Carapace privacy@carapace.capital

Legal

Privacy Policy

Effective date: 1 May 2026  ·  Last updated: 11 May 2026

Short version: Carapace Capital Ltd operates BotOffice, a social media scheduling service. We collect what's needed to run the service, store OAuth tokens encrypted, never sell your data, and will delete everything on request. For questions: privacy@carapace.capital.

1. Data Controller

The data controller for all processing described in this policy is:

Carapace Capital Ltd
Company registration: HE 483413
Jurisdiction: Republic of Cyprus (European Union)
Contact: privacy@carapace.capital

References to "Carapace", "we", "us", or "our" in this policy all refer to Carapace Capital Ltd.

2. Scope of This Policy

This policy applies to personal data processed through:

  • carapace.capital — this website
  • post.botoffice.io — the BotOffice social media post scheduler, a self-hosted instance of the Postiz open-source platform operated by Carapace
  • Any other Carapace products or services that link to this policy

It does not apply to third-party platforms (such as Meta, X, LinkedIn) that you connect to through our service. Those platforms process your data under their own privacy policies.

3. Data We Collect

Account data

When you register for BotOffice, we collect your email address and a hashed password. If you are onboarded by an administrator, we may also store your name as provided during the invitation process.

Connected social media accounts

When you authorise BotOffice to publish on your behalf, we receive and store:

  • OAuth access tokens and (where issued) refresh tokens — stored encrypted at rest using AES-256
  • Platform-issued account identifiers (page IDs, profile IDs, channel IDs)
  • Display names and profile pictures as returned by the platform API, used solely for account identification within the app

Content and media

Post content (text, images, video) that you upload or schedule through the service is stored temporarily until the scheduled publication date and for a reasonable period afterwards for audit purposes.

Usage data

We collect standard server logs (IP address, request timestamps, HTTP method and URL, user-agent string) to maintain service security and diagnose errors. Logs are retained for a maximum of 30 days.

Payment data

If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We receive a customer identifier and subscription status from Stripe but do not store your full card number, CVV, or bank account details. See Section 6.

4. Purposes and Legal Basis for Processing

Purpose Legal basis (GDPR Art. 6)
Providing the scheduling service — authenticating you, storing your connected accounts, and publishing posts on your behalf Performance of a contract (Art. 6(1)(b))
Sending transactional emails (account invitations, password resets, scheduling confirmations) Performance of a contract (Art. 6(1)(b))
Security logging and fraud prevention Legitimate interests (Art. 6(1)(f)) — maintaining service integrity
Billing and subscription management Performance of a contract / Legal obligation (Art. 6(1)(b)(c))
Compliance with legal obligations (e.g., data subject requests, regulatory requirements) Legal obligation (Art. 6(1)(c))

We do not use your data for advertising, profiling, or any purpose not listed above.

5. Social Media Platform and API Data

BotOffice connects to social media platforms on your behalf using official platform APIs. The platforms we currently support include: Meta (Facebook Pages and Instagram Business), X (formerly Twitter), LinkedIn, TikTok, YouTube, Pinterest, Reddit, and Bluesky.

What we store

  • OAuth access tokens — encrypted at rest (AES-256). Required to publish posts on your behalf.
  • Refresh tokens — where issued by the platform, to maintain access without requiring you to re-authenticate. Also encrypted.
  • Account identifiers — platform-issued IDs for connected pages, profiles, and channels.
  • Scheduled post content — text and media you upload for future publication.

What we do not do

  • We do not share your OAuth tokens or social media account data with any third party beyond what is technically required to fulfil the publishing service (i.e., making the API call to the relevant platform on your behalf).
  • We do not use your connected social media accounts or their data for advertising, profiling, analytics resale, or any purpose other than delivering the scheduling service you requested.
  • We do not read, store, or analyse content from your social media timelines, followers, or messages beyond what you explicitly schedule through our interface.

Token lifecycle

OAuth tokens are subject to each platform's own expiration policy. When a token expires, you will be prompted to re-authenticate. Tokens are permanently and irreversibly deleted when you disconnect the associated account through the app, or when you request account deletion.

Platform terms

Use of connected social media platforms through BotOffice is also governed by each platform's own terms of service and developer policies. By connecting a platform account you confirm you are authorised to do so.

6. Payments

Payments for paid plans are processed by Stripe, Inc. (1 Global Payments, Dublin, Ireland / San Francisco, CA). When you subscribe, you are directed to Stripe's hosted payment interface. Stripe is certified to PCI DSS Level 1.

We store from Stripe: your Stripe Customer ID, subscription plan and status, and billing history (invoice amount and date). We do not store or process raw card data.

Stripe's privacy policy is available at stripe.com/privacy.

7. Data Sharing

We share personal data only in the following circumstances:

Recipient Purpose Safeguard
Social media platforms (Meta, X, LinkedIn, TikTok, YouTube, Pinterest, Reddit, Bluesky) Publishing posts on your behalf via official APIs Only your OAuth token and post content are transmitted; platforms' own developer agreements apply
Stripe, Inc. Payment processing Standard Contractual Clauses (SCCs); PCI DSS Level 1
Resend, Inc. Transactional email delivery (invitations, password resets) Data Processing Agreement; email addresses only
Hetzner Online GmbH Cloud hosting (server located in Falkenstein, Germany, EU) EU-based; GDPR-compliant hosting contract

We do not sell personal data. We do not share data with data brokers, advertising networks, or analytics providers.

8. International Data Transfers

Our primary server infrastructure is hosted at Hetzner Online GmbH in Germany (EU/EEA). Some of our sub-processors — including Stripe and Resend — are headquartered in the United States.

For transfers of personal data from the EU/EEA to the United States or other third countries, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46(2)(c), and where applicable on the EU–US Data Privacy Framework.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@carapace.capital.

9. Data Retention

Data type Retention period
Account data (email, hashed password) Duration of active account + 30 days after deletion request
OAuth tokens and social account identifiers Until account disconnection or deletion request — then permanently deleted
Scheduled post content and media Until published + 90 days, or until account deletion
Server access logs 30 days maximum
Billing records 7 years (legal accounting obligation under Cyprus law)

10. Your Privacy Rights

Rights under GDPR (EU/EEA residents)

You have the following rights under the General Data Protection Regulation:

  • Right to access (Art. 15) — request a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — request correction of inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@carapace.capital. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority; in Cyprus this is the Office of the Commissioner for Personal Data Protection.

Rights under CCPA/CPRA (California residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, and share
  • Right to delete — request deletion of your personal information
  • Right to correct — request correction of inaccurate personal information
  • Right to opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

To submit a CCPA request, email privacy@carapace.capital with "CCPA Request" in the subject line. We will respond within 45 days.

11. Minors

BotOffice is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a minor, please contact us at privacy@carapace.capital and we will promptly delete it.

12. Cookies and Tracking

Our website (carapace.capital) does not use tracking cookies, analytics scripts, or advertising pixels. We do not use any third-party analytics services on this site.

The BotOffice application (post.botoffice.io) uses a single session cookie required for authentication. This cookie is strictly necessary for the service to function and does not track you across other sites.

13. Security

We implement industry-standard security measures including:

  • TLS encryption in transit for all connections (enforced by Caddy reverse proxy)
  • AES-256 encryption at rest for OAuth tokens
  • Bcrypt password hashing
  • Network isolation — the application server is not directly accessible from the public internet except via the TLS proxy
  • Regular dependency updates

No method of transmission or storage is 100% secure. If you believe you have found a security vulnerability, please disclose it responsibly to privacy@carapace.capital.

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you by email. Continued use of the service after the effective date of an update constitutes acceptance of the updated policy.

Previous versions of this policy are available on request.

15. Contact Us

For any privacy-related questions, data subject requests, or complaints:

Carapace Capital Ltd
Email: privacy@carapace.capital

For account deletion and social media token removal, you may also visit: carapace.capital/legal/data-deletion/