Privacy Policy
How Merkflow collects, uses, and protects your personal data.
Who we are
Merkflow is an AI-powered social media management platform operated by Niels van Haren Holding B.V. (trading as Merkflow), a company registered in the Netherlands (Chamber of Commerce: 73338397).
For the purposes of the General Data Protection Regulation (GDPR), we are the data controller for the personal data described in this policy.
Saltshof 2014
6604 ES Wijchen
The Netherlands
Email: support@merkflow.eu
Website: https://www.merkflow.eu
Data we collect
We collect only the data necessary to provide the Merkflow service.
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, profile photo | Google OAuth, LinkedIn OAuth, or email/password registration |
| Password (if applicable) | Hashed password (bcrypt/argon2 — never stored in plaintext) | Provided at registration; only applies to email/password accounts |
| Social media tokens | OAuth access & refresh tokens for LinkedIn, Instagram, Facebook, X | Platform OAuth flows; encrypted at rest |
| Brand data | Website URLs, onboarding answers, post content you create or approve | Provided directly by you |
| AI-generated content | Post drafts, captions, hashtags generated by the AI | Created by Merkflow on your behalf |
| Analytics data | Impressions, reach, engagement metrics per post | Fetched from social platform APIs |
| Usage data | Posts generated, platforms connected, workspace activity | Automatically collected |
| Technical data | IP address, browser type, device type, session identifiers | Automatically collected |
| Payment data | Subscription plan, billing history | Mollie (we never store card numbers) |
We do not collect special categories of personal data (Article 9 GDPR) such as health, religion, or biometric data.
Why we collect it
| Purpose | Description |
|---|---|
| Authentication | To sign you in securely via Google OAuth, LinkedIn OAuth, or email/password, and to maintain your session. For email/password accounts, your password is hashed before storage using a one-way algorithm and is never readable by us. |
| Social publishing | To publish posts to your connected LinkedIn, Instagram, Facebook, and X accounts on your behalf. |
| AI content generation | To generate post drafts using your brand knowledge as context. Your brand data is sent as prompt input to our AI provider (Anthropic). |
| Analytics | To display post performance metrics fetched from social platform APIs within your dashboard. |
| Product notifications | To send you service-related emails (e.g. publishing errors, weekly digests). You can unsubscribe at any time. |
| Platform improvement | Aggregated, anonymised usage data helps us understand which features are used and where to invest. No individual users are identified in this analysis. |
| Security & fraud prevention | To detect and prevent abuse, unauthorised access, and technical failures. |
| Legal compliance | To fulfil our obligations under applicable law, including GDPR and Dutch law. |
Legal basis for processing
Under GDPR Article 6, we rely on the following legal bases:
| Legal basis | When we rely on it |
|---|---|
| Contract (Art. 6(1)(b)) | Processing necessary to provide the Merkflow service you signed up for — including authentication, publishing, and analytics. |
| Legitimate interest (Art. 6(1)(f)) | Security, fraud prevention, and aggregated product improvement. We have balanced these interests against your rights and concluded they do not override your fundamental interests. |
| Consent (Art. 6(1)(a)) | Marketing emails and newsletters. You can withdraw consent at any time by clicking “Unsubscribe” in any email or emailing us. |
| Legal obligation (Art. 6(1)(c)) | Retention of certain records required by Dutch law (e.g. financial records, consent audit logs). |
Third parties we work with
We share data with the following sub-processors to deliver the service. We have a Data Processing Agreement (DPA) with each.
| Provider | Role | Location |
|---|---|---|
| Anthropic | AI content generation. Your brand context and approved post content is sent as prompt input. Anthropic does not use API inputs to train models by default. | United States (SCCs in place) |
| Meta (Facebook / Instagram) | Post publishing and analytics retrieval via the Meta Graph API. | United States (SCCs in place) |
| Post publishing and analytics retrieval via the LinkedIn API. | United States (SCCs in place) | |
| Authentication (OAuth). We receive your name, email, and profile photo only. | United States (SCCs in place) | |
| Hetzner Online GmbH | Cloud infrastructure. All servers are located in Germany (EU). | Germany, EU |
| Mollie | Payment processing. We never store card or payment details; Mollie handles all payment data. Mollie is headquartered in Amsterdam, the Netherlands. | Netherlands, EU |
| fal.ai | AI image generation (Pro and Agency plans only). | United States (SCCs in place) |
We do not sell your data. We do not share your personal data with advertisers, data brokers, or any other third parties except those listed above for the stated purposes.
Data retention
We keep your data for as long as necessary to provide the service or meet legal obligations.
| Data type | Retention period |
|---|---|
| Account & brand data | Until account deletion |
| Published post content | Until account deletion |
| Post analytics (impressions, reach, etc.) | 90 days rolling |
| Connected Products API events | 365 days rolling |
| Failed publish reasons | 30 days (then anonymised) |
| OAuth tokens (social platforms) | Deleted immediately when you disconnect a platform |
| Consent audit logs | 7 years (legal requirement) |
| Account deletion request records | 7 years (legal requirement) |
| Anonymised usage data | Indefinitely (no individual can be identified) |
When you delete your account, all personal data is permanently erased within 30 days of the deletion request. A confirmation email will be sent when deletion is complete.
Your rights under GDPR
As a data subject under the GDPR, you have the following rights. These can be exercised free of charge and we will respond within 30 days.
Request a copy of all personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Request permanent deletion of your personal data (“right to be forgotten”).
Receive your data in a structured, machine-readable format (JSON/CSV).
Ask us to pause processing of your data while a dispute is resolved.
Object to processing based on legitimate interests or for direct marketing.
Withdraw consent for marketing emails at any time without affecting prior processing.
Merkflow does not make solely automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, or to download or delete your data directly, log in to your account and go to Settings → Privacy & Data, or email us at support@merkflow.eu.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
Security
Encryption at rest: All OAuth access tokens and refresh tokens are encrypted using AES-256-GCM before being stored in the database. The encryption key never leaves the application layer.
Encryption in transit: All data is transmitted over HTTPS/TLS. Unencrypted connections are rejected.
Infrastructure: The platform runs on Hetzner servers in Germany (EU). No personal data is stored outside the EU by default.
Password security: Passwords (for email/password accounts) are hashed using a one-way algorithm (bcrypt/argon2) and are never stored in readable form — not even by us.
Access control: Access to production systems is restricted to authorised personnel via key-based authentication.
Incident response: In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours and affected users without undue delay, as required by GDPR Article 33–34.
International data transfers
Our infrastructure is hosted in Germany (EU). However, some of our sub-processors are based in the United States. We ensure adequate protection for these transfers through:
Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914) are in place with all US-based sub-processors, including Anthropic, Meta, LinkedIn, Google, and fal.ai.
These transfers are made in accordance with GDPR Chapter V and the Schrems II ruling requirements, including a Transfer Impact Assessment (TIA) where appropriate.
LinkedIn & Meta platform compliance
LinkedIn data: We access your LinkedIn profile, organisation pages, and post analytics solely to provide the Merkflow service. We do not store LinkedIn member data beyond what is necessary for the service. We comply with the LinkedIn API Terms of Use and the LinkedIn Privacy Policy. LinkedIn member data is not used for advertising, re-sold, or shared with third parties beyond the processors listed in Section 5.
Meta (Facebook & Instagram) data: We access your Facebook Pages, Instagram Professional accounts, and post metrics solely to publish content and display analytics within Merkflow. We comply with Meta’s Platform Policy and Data Policy. Meta user data is not used for advertising, profiling, or any purpose beyond the stated service.
Data deletion callback: Meta requires that we provide a mechanism for users to request deletion of data associated with their Facebook login. You can request deletion of all your Merkflow data (including any data obtained via Facebook) by:
- Visiting Settings → Privacy & Data → Delete Account in your Merkflow dashboard, or
- Emailing support@merkflow.eu with the subject line “Data Deletion Request”, or
- Removing Merkflow from your Facebook app settings at facebook.com/settings, which triggers an automatic deletion request.
Upon receiving a deletion request through any of the above channels, all data associated with your account will be permanently deleted within 30 days. You will receive a confirmation email when deletion is complete.
Note for Meta App Review: The data deletion callback URL for the Merkflow Facebook application is: https://www.merkflow.eu/data-deletion. This endpoint processes signed deletion requests from Facebook and confirms deletion within 30 days.
Children
Merkflow is a professional B2B platform intended for adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has created an account, please contact us at support@merkflow.eu and we will delete the account promptly.
Changes to this policy
We may update this privacy policy from time to time. For any material changes — changes that meaningfully affect your rights or how we use your data — we will notify you by email at least 14 days before the change takes effect.
The “Last updated” date at the top of this policy reflects the most recent revision. The current version is always available at https://www.merkflow.eu/privacy-policy/.
Continued use of Merkflow after a change takes effect constitutes acceptance of the updated policy, where permitted by law.
Contact
If you have questions about this privacy policy, want to exercise your data rights, or have a complaint, please contact us:
Saltshof 2014
6604 ES Wijchen
The Netherlands
Email: support@merkflow.eu
We aim to respond to all privacy-related requests within 30 days in accordance with GDPR Article 12(3). If your request is complex or numerous, we may extend this by a further two months and will inform you accordingly.
2509 AJ Den Haag
The Netherlands
autoriteitpersoonsgegevens.nl