KontentspaceKontentspace

Privacy Policy

Effective Date: February 27, 2026

Last Updated: February 27, 2026

1. Introduction

Vestergaard Software ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Kontentspace platform and services (collectively, the "Service").

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws in Denmark and the European Union.

2. Data Controller

The data controller responsible for your personal data is:

Vestergaard Software
CVR (Business Registration Number): 44703653
Location: Aalborg, Denmark
Email: kontentspace@lassejlv.dk

3. Information We Collect

3.1 Personal Information You Provide

When you create an account or use our Service, we collect:

  • Identity Information: Name, email address, profile image
  • Account Credentials: Password (stored in hashed form)
  • Billing Information: Subscription details, customer ID, payment status (processed by Polar.sh)
  • Content Data: Draft posts, scheduled content, published tweet IDs, media attachments
  • AI Conversations: Chat thread titles, message content, tool interactions
  • Uploaded Files: File names, MIME types, sizes, storage metadata, and file contents for AI processing

3.2 Information Collected Automatically

We automatically collect certain information when you use the Service:

  • Usage Data: Tweet counts, AI message counts, scheduled posts, storage usage metrics
  • Device Information: IP address, browser type, operating system, device identifiers
  • Session Data: Session tokens, login timestamps, user agent strings
  • Preferences: Timezone settings, selected Twitter account preferences

3.3 Information from Third Parties

We receive information from third-party services you connect:

  • Twitter/X OAuth: Account ID, username, profile information, access tokens, refresh tokens, token expiry dates, authorized scopes
  • Payment Processor: Subscription status, billing history, customer ID from Polar.sh

3.4 API Usage Data

If you use our API (Pro and Max plans), we collect:

  • API key usage and request counts
  • Rate limit consumption
  • Endpoint access patterns

4. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

4.1 Contractual Necessity (Article 6(1)(b))

Processing necessary to fulfill our contract with you, including:

  • Account creation and management
  • Providing the core Service features
  • Processing payments and managing subscriptions
  • Delivering scheduled content to Twitter/X

4.2 Consent (Article 6(1)(a))

Where you have given explicit consent, including:

  • Connecting your Twitter/X account via OAuth
  • Enabling AI features and processing uploaded files for AI context
  • Receiving marketing communications (if applicable)

You may withdraw consent at any time by disconnecting services or contacting us.

4.3 Legitimate Interests (Article 6(1)(f))

Processing based on our legitimate interests, including:

  • Service improvement and analytics
  • Fraud prevention and security
  • Technical support and customer service
  • Marketing our own similar services (with opt-out option)

We ensure our legitimate interests do not override your fundamental rights and freedoms.

4.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations, including:

  • Accounting and tax requirements
  • Data retention laws
  • Responding to lawful requests from authorities

5. How We Use Your Information

We use your personal data for the following purposes:

5.1 Service Provision

  • Creating and managing your account
  • Authenticating users and maintaining sessions
  • Processing and delivering content to Twitter/X
  • Storing drafts, scheduled posts, and conversation history
  • Providing AI-powered writing assistance

5.2 Billing and Administration

  • Managing subscription plans and payments
  • Tracking usage against plan limits
  • Handling billing inquiries and disputes
  • Maintaining financial records

5.3 Service Improvement

  • Analyzing usage patterns to improve features
  • Monitoring service performance and reliability
  • Developing new functionality
  • Conducting research and analytics

5.4 Security and Compliance

  • Protecting against fraud and unauthorized access
  • Investigating violations of our Terms of Service
  • Complying with legal obligations
  • Enforcing our agreements

5.5 Communication

  • Sending service-related notifications
  • Responding to support requests
  • Providing updates about the Service
  • Sending marketing communications (with your consent or where permitted by law)

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Account Information: Retained while your account is active. Deleted within 30 days of account deletion, except where legal obligations require longer retention.
  • Content Data (drafts, scheduled posts): Retained while your account is active. Deleted upon account deletion.
  • Published Content: Tweet IDs and metadata retained for analytics and history until account deletion.
  • AI Conversations: Retained while your account is active to maintain conversation context. Deleted upon account deletion.
  • Uploaded Files: Retained until you delete them or delete your account.
  • Usage Logs: Retained for 12 months for security and analytics purposes.
  • Billing Records: Retained for 7 years to comply with Danish accounting laws.
  • Session Data: Retained for the duration of the session plus up to 30 days for security purposes.

When we no longer need your data, we securely delete or anonymize it.

7. Data Sharing and Third Parties

7.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service:

ProviderPurposeLocationSafeguards
Polar.shPayment processingEU/EEAGDPR-compliant
Twitter/XSocial media integrationUSAStandard Contractual Clauses
Google (Gemini)AI processingUSAStandard Contractual Clauses
Amazon Web ServicesCloud infrastructureEU (Frankfurt)GDPR-compliant
Better AuthAuthentication servicesEU/EEAGDPR-compliant

7.2 Legal Requirements

We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government agencies).

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

7.4 With Your Consent

We may share your data with third parties when you explicitly authorize us to do so.

8. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), specifically in the United States. When we transfer your data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to the United States
  • Adequacy Decisions: We rely on adequacy decisions where available
  • Additional Safeguards: We implement technical and organizational measures to protect your data

For more information about international transfers, please contact us.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

9.1 Right to Access (Article 15)

You have the right to request copies of your personal data. We may charge a reasonable fee for excessive or repetitive requests.

9.2 Right to Rectification (Article 16)

You have the right to request correction of any information you believe is inaccurate or incomplete.

9.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent (where consent is the legal basis)
  • You object to processing (in certain circumstances)
  • The data has been unlawfully processed

9.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing when:

  • You contest the accuracy of the data
  • The processing is unlawful but you oppose erasure
  • We no longer need the data but you require it for legal claims

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used format and to transfer it to another controller.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint (Article 77)

You have the right to complain to a supervisory authority, specifically:

Datatilsynet (Danish Data Protection Agency)
Borgergade 28, 5.
1300 Copenhagen K
Denmark
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk

9.9 Exercising Your Rights

To exercise any of these rights, please contact us at kontentspace@lassejlv.dk. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: Data in transit is protected using TLS 1.3. Sensitive data at rest is encrypted.
  • Access Controls: Role-based access controls and multi-factor authentication for staff.
  • Secure Infrastructure: Our infrastructure is hosted on AWS with industry-standard security certifications.
  • Regular Audits: We conduct security assessments and penetration testing.
  • Incident Response: We have procedures in place to detect, respond to, and report data breaches.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

11.1 Essential Cookies

Required for the Service to function (e.g., session cookies, authentication tokens).

11.2 Preference Cookies

Store your preferences and settings (e.g., sidebar state, selected account).

11.3 Analytics Cookies

Help us understand how users interact with the Service (anonymized where possible).

You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may affect Service functionality.

12. Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Vestergaard Software
CVR: 44703653
Aalborg, Denmark
Email: kontentspace@lassejlv.dk

For data protection inquiries, please include "Data Protection" in the subject line.

15. Additional Disclosures

15.1 AI Processing

Our AI features use Google Gemini. When you use AI features:

  • Your prompts and uploaded file contents may be processed by Google's AI services
  • We do not use your data to train Google's AI models
  • File contents are processed temporarily for generating responses

15.2 Twitter/X Integration

When you connect your Twitter/X account:

  • We store OAuth tokens securely to post on your behalf
  • You can revoke access at any time through Twitter/X settings or by disconnecting in Kontentspace
  • We comply with Twitter/X's Developer Agreement and Privacy Policy

15.3 Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

This Privacy Policy was last updated on February 27, 2026.