Privacy Policy
CenBur · cenbur.com
Last updated: 7 May 2026
Effective date: 7 May 2026
1. Introduction
CenBur (“we”, “us”, “our”) is a business operating system for small and medium-sized enterprises, provided by Dominik Mucklow, operating as a sole trader (Einzelunternehmen) registered in Austria. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use CenBur at cenbur.com and any associated mobile applications (collectively, the “Service”).
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Austrian data protection law.
2. Data Controller
The data controller responsible for your personal data is:
Dominik Mucklow
Einzelunternehmen
Innsbruck, Austria
Email: privacy@cenbur.com
3. What Data We Collect
3.1 Account data
When you create a CenBur account, we collect:
- Your name
- Your email address
- Your password (stored as a bcrypt hash — never in plain text)
3.2 Business profile data
To provide the marketing and operations features of CenBur, we collect information you provide about your business:
- Business name and description
- Target audience description
- Preferred posting frequency and channels
- Writing examples and brand voice materials you choose to upload
3.3 Social media account connections
When you connect a social media account (Instagram, Facebook, Threads, LinkedIn, or others) to CenBur, we collect and store:
- OAuth access tokens and refresh tokens, encrypted at rest
- Your social media account name, ID, and profile image (as returned by the platform’s API)
- Published post data and basic engagement metrics from connected accounts
We do not collect your social media passwords. Authentication is handled entirely through OAuth 2.0 via the respective platform.
3.4 Content data
We store content you create or that is generated on your behalf through the Service:
- Drafted posts, approved posts, and published posts
- Uploaded images and media
- Editorial plans and campaign descriptions
3.5 Usage data
We collect technical data about how you use the Service:
- IP address and approximate location (country/region)
- Browser type and version
- Pages visited and features used within CenBur
- Timestamps of actions
3.6 Payment data
Payment processing is handled by third-party payment processors (Stripe). We do not store your full credit card details. We retain transaction records including amounts, dates, and subscription status.
4. How We Use Your Data
We use your data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Contract (Art. 6(1)(b) GDPR) |
| Generating AI-powered content on your behalf | Contract (Art. 6(1)(b) GDPR) |
| Publishing content to your connected social accounts | Contract (Art. 6(1)(b) GDPR) |
| Sending transactional emails (account, billing) | Contract (Art. 6(1)(b) GDPR) |
| Improving the Service and fixing bugs | Legitimate interests (Art. 6(1)(f) GDPR) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Sending product updates and marketing (opt-in only) | Consent (Art. 6(1)(a) GDPR) |
We do not use your data for advertising. We do not sell your data to third parties. We do not use your content to train shared AI models.
5. AI-Generated Content
CenBur uses the Anthropic Claude API to generate content on your behalf. When generating content:
- Your business description, brand voice profile, and content context are sent to Anthropic’s API as part of the request
- Anthropic processes this data under their own privacy policy and data processing agreement
- Your data is not used by Anthropic to train their models under our enterprise agreement
You can review Anthropic’s privacy policy at anthropic.com/privacy.
6. Social Media Platforms
When CenBur publishes content to your connected social accounts, we act as a data processor on your behalf. The respective platform (Meta, LinkedIn, etc.) processes that published content under their own terms of service and privacy policies. We recommend reviewing:
7. Data Storage and Security
- All data is stored in the European Union using Supabase (hosted on AWS eu-central-1, Frankfurt, Germany)
- Data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256
- OAuth tokens are encrypted at the application level before storage
- Access to production data is restricted to authorised personnel only
- We maintain regular backups and incident response procedures
8. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| Business profile data | Until account deletion |
| Published post data | Until account deletion |
| Draft and unpublished content | Until deleted by user or account deletion |
| Usage logs | 90 days |
| Billing records | 7 years (Austrian tax law requirement) |
| OAuth tokens | Until channel disconnected or account deleted |
When you delete your account, we permanently delete all associated personal data within 30 days, except where retention is required by law (e.g. billing records).
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access — Request a copy of all personal data we hold about you
- Right to rectification — Request correction of inaccurate data
- Right to erasure — Request deletion of your personal data (“right to be forgotten”)
- Right to restriction — Request that we limit how we process your data
- Right to data portability — Receive your data in a machine-readable format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Withdraw marketing consent at any time
- Right to lodge a complaint — Complain to your national supervisory authority
To exercise any of these rights, contact us at privacy@cenbur.com. We will respond within 30 days.
If you are based in Austria, you may also lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde): dsb.gv.at
10. Cookies
CenBur uses the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-auth-token | Supabase authentication session | Session |
| cenbur-preferences | UI preferences (theme, language) | 1 year |
We do not use advertising cookies or third-party tracking cookies. We do not use Google Analytics or similar tracking tools.
11. Third-Party Services
We use the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, infrastructure | EU (Frankfurt) |
| Anthropic | AI content generation | USA |
| Vercel | Web hosting and CDN | EU nodes |
| Stripe | Payment processing | USA/EU |
| Meta (Facebook/Instagram/Threads) | Social publishing | USA |
| | Social publishing | USA |
Where sub-processors are located outside the EU, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
12. Children’s Privacy
CenBur is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@cenbur.com and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
For any privacy-related questions or requests:
Email: privacy@cenbur.com
Postal: Dominik Mucklow, Innsbruck, Austria
This Privacy Policy was prepared in accordance with GDPR (EU) 2016/679 and Austrian data protection law. It is recommended that you seek independent legal advice before relying on this document for compliance purposes.