Reachfolio

Privacy policy

This is a convenience translation of the German Datenschutzerklärung (privacy policy). The German version is authoritative and prevails in case of any discrepancy.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data on reachfolio.app is:

Marcos Antonio Oliveira Ramos (“Amazonia Tech”), sole proprietor, Munich, Germany
Email: [email protected]
Full serviceable address available on request.

2. Principles — how Reachfolio handles data

Reachfolio is built privacy-first from the ground up. Concretely:

  • The application runs on servers in Germany.
  • Metrics for your social-media accounts are obtained exclusively through the platforms’ official APIs and only with the OAuth authorization you grant there yourself — no scraping, no purchased data sets.
  • The creator marketplace is strictly opt-in: without your explicit, always-revocable consent your profile is not discoverable there.
  • Public media-kit pages count views anonymously and in aggregate only — no cookies, no IP storage, no identification of individual visitors.
  • There is no ad tracking, no ad-tech and no social-media plugins.

3. Hosting and infrastructure

Reachfolio runs on our own infrastructure in Germany. When you access the website we process technical connection data (IP address, timestamp, requested resource, user agent) to the extent required to deliver the page, keep the service stable and defend against attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in a secure and functional operation). Server logs are kept short-term and deleted automatically; they are not used for profiling.

Since July 10, 2026 traffic is routed through the content-delivery network of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (“Cloudflare”) (CDN/reverse proxy, DDoS protection). Cloudflare processes technical connection data on our behalf; a data processing agreement (Art. 28 GDPR) is in place. Where data is transferred to the USA, the transfer relies on the adequacy decision for the EU-US Data Privacy Framework (Cloudflare is certified) and, additionally, on EU standard contractual clauses (Art. 46(2)(c) GDPR).

4. Account and sign-in

When you create an account we process your email address, your name, a password (stored exclusively as a cryptographic hash), your language preference and your workspace data (workspace, team memberships, subscription tier). The purpose is providing the service you request by registering; the legal basis is Art. 6(1)(b) GDPR (performance of a contract). Account data is stored for the duration of the contractual relationship; after you delete your account it is removed unless statutory retention obligations (e.g. commercial and tax retention periods for invoices) require otherwise.

5. Connected social-media accounts (the core of the service)

Reachfolio is an analytics service for your own social-media presence. You connect your accounts yourself by signing in directly with the respective platform and authorizing Reachfolio there via OAuth — we never see your platform passwords, and the granted access tokens are stored encrypted. The official APIs of Meta (Instagram), TikTok and Google (YouTube) are supported.

Through these APIs we process: basic profile data (handle, account name), follower and subscriber counts, reach, impression and engagement metrics, post metadata (e.g. publication time, post type) and — only where you authorize it — aggregated audience demographics (e.g. age-group and country shares). The purpose is the analytics service you signed up for (dashboards, history, benchmarks, media kits); the legal basis is Art. 6(1)(b) GDPR.

Retention and platform rules: metrics are stored as history for as long as the account is connected. Data obtained from the YouTube API Services is refreshed or deleted at least every 30 days in accordance with Google’s requirements. If you disconnect an account, we delete the data obtained from that platform together with the tokens; you can additionally revoke the authorization at any time directly with the platform (for Google, e.g. at myaccount.google.com/permissions; for Meta and TikTok in the respective account settings).

The platforms themselves are independent controllers of their own processing. For YouTube, the Google Privacy Policy additionally applies (www.google.com/policies/privacy); Reachfolio uses the YouTube API Services.

6. Creator marketplace (consent only)

The marketplace through which brands can find you is strictly opt-in: new profiles are never listed. Listing happens only after your explicit, granular consent (per platform and per data category — e.g. follower counts, engagement, aggregated demographics, rate card); the legal basis is Art. 6(1)(a) GDPR. To be able to demonstrate consent (Art. 7(1) GDPR) we record every grant and change as a versioned entry with timestamp, acting person, IP address and user agent.

You can withdraw consent at any time with effect for the future (Art. 7(3) GDPR). Withdrawal delists your profile immediately, and the derived data prepared for brands is purged right away. Brands only ever see aggregates computed by us — never raw audience data, never your access tokens. We retain the versioned consent records after a withdrawal for accountability purposes (Art. 5(2), Art. 17(3)(e) GDPR).

7. Public media-kit pages — anonymous view counting

When you publish a media kit, the corresponding page is publicly accessible. For the view statistics of these pages we deliberately decided against any tracking: no cookies are set, no IP addresses are stored and no visitor profiles are built. Counting is strictly anonymous and aggregate — to avoid double counting, a hash is computed with a daily-rotating random key held only in memory and never persisted; after rotation, attributing a count to an individual person is technically impossible even for us. Only counter values (numbers) are stored, no personal data.

8. Payments (Stripe)

If you subscribe to a paid plan, payment is processed via Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland; where applicable involving Stripe, Inc., USA). You enter your payment details (e.g. card data) directly with Stripe; we never receive full card data, only subscription and payment status plus invoicing data. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Art. 28 GDPR is in place (Stripe Data Processing Agreement); transfers to the USA rely on the EU-US Data Privacy Framework and EU standard contractual clauses. We retain invoice-related data for the statutory commercial and tax retention periods.

9. AI-assisted features (optional)

Individual features — such as the weekly metrics digest in text form or the explanations of marketplace matching — can be phrased with AI assistance. Where this is enabled, we use Anthropic, PBC (San Francisco, USA) as a processor. Only factual inputs are transmitted — aggregated metrics and metadata of your workspace — never raw audience data and never access tokens. The legal basis is Art. 6(1)(b) GDPR (a function of the service you use). Under Anthropic’s commercial terms the inputs are not used to train AI models; transfers to the USA rely on the EU-US Data Privacy Framework and/or EU standard contractual clauses. If these features are not enabled, no data is sent to Anthropic.

10. Recipients and processors

Personal data is only received by the following categories of recipients:

  • Cloudflare, Inc. (USA) — CDN/reverse proxy and attack protection (processor, see section 3).
  • Stripe Payments Europe, Ltd. (Ireland) / Stripe, Inc. (USA) — payment processing, only if you subscribe to a paid plan (processor, see section 8).
  • Anthropic, PBC (USA) — AI text features, only where enabled (processor, see section 9).
  • The platforms you connect — Meta, TikTok and Google — as independent controllers via your own accounts (see section 5).

We only engage further service providers after a data processing agreement has been concluded and this privacy policy has been updated accordingly.

11. Transfers to third countries

Where the US providers named in section 10 process data outside the EU/EEA, this is based on the adequacy decision for the EU-US Data Privacy Framework (Art. 45 GDPR) and/or EU standard contractual clauses (Art. 46(2)(c) GDPR). The core data storage (database, metrics history, consent records) is located in Germany.

12. Cookies and local storage

Reachfolio uses strictly necessary cookies only (Section 25(2) no. 2 of the German TDDDG):

  • reachfolio_refresh — HttpOnly session cookie that keeps you signed in (deleted on sign-out or expiry).
  • rf_locale — stores your language choice (German/English), lifetime one year.

There are no tracking, analytics or advertising cookies and no third-party trackers — which is why Reachfolio deliberately shows no cookie banner: there is nothing that would require consent. This is a design decision, not an oversight.

13. Your rights

Under the GDPR you have the following rights:

  • access to the data processed (Art. 15 GDPR),
  • rectification of inaccurate data (Art. 16 GDPR),
  • erasure (Art. 17 GDPR),
  • restriction of processing (Art. 18 GDPR),
  • data portability (Art. 20 GDPR),
  • objection to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR),
  • withdrawal of consent with effect for the future (Art. 7(3) GDPR) — for the marketplace at any time directly in your settings.

An informal email to [email protected] is sufficient. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority competent for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, www.lda.bayern.de.

14. No automated decision-making

There is no automated decision-making, including profiling, within the meaning of Art. 22 GDPR. The marketplace’s “Brand-Fit” score is an assistive ranking with disclosed sub-scores; the decision about contact or collaboration is always made by a human.

15. Obligation to provide data

reachfolio.app can be used without providing personal data; an account only requires the data listed in section 4 — without it the contract cannot be performed. All further processing (marketplace, AI features) is optional.

16. Changes to this privacy policy

We update this privacy policy when the service or the legal situation changes (for example when a new processor is added). The version published here applies.

Last updated: July 10, 2026

Back to the home page