Privacy Policy

Last updated: 23 February 2026

This Privacy Policy explains how Fulcrank (“we”, “us”, or “our”) collects, uses, stores, and shares your personal data when you use our platform at www.fulcrank.com and related services (collectively, the “Service”). Fulcrank is a social media management platform that helps you create AI-generated content, schedule posts to Instagram, and track analytics.

We are the data controller for the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018). If you have any questions about this policy or our data practices, contact us at support@fulcrank.com.

1. Data We Collect

The data we collect depends on how you interact with the Service. We do not collect shipping addresses, phone numbers, or passwords — authentication is handled via third-party OAuth providers.

Account Data

When you sign up via GitHub or Google OAuth, we receive and store your name, email address, and profile image. We do not receive or store your password.

Instagram Account Data

When you connect an Instagram account through our integration partner Late (getlate.dev), we receive your Instagram username, profile image, and platform identifier. This allows us to schedule and publish posts on your behalf.

Brand and Content Preferences

During onboarding and in your settings, you provide brand information (brand name, logo, visual preferences) and content preferences (tone of voice, niche, hashtag preferences, CTA style, posting schedule, and timezone). This data is used to personalise AI-generated content for your account.

AI-Generated Content

When you use the Service to generate posts, we store the AI-generated captions, images, and videos created on your behalf. This content is generated by our AI content partner (Instabot, hosted on Modal) using your brand data and preferences.

Usage and Credit Data

We track your credit balance, credit consumption, and content generation history to manage your subscription and provide usage analytics within your dashboard.

Billing Data

Payments are processed by Stripe. We store your Stripe customer ID, subscription status, and billing plan. We do not store your credit card number, CVV, or full payment details — these are held securely by Stripe.

Analytics and Engagement Data

We retrieve follower counts, engagement metrics, and post performance data from Instagram via the Late API to display analytics in your dashboard.

Technical and Usage Data

We automatically collect device information, browser type, pages visited, and interactions with the Service through Vercel Analytics and Vercel Speed Insights. Error reports and crash data are collected via Sentry, which may include your user ID and email for debugging purposes.

Cancellation Feedback

If you cancel your subscription, we may collect a cancellation reason and optional feedback to improve the Service.

2. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Performance of a contract — Processing necessary to provide the Service to you, including account management, content generation, post scheduling, and billing.
  • Consent — Where you have given specific consent, such as for marketing communications or non-essential cookies. You may withdraw consent at any time.
  • Legitimate interests — For purposes such as improving the Service, analytics, fraud prevention, and security monitoring, where our interests do not override your rights and freedoms.
  • Legal obligation — Where we are required to retain data for tax, accounting, or regulatory purposes.

3. How We Use Your Data

  • Service delivery — Generating AI content, scheduling posts, displaying analytics, managing credits and subscriptions.
  • Account management — Authentication, profile management, and customer support.
  • Communications — Transactional emails (post approvals, subscription confirmations, cancellation receipts) and, with your consent, marketing communications.
  • Analytics and improvement — Understanding how the Service is used, identifying errors, and improving features.
  • Security — Rate limiting, fraud prevention, and abuse detection.

4. Third-Party Data Processors

We share your data with the following third-party service providers who process it on our behalf:

Provider | Purpose | Data Shared
Late API (getlate.dev) | Instagram account access, post scheduling, analytics | Instagram credentials, post content, schedule data
Instabot (Modal-hosted) | AI content generation (captions, images, videos) | Brand data, content preferences, logo
Stripe | Payment processing, subscription management | Email, billing plan, payment information
Resend | Transactional email delivery | Email address, email content
Sentry | Error monitoring and reporting | User ID, email, error context, device info
Vercel (Analytics & Speed Insights) | Usage analytics, performance monitoring | Page views, device info, performance metrics
Upstash (Redis) | Rate limiting | IP address, user identifiers
GitHub / Google | OAuth authentication | Name, email, profile image (received from provider)

5. International Data Transfers

Some of our third-party processors are based outside the United Kingdom, primarily in the United States (including Vercel, Stripe, Sentry, and Resend). Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • Transfers to countries with an adequacy decision from the UK Secretary of State.
  • Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO).
  • The processor's binding corporate rules or equivalent safeguards.

6. Data Retention

We retain your personal data as follows:

  • Active account — Data is retained for the duration of your account.
  • After cancellation — Your Instagram connection is disconnected immediately. Scheduled posts are cancelled and credits are zeroed. Brand settings and content history are retained for 30 days to allow reactivation, then permanently deleted.
  • Billing records — Retained for up to 7 years as required by UK tax and accounting law.
  • Error and analytics data — Automatically expired according to each processor's retention policy (typically 30–90 days).

You may request deletion of your data at any time by contacting support@fulcrank.com.

7. Automated Decision-Making and AI

Fulcrank uses artificial intelligence to generate content suggestions (captions, images, and videos) based on your brand data and content preferences. This is automated processing, but it does not produce legal or similarly significant effects — by default, generated content is published automatically on your chosen schedule. You may enable an optional approval mode so that each post requires your explicit approval via email before it goes live. You always have full control over your publishing preferences.

8. Cookies

We use cookies and similar technologies for essential functionality (such as authentication sessions) and, with your consent, for analytics and error monitoring. For full details on the cookies we use and how to manage your preferences, see our Cookie Policy.

9. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete personal data.
  • Right to erasure — Request deletion of your personal data, subject to legal retention requirements.
  • Right to restrict processing — Request that we limit the processing of your personal data in certain circumstances.
  • Right to data portability — Receive your personal data in a structured, commonly-used, machine-readable format.
  • Right to object — Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@fulcrank.com. We will respond within one month of receiving your request.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing details of the breach and the steps we are taking.

11. Children

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@fulcrank.com and we will delete the data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. We will post the updated policy on this page and update the “Last updated” date. For material changes, we will notify you by email or through a notice on the Service at least 30 days before the changes take effect.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:

Fulcrank
Email: support@fulcrank.com

You also have the right to contact the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, at ico.org.uk.