Privacy Policy

Last updated: April 4, 2026

GDPR Compliant · LOPDGDD (Spain)

1. Controller

WeeBee Design S.L.
Calle Gremi de Fusters 33, Local 6
07009 Palma de Mallorca, Spain
Email: fabian@hiddin.app
Tax ID: ESB01597624

2. What Data We Collect

We collect the following personal data when you use Hiddin:

• Restaurant owners: Name, email address, business name, address, phone number, payment information (via Stripe)
• Influencers: Name, email address, TikTok profile data (display name, follower count, avatar), Instagram profile data, bank account details (IBAN) for payouts
• Newsletter subscribers: Email address, first name, city (optional), preferred language, subscription source
• All users: IP address, device information, usage data, cookies

3. TikTok Integration

When you connect your TikTok account to Hiddin, we access the following data via the TikTok Login Kit API:

• user.info.basic: Your TikTok display name and profile picture. Used to display your influencer profile within Hiddin.
• user.info.stats: Your follower count, following count, and likes. Used to calculate your Hiddin Score and verify eligibility for restaurant campaigns.

We do not post content on your behalf. We do not store your TikTok credentials. You can disconnect your TikTok account at any time in your Hiddin profile settings.

4. Instagram Integration (Instagram Graph API)

When you connect your Instagram Business or Creator account to Hiddin, we access the following data via the Instagram Graph API (Facebook Login for Business):

• instagram_basic: Your Instagram username, profile picture, account type (Business/Creator) and media list. Used to display your verified influencer profile inside Hiddin.
• instagram_manage_insights: Follower count, reach, impressions, story-views and engagement-rate over the last 30 days. Used to calculate your "Hiddin Score" (0–100) which restaurant owners see when browsing the influencer marketplace. Restaurants never see raw insight data — only the aggregated score.
• pages_show_list: The list of Facebook Pages you manage. Required by Meta to discover which Page is linked to your Instagram Business Account.
• pages_read_engagement: Basic Page-Engagement signals tied to your Instagram Business Account. Required by Meta because Instagram Business permissions flow through the connected Facebook Page.

What we do NOT do: We do not post on your behalf, we do not read your DMs, we do not access your contacts, we do not manage ads on your account. We do not sell your data to third parties.

Storage & Refresh: Access tokens are encrypted (AES-256-CBC) and stored only on our EU-hosted backend. Insights are refreshed at most every 7 days and cached on our servers. Tokens are valid for 60 days and can be revoked at any time.

Disconnect: You can disconnect your Instagram account at any time inside Hiddin (Settings → Social Media → Instagram → "Trennen") or via your Facebook Settings → Apps and Websites → Hiddin → Remove. We then permanently delete all Instagram data within 30 days, as confirmed by our Data Deletion Callback.

5. Legal Basis for Processing

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Hiddin service
• Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, platform security, analytics
• Consent (Art. 6(1)(a) GDPR): Newsletter subscriptions, marketing cookies, social media connections
• Legal obligation (Art. 6(1)(c) GDPR): Tax records, invoicing

6. How We Use Your Data

• Providing and improving the Hiddin platform
• Matching influencers with restaurant campaigns
• Processing payments and payouts
• Sending transactional emails (password reset, payout notifications, invoices)
• Sending newsletter campaigns (only with explicit double opt-in consent)
• Fraud prevention and platform security
• Legal compliance and tax obligations

7. Data Sharing

We share your data only with:

• Stripe: Payment processing (USA — Standard Contractual Clauses apply)
• Resend: Email delivery (EU — based in EU, GDPR-compliant)
• Anthropic: AI-powered features (USA — Standard Contractual Clauses apply)
• OpenAI: Voice transcription (USA — Standard Contractual Clauses apply)
• Wise / PayPal: Payouts to influencers (EU/USA — Standard Contractual Clauses apply)
• Meta Platforms: Analytics and advertising (USA — Standard Contractual Clauses apply)

We never sell your personal data to third parties.

8. Data Retention

• Account data: Retained for the duration of your account + 3 years after deletion
• Invoice and payment data: 10 years (Spanish tax law requirement)
• Newsletter subscriptions: Until you unsubscribe or request deletion
• Server logs: 90 days

9. Your Rights

Under GDPR and LOPDGDD, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a machine-readable format
• Objection: Object to certain types of processing
• Restriction: Request restricted processing

To exercise your rights, contact us at fabian@hiddin.app or use our Data Deletion Request page.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es

10. Cookies

We use the following cookies:

• Essential: Required for the platform to function (session, authentication)
• Analytics: Anonymous usage statistics to improve the platform (only with consent)
• Marketing: Meta Pixel for advertising measurement (only with consent, Pixel ID: 808552888395713)

11. Contact

For any privacy-related questions:
Email: fabian@hiddin.app
Address: WeeBee Design S.L., Calle Gremi de Fusters 33, 07009 Palma de Mallorca, Spain