Privacy Policy · Anomalia
Legal

Privacy Policy

Last updated: 5 June 2026

This Privacy Policy explains how Anomalia collects, uses, shares and protects your personal data when you use our website and service. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Italian Legislative Decree 196/2003 as amended.

1. Who is responsible for your data (Data Controller)

The data controller is Marco Di Franco, a sole proprietorship (ditta individuale)established in Italy, VAT no. (P.IVA) IT18500501004.

For any question about this policy or to exercise your rights, you can reach us at privacy@anomalia.so.

2. What data we collect

We collect only what we need to run the service:

Data you give us

  • Account data — name, email address and the password (stored hashed) you use to sign in.
  • Brand & content data — the brand information, notes, documents, images, products and instructions you add so Anomalia can plan and create posts for you.
  • Billing data — when you subscribe, payment is handled by our payment processor; we receive your plan, billing status and invoice details, but we never see or store your full card number.
  • Communications — messages you send us by email or through the product.

Data from your connected accounts

  • Social-account access — when you connect Instagram, Facebook or TikTok, we store the access tokens needed to publish on your behalf, together with your account/handle and basic profile details those platforms return.
  • Public post history — to learn your voice and visual style, we collect publicly available information about your past posts on the accounts you connect.

Data we collect automatically

  • Usage & device data — pages visited, actions taken, approximate location (from IP), browser and device type. We use product-analytics and session-replay tools (see §5) to understand how the product is used and to fix problems.
  • Cookies and similar technologies — used to keep you signed in and to measure usage (see §6).

3. Why we use your data and the legal basis

PurposeLegal basis (GDPR Art. 6)
Provide and operate the service (accounts, planning, generating and publishing posts)Performance of a contract — Art. 6(1)(b)
Process payments and prevent fraudPerformance of a contract / legal obligation — Art. 6(1)(b), (c)
Analytics, session replay and product improvementConsent or legitimate interest — Art. 6(1)(a)/(f)
Security, abuse prevention and debuggingLegitimate interest — Art. 6(1)(f)
Sending service and (with consent) marketing emailsLegitimate interest / consent — Art. 6(1)(f)/(a)
Meeting tax and accounting obligationsLegal obligation — Art. 6(1)(c)

We use the content and public post history you provide to generate posts with AI. We do not sell your personal data, and we do not use your content to train third-party AI models for purposes unrelated to providing you the service.

4. AI-generated content

Anomalia uses third-party AI services to draft captions and create images and videos based on the brand information and instructions you give us. Your prompts and brand context are sent to these providers only to produce your content. AI output can be inaccurate — you stay in control and nothing is published without your approval.

5. Who we share your data with (Processors)

We share data with carefully selected providers that process it on our behalf and under our instructions as data processors. The main ones are:

ProviderPurpose
SupabaseDatabase, authentication and file storage
VercelWebsite & application hosting
StripeSubscription billing and payment processing
Google (Gemini API)AI text and image generation
kie.aiAI image / video generation
ScrapeCreatorsCollecting public post history from connected accounts
ResendSending transactional and notification emails
Meta (Instagram, Facebook) & TikTokPublishing posts to your connected accounts
PostHogProduct analytics
Microsoft ClarityUsage analytics and session replay

We may also disclose data where required by law, to enforce our Terms, or in connection with a merger or sale of the business.

6. Cookies & analytics

Cookies and similar technologies that are strictly necessary to run the service (for example, to keep you signed in) are always active and require no consent.

We also collect anonymous, aggregate usage statistics (provided by PostHog) in a cookieless way: no cookies are stored, no persistent identifier is used across sessions, and the data is not used to identify you personally. Because this processing is anonymous, it runs without requiring your consent.

Only if you accept via our cookie banner do we enable full analytics and session-replay, which store cookies and record interactions with our pages (such as clicks and scrolling) to help us improve the product, using PostHog and Microsoft Clarity. You can change your choice at any time through the “Cookie preferences” link in the footer, or by clearing cookies in your browser.

7. International transfers

Some of our providers are based outside the European Economic Area (for example, in the United States). When data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.

8. How long we keep your data

We keep your personal data for as long as your account is active and as needed to provide the service. After you close your account we delete or anonymise your data within a reasonable period, except where we must keep it longer to comply with legal obligations (for example, invoices for tax purposes) or to resolve disputes.

9. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”);
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent at any time, without affecting prior processing.

To exercise any of these rights, email privacy@anomalia.so. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).

10. Children

Anomalia is not directed to children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

11. Security

We use appropriate technical and organisational measures — including encryption in transit, access controls and trusted infrastructure providers — to protect your data. No method of transmission or storage is completely secure, but we work to keep your information safe.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, notify you through the service or by email.


Questions about your privacy? Write to privacy@anomalia.so.