Last updated: 27 April 2026
This policy applies to Content OS, operated by Content OS ("we", "us", "our"). Contact: support@contentos.io
Content OS is the data controller for personal data processed through the Content OS platform (content-os.co.uk and related subdomains). We are based in the United Kingdom.
For all data protection enquiries, contact us at support@contentos.io. We aim to respond within 5 business days. We are registered with the Information Commissioner's Office (ICO) as required under UK GDPR.
We collect only the data we genuinely need to provide and improve the service. The table below explains each category, the legal basis under UK GDPR Article 6, the purpose, and how long we keep it.
| Data category | Lawful basis | Purpose | Retention |
|---|---|---|---|
| Account data (name, email, password hash) | Contract | Create and manage your account, authenticate access | For the life of your account, plus 6 months after deletion |
| Business/organisation name | Contract | Personalise the platform and AI-generated content to your brand | For the life of your account, plus 6 months after deletion |
| Payment and billing data (card last 4, subscription status) | Contract + Legal Obligation | Process subscriptions and comply with financial record-keeping law | 7 years (Companies Act / HMRC requirements) |
| Connected social accounts (OAuth tokens, platform IDs) | Contract | Publish and schedule content on your behalf, fetch analytics | Until you disconnect the account or delete your account |
| Content you create (scripts, titles, descriptions, thumbnails) | Contract | Store, display, and AI-process your content within the platform | For the life of your account, plus 90 days after deletion |
| Brand voice data (example scripts, tone descriptions) | Contract | Improve AI-generated content quality to match your style | For the life of your account, plus 90 days after deletion |
| Usage and analytics data (feature usage counts, quota consumption) | Legitimate Interests | Enforce plan limits, detect abuse, improve the platform | 24 months rolling |
| Log data (IP address, browser, timestamps) | Legitimate Interests | Security, fraud prevention, debugging | 90 days |
| Cookie / session data | Essential (PECR exempt) | Keep you logged in | Session duration, renewed on activity |
"Contract" means processing is necessary to perform the contract with you (UK GDPR Art. 6(1)(b)). "Legitimate Interests" means we have a legitimate business interest that is not overridden by your rights (Art. 6(1)(f)). "Legal Obligation" means we are required by law (Art. 6(1)(c)).
When you use AI generation features (scripts, captions, thumbnails), your content data is sent to our AI sub-processors (Anthropic, fal.ai) to generate outputs. Specifically:
When you connect a social media account (YouTube, TikTok, Instagram, LinkedIn), we store OAuth access tokens that allow us to:
We do not access your private messages, contacts, or any data beyond what is necessary for the above. You can revoke access at any time from Settings - Connections, or directly from the platform's own settings.
We use the following third-party processors to deliver the service. Each has a Data Processing Agreement with us. We have taken steps to ensure international transfers comply with UK GDPR Chapter V.
| Processor | Location | Purpose | Safeguard |
|---|---|---|---|
| Supabase Inc. | EU (Frankfurt) | Database, authentication, file storage | EU-based servers, Standard Contractual Clauses (SCCs) |
| Stripe Inc. | USA | Payment processing and billing | UK-US Data Bridge adequacy decision; PCI-DSS Level 1 |
| Anthropic PBC | USA | AI script, caption, and description generation | UK-US Data Bridge adequacy decision; data not used to train models under our agreement |
| fal.ai Inc. | USA | AI thumbnail and cover image generation | UK-US Data Bridge adequacy decision; Standard Contractual Clauses |
| Resend Inc. | USA | Transactional email delivery | UK-US Data Bridge adequacy decision; Standard Contractual Clauses |
| Zernio | EU | Social media post scheduling and publishing (TikTok, Instagram, LinkedIn) | EU-based processor; Data Processing Agreement in place |
| Vercel Inc. | USA | Web hosting and edge network | UK-US Data Bridge adequacy decision; Standard Contractual Clauses |
The UK-US Data Bridge (adequacy decision, 12 October 2023) permits transfers of personal data from the UK to certified US organisations without additional safeguards. We verify that each US processor holds a valid certification before relying on it.
You have the following rights regarding your personal data. To exercise any of them, email support@contentos.io with "Data Subject Request" in the subject line. We will respond within one calendar month.
Right of access (Article 15)
Request a copy of all personal data we hold about you. Available via Settings - Account - Export my data.
Right to rectification (Article 16)
Ask us to correct inaccurate or incomplete data. Most account data can be updated directly in Settings.
Right to erasure (Article 17)
Request deletion of your account and all associated personal data. Available via Settings - Account - Delete account. We will action erasure within 30 days, except where we are required by law to retain certain records (e.g., financial records for 7 years).
Right to restriction (Article 18)
Ask us to pause processing of your data in certain circumstances, e.g., while you contest its accuracy.
Right to data portability (Article 20)
Receive your personal data in a structured, machine-readable format (JSON). Available via Settings - Account - Export my data.
Right to object (Article 21)
Object to processing based on our legitimate interests. We will stop unless we have compelling legitimate grounds that override your rights.
Rights related to automated decision-making (Article 22)
We do not make decisions that produce legal or similarly significant effects based solely on automated processing.
We use only essential cookies required to operate the service (authentication session cookies). We do not use tracking or advertising cookies. For full details, see our Cookie Policy.
We apply appropriate technical and organisational measures to protect your personal data, including:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.
We do not keep your data longer than necessary:
Content OS is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
We may update this policy from time to time. We will notify you of material changes by email (to the address on your account) or by a notice within the platform at least 14 days before changes take effect. The "Last updated" date at the top of this page indicates when it was last revised. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
If you have concerns about how we handle your data, please contact us first at support@contentos.io. We will do our best to resolve the issue.
If you are not satisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Live chat: ico.org.uk/contact-us