation,United States
International Transfers
Some of our sub-processors are located in the United States (Google, OpenAI, Meta Platforms, Stripe, Cloudflare). These transfers are governed by EU Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46.2.c, ensuring an adequate level of protection for your personal data.
Data Retention
Your data is retained for the duration of your active account. Upon account deletion, all personal data is permanently removed within 30 days.
Your Rights
Under GDPR, you have the following rights:
- Right of access,obtain a copy of your personal data
- Right to rectification,correct inaccurate data
- Right to erasure,request deletion of your data
- Right to portability,receive your data in a machine-readable format
- Right to restriction,limit the processing of your data
- Right to object,object to the processing of your data
- Right to withdraw consent,where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise your rights: [email protected]. You may also file a complaint with the CNIL (www.cnil.fr).
Cookies
Diffract uses cookies that are strictly necessary for the service to function (security, session, and saving your cookie choices). With your consent, we also use advertising-measurement cookies (Meta Pixel and Conversions API) to evaluate and improve our advertising campaigns. For audience measurement we use a privacy-friendly, EU-hosted analytics tool (PostHog) configured without cross-site tracking cookies. You can change or withdraw your consent at any time via the “Cookie settings” link in the footer.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls limited to authorized personnel, and regular security reviews of our infrastructure.
Minors
The Diffract service is not intended for users under the age of 16. We do not knowingly collect personal data from minors. If we become aware that personal data from a minor has been collected, we will delete it promptly.
Data Breach Notification
In the event of a personal data breach, the CNIL will be notified within 72 hours in accordance with GDPR Article 33. Affected users will be notified without undue delay in accordance with GDPR Article 34, when the breach is likely to result in a high risk to their rights and freedoms.
Meta Data Deletion
If you connected your Instagram or Facebook account to Diffract, you can request deletion of all associated data through Meta's settings. When Meta sends us a deletion request, all data linked to your Meta account is automatically removed from our systems. This process completes within 48 hours.
Account Deletion
You can delete your account at any time from your dashboard. Deletion permanently removes all your personal data, content, and files. This action is irreversible.
Changes
This policy may be updated at any time. Any changes will be published on this page.