GDPR Compliance
Effective date: 1 April 2026 · www.thesocialforks.com
GDPR Summary
TheSocialForks is designed with GDPR compliance at its core. Because the platform is self-hosted, the operator who installs and runs it is the data controller. The platform processes data only as necessary, encrypts sensitive data at rest, and provides mechanisms for exercising every data subject right listed below.
1. Data Controller & Processor
| Role | Party |
|---|---|
| Data Controller | TheSocialForks Operator (the person who installs and manages the platform) |
| Data Processor (AI) | Anthropic (Claude API) — for AI content generation only |
| Sub-processors | Connected social platforms (LinkedIn, Meta, Reddit, etc.), which receive the content you publish under their own terms and DPAs |
2. Lawful Bases for Processing
Under Article 6 of the GDPR, we rely on the following lawful bases:
- Contract (Art. 6(1)(b)): Processing necessary to provide the platform service to you
- Legitimate Interests (Art. 6(1)(f)): Security logging, analytics for platform improvement, fraud prevention
- Consent (Art. 6(1)(a)): Non-essential cookies and optional features
- Legal Obligation (Art. 6(1)(c)): Compliance with law enforcement requests where required
3. Your Data Subject Rights
Right of Access (Art. 15)
Request a copy of all personal data we hold about you
→ Email legal@thesocialforks.com
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data
→ Update in Settings or email us
Right to Erasure (Art. 17)
"Right to be forgotten" — delete your account and all associated data
→ Settings → Delete Account, or email us
Right to Portability (Art. 20)
Receive your data in JSON/CSV format
→ Email legal@thesocialforks.com
Right to Restriction (Art. 18)
Limit how we process your data while disputes are resolved
→ Email legal@thesocialforks.com
Right to Object (Art. 21)
Object to processing based on legitimate interests
→ Email legal@thesocialforks.com
Right to Withdraw Consent
For cookie consent or any consent-based processing
→ Use cookie banner or email us
Right to Lodge a Complaint
Complain to your national data protection authority
→ ICO (UK), CNIL (France), etc.
All requests are answered within one month of receipt, as required by Article 12(3) GDPR. For complex or numerous requests that period may be extended by up to two further months; if so, you are told the reason for the delay within the first month.
4. Data Security Measures
Encryption at rest
All stored OAuth tokens are encrypted with AES-256-GCM. User passwords are never stored in clear text; only bcrypt hashes are kept.
Encryption in transit
All connections use TLS 1.2+. HTTPS enforced on all endpoints.
Access control
Role-based access control (OWNER, ADMIN, EDITOR, VIEWER). TOTP 2FA required for OWNER role.
Audit logging
Every data mutation writes an immutable audit log entry in the same database transaction.
Token isolation
OAuth tokens decrypted only in worker memory at publish time — never logged.
Proxy isolation
Each social account uses its own dedicated residential proxy — accounts never share an IP.
Session security
HTTP-only, Secure, SameSite=Strict cookies. No localStorage for sensitive tokens.
5. Data Transfers Outside the EEA
When you publish content to social platforms (LinkedIn, Meta, Reddit, X, etc.) or use AI content generation (Anthropic Claude), that data leaves your server and may be processed on servers outside the EEA. Such transfers rely on the receiving platform's Standard Contractual Clauses (SCCs) or on an applicable GDPR adequacy decision.
The TheSocialForks platform itself stores all of its data on your self-hosted server, so you control where that server, and the data on it, is located.
6. Data Retention
| Data type | Retention period |
|---|---|
| User accounts | Until deletion request. Removed within 30 days of request. |
| Social OAuth tokens | Deleted immediately when account is disconnected. |
| Post content & drafts | 2 years, then anonymised. |
| Analytics / click logs | 2 years, then aggregated anonymously. |
| Security audit logs | 1 year. |
| Server access logs | 30-day rolling window. |
| Cookie consent records | 13 months from consent date. |
7. Children's Privacy
TheSocialForks is not directed at persons under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at legal@thesocialforks.com.
8. Contact & DPO
For all GDPR-related enquiries, data subject requests, or to report a potential data breach: