Legal

Privacy Policy

How we collect, use and protect your personal data and your Instagram account data when you use TuCM.

Last updated: 1 May 2026

Index

  1. Data controller
  2. Data we process
  3. Purposes
  4. Legal basis
  5. Recipients
  6. International transfers
  7. Retention periods
  8. Your rights
  9. Security
  10. Minors
  11. Changes to this policy
  12. Contact

1. Data controller

The controller responsible for personal data collected through tucm.es and the TuCM application is:

  • Cox Security SL (hereafter, "TuCM" or "we")
  • Spanish Tax ID (CIF): B06790224
  • Address: Paseo de la Castellana, 194 — BJ, 28046 Madrid (Madrid), Spain
  • Email: info@tucm.es
  • Phone: +34 659 811 913

2. Data we process

2.1. Data you provide directly

  • Account & contact data: name, email, password (bcrypt-hashed), phone.
  • Business data: description of your activity, audience, goals, brand tone, key dates and any other information you give us to set up your content plan.
  • Materials you upload: images, videos, texts and other files you load into the platform for the AI to use as reference.

2.2. Data obtained from Meta (Instagram and Facebook)

When you connect your Instagram account to TuCM via "Login with Facebook", with your express consent we obtain from Meta:

  • Identifiers of your Instagram Business account and the linked Facebook Page.
  • Long-lived access token, stored AES-256-GCM encrypted.
  • Public profile information: username, bio, picture, follower and following counts.
  • Published content: posts, carousels, reels and stories on your account.
  • Metrics and insights: reach, impressions, interactions, aggregated demographics.
  • Comments and direct messages received on your account, only as needed to reply on your behalf.

We only request the permissions strictly required to deliver the service (instagram_basic, instagram_content_publish, instagram_manage_comments, instagram_manage_insights, pages_show_list, pages_read_engagement, business_management).

2.3. Data generated by service usage

  • AI-generated content based on your instructions (texts, images, videos).
  • Technical logs: access date and time, IP address, browser, usage events.
  • Telegram data: chat IDs of recipients you link to receive alerts and approvals.
  • Billing data: consumption, budget and cost records associated with your account.

3. Purposes

We process your data for the following purposes:

  • Provide the contracted Instagram automation service: planning, generation, publishing, comment replies and metrics.
  • Send alerts and approval requests through Telegram to the recipients you link.
  • Improve and tailor the service, including auto-tuning the content plan based on your account metrics.
  • Comply with applicable legal obligations (tax, accounting, data protection).
  • Communicate with you for technical support, incidents and service updates.
  • Ensure platform security, prevent fraud and abuse.

We do not sell your data. We do not use it to train third-party AI models. Content you generate on TuCM is processed solely to deliver the service to you.

We process your data under the following legal bases (Article 6 GDPR):

  • Performance of the contract (Art. 6.1.b): to deliver the service you have contracted.
  • Consent (Art. 6.1.a): when you connect your Meta account and grant the requested permissions.
  • Legal obligations (Art. 6.1.c): to keep invoices, comply with tax requirements and respond to authorities.
  • Legitimate interest (Art. 6.1.f): to ensure security, prevent abuse and improve the service without affecting your rights.

5. Recipients

To deliver the service we share strictly necessary data with the following providers, all bound by data processing agreements:

ProviderUseLocation
Meta Platforms, Inc.Instagram and Facebook connection (read, publish, metrics)USA / EU
Anthropic, PBCText generation and planning with Claude modelsUSA
OpenAI, L.L.C.Auxiliary natural-language tasksUSA
Black Forest Labs (via fal.ai)Image generation (Flux 2 Pro)USA
Runway AI, Inc.Video generationUSA
Telegram FZ-LLCAlert and approval messagingUAE / global
Hosting providerInfrastructure and storageEU (Spain)

We send these providers only the data strictly required for their specific task. Your Meta credentials are never shared with any AI provider.

6. International transfers

Some providers are located outside the EEA. Transfers rely on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914/EU), with additional technical measures (encryption in transit and at rest). You can request a copy by writing to info@tucm.es.

7. Retention periods

We apply automatic retention to all data. Each category has a maximum period after which it is deleted or anonymised, unless legally required otherwise.

7.1. Personal and account data

  • Account data (alias, email, hashed password): while your account is active. If you cancel or request deletion, removed within a maximum of 30 calendar days (in practice within hours).
  • Tax data (Tax ID, address, billing details): while your account is active. After deletion, only the data essential for invoices already issued is retained, for the legally required tax period.
  • Meta access tokens: while valid; revoked immediately when the account is disconnected or data is deleted.
  • Unused UGC content (photos/videos you upload but we never publish): deleted from disk and our records after 30 days from upload.
  • Published content: original file deleted immediately after publishing on Instagram. We only keep the caption, hashtags and link to the published post — enough for historical reports.

7.2. Tax and billing data (legal obligation)

  • Issued tax invoices: 6 years from issuance (Spanish General Tax Law art. 66).
  • Wallet movements and AI consumption charged to the client: 4 to 6 years as VAT taxable base and accounting records.
  • Subscriptions and contractual data: during the contract term + applicable statute of limitations.

7.3. Technical and audit logs

  • Admin operations audit: 2 years.
  • Processed deletion requests: 2 years after completion, as proof of compliance with your right to erasure.
  • Detailed AI call logs: 1 year (aggregated data is retained longer for tax purposes).
  • Meta OAuth logs: 1 year (forensics for connection issues).
  • Monthly digest logs: 1 year.
  • System logs and piece metrics: 90 days.
  • Strategy runner logs: 90 days.
  • Telegram processed update logs: 30 days.
  • Parsing error logs: 30 days.
  • Authentication and login attempt logs: 30 days.
  • Expired password reset tokens: 7 days.
  • Telegram media temporary buffers: 7 days.

7.4. Communications

  • Support emails: 3 years from the last contact.

These periods are applied automatically by a daily process. You can see the current state from your panel under Settings → Data policy.

8. Your rights

Under GDPR and Spanish LOPDGDD you may exercise the following rights at any time:

  • Access: know what data we hold about you.
  • Rectification: correct inaccurate data.
  • Erasure ("right to be forgotten"): delete your data when no longer needed. See the data deletion page.
  • Restriction of processing.
  • Portability: receive your data in a structured format.
  • Objection to processing based on legitimate interest.
  • Withdraw consent at any time, without retroactive effect.
  • Not to be subject to automated decisions with legal effects on you.

To exercise any of these, write to info@tucm.es with your identity and the right you wish to exercise. We will reply within one month.

If you believe we are not handling your rights properly, you may file a complaint with the Spanish Data Protection Agency (www.aepd.es).

9. Security

We apply the technical and organisational measures required by GDPR:

  • AES-256-GCM encryption for tokens, Meta credentials and Telegram bot secrets.
  • In-transit encryption (TLS 1.2+) on all communications.
  • Total isolation between accounts: no data is shared across clients.
  • Bcrypt password hashing.
  • Role-based access control and activity logging.
  • Encrypted backups and retention policies.

10. Minors

TuCM is exclusively for people aged 18+ or with legal capacity to contract. We do not knowingly collect data from minors. If we detect a minor user, we will delete the account and associated data.

11. Changes to this policy

We may update this policy to reflect legal or service changes. The current version is always available at this URL, with its last-updated date. For substantial changes, we will notify you by email before they take effect.

12. Contact

For any question about this policy or about the processing of your data:

  • Email: info@tucm.es
  • Postal address: Cox Security SL, Paseo de la Castellana, 194 — BJ, 28046 Madrid, Spain.