Privacy Policy

Last updated: 11 June 2026

This Privacy Policy explains how ACCOUNTability! collects, uses, shares, and protects personal data — both the data of our customers and the data of the people they ask us to scan.

If you are a person who has been scanned and did not ask for this, you have rights — including the right to object to our processing and to ask us to erase your data. You can exercise them at any time by emailing team@aipoweredsocialscan.com. See Section 11 (Your rights) and Section 12 (How Subjects can object or opt out).

1. Who we are

ACCOUNTability! ("we", "us", or "our") is the operator of the ACCOUNTability! service available at aipoweredsocialscan.com and api.aipoweredsocialscan.com (the "Service"), and is the data controller responsible for the personal data described in this policy.

You can reach us at:

ACCOUNTability!
General Díaz Porlier 51, Madrid, Spain
Email: team@aipoweredsocialscan.com

We are based in Spain, and our processing of personal data is governed by the EU General Data Protection Regulation (GDPR) and applicable Spanish data-protection law. The relevant supervisory authority is the Spanish Data Protection Agency, the Agencia Española de Protección de Datos (AEPD).

2. Scope of this policy

This Privacy Policy describes how we handle personal data in connection with the Service: who we collect it about, what we collect, why, on what legal basis, who we share it with, how long we keep it, and the rights you have.

This policy works alongside our Terms & Conditions, which it is incorporated into and forms part of. Where this policy uses defined terms such as "Subject", "Report", "Public Data", and "Platforms", they have the meanings given in the Terms.

It does not cover the privacy practices of the third-party platforms from which Public Data is drawn, or of any third-party site the Service may link to. Their handling of your data is governed by their own policies.

3. The two groups of people

The Service is unusual in that it processes the personal data of two distinct groups of people, and this policy applies to both:

Customers. People who visit the website, create a request, pay for a scan, and receive a Report. Customers give their personal data to us directly and choose to use the Service.
Subjects. The individuals that a Customer asks us to locate and analyse. A Subject is a data subject under the GDPR but did not provide their data to us directly and is not our customer. We obtain a Subject's data from publicly available sources, not from the Subject. We recognise that Subjects have important rights in this situation, and we explain those rights and how to exercise them in Sections 11 and 12.

Where a person scans themselves ("self-check"), they are both a Customer and the Subject.

4. Personal data we collect

4.1 Data we collect from Customers

Identity and contact data — such as the name and email address you provide when you create a request or sign in.
Request data — the name and any identifiers of the Subject you ask us to scan, and the stated purpose of the scan (for example self-check, dating, influencer vetting, or "other").
Payment data — payment for a scan (€15) is processed by our third-party payment provider, Stripe. Stripe handles your card details directly; we do not store full card numbers. We receive only limited information from Stripe such as a confirmation of payment and a transaction reference.
Technical and usage data — limited information generated when you use the website, such as log data, and any cookies or analytics described in Section 14.

4.2 Data we collect about Subjects

To produce a Report, we collect and analyse a Subject's publicly available information from the Platforms. This may include:

public posts, comments, replies, captions, and other text;
publicly visible likes, reactions, and other public engagement signals;
public profile information (such as display name, handle, bio, location if public, and profile or banner images);
images and media that are publicly posted; and
AI-derived analysis and inferences we generate from the above — for example an AI profile summary, "red-flag" classifications, tone assessments, a "word-portrait", statistics, and similar outputs.

We only collect Public Data that was accessible without circumventing any login wall, access control, or technical restriction. We do not collect private messages or content behind privacy settings.

5. Where Subject data comes from

We do not receive a Subject's data from the Subject. We obtain it from publicly available sources — primarily the public areas of the following third-party Platforms, to the extent the Subject's content there is public at the time we access it:

X (Twitter)
Facebook
LinkedIn
Instagram
TikTok

Collection is performed on our behalf using automated tools and third-party data-collection providers (see Section 8). The AI-derived analysis is then generated from that publicly sourced material.

6. How and why we use data & lawful bases

Under the GDPR we must have a lawful basis for each purpose for which we use personal data. The bases differ for the two groups.

6.1 Customer data

To provide the Service and deliver your Report — basis: performance of a contract (Article 6(1)(b) GDPR). This includes processing your request, taking payment via Stripe, generating the Report, and providing support.
To meet legal and accounting obligations — basis: legal obligation (Article 6(1)(c) GDPR), for example keeping transaction records for tax purposes.
To secure, maintain, and improve the Service and prevent misuse — basis: our legitimate interests (Article 6(1)(f) GDPR) in running a safe and reliable service.

6.2 Subject data

Our processing of a Subject's Public Data — locating it, analysing it, and presenting it in a Report — relies on legitimate interests under Article 6(1)(f) GDPR.

The balancing test, in plain English. We (and the Customer who requests a scan) have a legitimate interest in being able to assess, from already-public information, whether a named person's public conduct raises concerns — for example before dating someone, working with an influencer, or checking one's own public footprint. We weigh that interest against the Subject's interests, rights, and freedoms. In doing so we take account of the fact that the data is already public, that we draw only on what the person themselves made public, that we limit retention (Section 10), that we restrict permitted uses (the Terms prohibit using a Report for employment, credit, insurance, housing, or other regulated decisions), and that we provide a clear and easy way to object. Where a Subject's interests, rights, and freedoms override our interest, we will not process — or will stop processing — their data on this basis.

Right to object. Because this processing relies on legitimate interests, a Subject has the right to object at any time (Article 21 GDPR). If you object, we will stop the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is needed to establish, exercise, or defend legal claims. See Section 12 for how to object.

7. Special-category data

A person's public posts may reveal "special-category" personal data under Article 9 GDPR — for example data revealing political opinions, religious or philosophical beliefs, racial or ethnic origin, trade-union membership, health, sex life, or sexual orientation. Because the Service analyses what a Subject has posted publicly, a Report may incidentally surface or infer such data.

We handle special-category data with particular care and limit our use of it:

We process such data only to the extent it is necessary to perform the analysis a Customer has requested from already-public material, and not for any incompatible purpose.
Where we rely on a Subject's data having been manifestly made public by the data subject (Article 9(2)(e) GDPR), we limit ourselves to information the Subject themselves clearly made public.
We apply the same retention limit (Section 10) and the same rights, including the right to object and to erasure (Sections 11–12).
The Terms prohibit Customers from using a Report to discriminate against a person or to make decisions regulated by law.

8. Who we share data with

We do not sell personal data. We share data only as needed to operate the Service:

The requesting Customer. The Report about a Subject is delivered to the Customer who requested and paid for that scan.
Service providers (processors and sub-processors). We use trusted third parties to operate the Service, including a payment provider (Stripe), hosting and infrastructure providers, AI / large-language-model analysis providers, and data-collection providers. These parties process personal data on our instructions, under contracts that require appropriate safeguards.
Legal and protective disclosures. We may disclose data where required by law, to comply with legal process, or to establish, exercise, or defend legal claims, and to protect the rights and safety of any person.
Business transfers. If we are involved in a merger, acquisition, or sale of assets, data may be transferred subject to this policy.

You can request further information about the categories of service providers we use by contacting team@aipoweredsocialscan.com.

9. International transfers

Some of the service providers described in Section 8 may be located, or may process data, outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we take steps to ensure it remains protected by appropriate safeguards recognised under the GDPR — for example the European Commission's Standard Contractual Clauses (SCCs), an adequacy decision, or another lawful transfer mechanism.

You can ask us for more information about the safeguards in place by contacting team@aipoweredsocialscan.com.

10. How long we keep data

We keep personal data only for as long as necessary for the purposes described in this policy. We retain Reports and their associated scan data for 90 days from delivery, after which they are deleted or anonymised, unless a longer period is required to comply with a legal obligation or to establish, exercise, or defend legal claims (a "legal hold").

Limited Customer records — such as a transaction reference needed for accounting and tax — may be kept for the period required by law, separately from the scan data.

11. Your rights

If you are in the EEA (and in many cases regardless of where you are), you have the following rights in relation to your personal data under the GDPR. These apply to both Customers and Subjects:

Access — to be told whether we process your data and to receive a copy of it.
Rectification — to have inaccurate data corrected and incomplete data completed.
Erasure ("right to be forgotten") — to have your data deleted in certain circumstances.
Restriction — to have our use of your data limited in certain circumstances.
Portability — to receive certain data in a portable format, where applicable.
Object — and in particular, because we process Subject data on the basis of legitimate interests, the right to object to that processing at any time (Article 21 GDPR). See Section 12.
Rights related to automated decision-making — you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. Our Reports are tools for human judgement; the Terms require Customers to verify information independently and prohibit using a Report for regulated decisions.

To exercise any right, email team@aipoweredsocialscan.com. We will respond within one month of receiving your request, as required by the GDPR; this period may be extended by up to two further months for complex or numerous requests, in which case we will tell you. Exercising your rights is free, although we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive. We may need to verify your identity before acting.

12. How Subjects can object or opt out

If you have been scanned and did not ask to be, or you simply do not want us to process your data, you can object to our processing and/or ask us to erase your data at any time. There is a simple way to do this:

Email team@aipoweredsocialscan.com and tell us who you are (for example the profile or handle that was scanned) and that you object to or want your data erased.

When you object to our legitimate-interests processing, we will stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary to establish, exercise, or defend legal claims. We will confirm the outcome to you, normally within one month. You do not need to give a reason to exercise your right to object.

13. Security

We take reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure — including access controls, encryption in transit, and limiting retention as described in Section 10. No system can be guaranteed to be completely secure, but we work to protect data appropriately to its sensitivity, and we expect the same of our service providers. These measures include encryption of data in transit (HTTPS/TLS), restricted and authenticated access to systems and stored data, use of reputable service providers (such as our payment provider and hosting infrastructure), and limited data retention as described in Section 10. In the event of a personal-data breach that is likely to result in a risk to individuals, we will notify the relevant supervisory authority and, where required, affected individuals in accordance with the GDPR.

14. Cookies & analytics

We do not use advertising or tracking cookies. The only cookies set in connection with the Service are essential cookies set by our payment provider, Stripe, which are necessary to process payments securely and to help prevent fraud. Your use of Stripe is also subject to Stripe's own privacy policy. If we introduce analytics or other non-essential cookies in the future, we will update this policy and obtain your consent where required, including providing the means to manage your choices.

15. Children

The Service is intended for adults aged 18 or over and is not directed at children. We do not knowingly use the Service to create reports for or about children, and we do not knowingly collect Customer data from children. If you believe a child's data has been processed inappropriately, contact us at team@aipoweredsocialscan.com and we will take appropriate action.

16. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where a change is material, take reasonable steps to bring it to your attention. We encourage you to review this page periodically.

17. Complaints & contact

If you have any questions about this policy or about how we handle personal data, or if you wish to exercise your rights, please contact us:

ACCOUNTability!
General Díaz Porlier 51, Madrid, Spain
Email: team@aipoweredsocialscan.com

You also have the right to lodge a complaint with a data-protection supervisory authority. In Spain this is the Agencia Española de Protección de Datos (AEPD) (www.aepd.es). If you are in another EEA country, you may instead complain to your local supervisory authority. We would, however, appreciate the chance to address your concerns first.