Privacy Policy
Last updated: 21 May 2026
This Privacy Policy applies to the use of the Briefkraft SaaS platform at briefkraft.co. Briefkraft is an AI-powered social media management service operated by Klejdi Meleqi.
1. Controller
2. Data Collected
We collect the following personal data:
- Account data: Name, email address, password (stored encrypted), company information
- Payment data: Processed directly by our payment provider Stripe. We do not store credit card numbers.
- Social media data: OAuth tokens, usernames, account IDs and metrics of connected platforms (Instagram, Twitter/X, LinkedIn, TikTok, YouTube)
- Usage data: Content created (captions, images) and posting histories
- Technical data: IP address, browser type, access times (server logs)
- Referral data: If you arrive via an affiliate or partner link, a referral cookie (bk_ref) is stored for up to 90 days to attribute the referral correctly.
- Fraud prevention data: A one-way hash (SHA-256) of your email address is stored to detect duplicate trial registrations. This hash cannot be reversed to recover your email address and is processed on the basis of our legitimate interest in preventing abuse (Art. 6(1)(f) GDPR).
3. Purpose of Processing
We process your data exclusively for:
- Providing and operating the Briefkraft platform
- Managing your user account and subscription
- Publishing content to your connected social media platforms
- AI-assisted generation of captions and images
- Analysing and displaying social media metrics
- Payment processing via Stripe
- Communication regarding your account (e.g. token expiry, payment issues)
4. Legal Basis
Processing is based on:
- Art. 6(1)(b) GDPR — Performance of a contract (provision of services)
- Art. 6(1)(a) GDPR — Consent (connecting social media accounts via OAuth)
- Art. 6(1)(f) GDPR — Legitimate interest (security, fraud prevention)
5. TikTok Integration (Login Kit and Content Posting API)
Briefkraft uses the official TikTok API (provided by TikTok Pte. Ltd.). By connecting your TikTok account to Briefkraft, the following products and scopes are used:
- Login Kit (user.info.basic): Briefkraft uses Login Kit to authenticate TikTok users. When connecting your TikTok account in the Briefkraft dashboard, we receive your display name and Open ID to confirm the connection and display your account in the dashboard. Briefkraft does not gain access to your TikTok password.
- Content Posting API (video.publish): Briefkraft uses the Content Posting API to automatically publish approved video posts to your TikTok profile on your behalf at the scheduled time. Posts are only published after your explicit approval in the Briefkraft dashboard. No content is ever published without your prior consent.
- Video Upload (video.upload): Briefkraft uses the video upload scope to send video drafts to your TikTok inbox, which you can then review, edit, and publish directly from the TikTok app. This scope is used as an alternative posting method for creators who prefer to finalise posts in TikTok Studio.
The following TikTok user data is processed by Briefkraft:
- Public profile information (display name, Open ID) — used solely to confirm account connection and display the connected account in the dashboard
- OAuth access token and refresh token — stored encrypted in the Briefkraft database; used exclusively to publish content and manage the TikTok connection on your behalf
Data sharing: Briefkraft does not share, sell, or transfer your TikTok user data to any third party, except to TikTok's own APIs when performing actions you have explicitly requested (e.g. publishing a video). No other third party receives your TikTok user data.
Data protection: TikTok OAuth tokens are stored encrypted at rest in our PostgreSQL database. All communication between Briefkraft and the TikTok API is transmitted exclusively over HTTPS/TLS. Access to the database is restricted to authorised server processes only. Briefkraft does not store TikTok videos, captions entered on TikTok, private messages, or any non-public TikTok content.
Briefkraft's use of TikTok platform data complies with the TikTok Platform Terms of Service.
The TikTok connection can be disconnected at any time in the Briefkraft dashboard under Accounts. Upon disconnection, all stored TikTok tokens are immediately and irrevocably deleted from our systems.
6. YouTube Integration (YouTube Data API v3)
Briefkraft uses the official YouTube Data API v3 (provided by Google LLC). By connecting your YouTube account to Briefkraft, the following OAuth 2.0 scopes are requested:
- youtube (Manage your YouTube account): Briefkraft uses this scope to read your channel information (channel name, subscriber count) to confirm a successful connection, and to publish community posts on your behalf. Actions are only taken after your explicit approval in the Briefkraft dashboard.
- youtube.upload (Manage your YouTube videos): Briefkraft uses this scope to upload videos to your YouTube channel on your behalf. Videos are only published after your explicit approval in the Briefkraft dashboard.
The following YouTube/Google user data is processed by Briefkraft:
- Channel information (channel name, channel ID, subscriber count) — used solely to confirm account connection
- OAuth access token and refresh token — stored encrypted in the Briefkraft database; used exclusively to publish content on your behalf
Data sharing: Briefkraft does not share, sell, rent, or transfer your YouTube/Google user data to any third party. The only external system that receives your Google user data is Google's own YouTube Data API v3, and only when you explicitly request an action (e.g. uploading a video or reading channel information). No other third party, advertiser, or partner receives your Google user data under any circumstances.
Internal access: Access to stored Google/YouTube tokens and user data is restricted to automated server processes required to operate the service. No Briefkraft staff member accesses your Google user data except when necessary to resolve a support issue you have explicitly requested, and only with your consent.
Data protection: YouTube OAuth tokens are stored encrypted at rest in our PostgreSQL database hosted on Hetzner servers in Germany. All communication between Briefkraft and Google APIs is transmitted exclusively over HTTPS/TLS. The database server is access-controlled and not publicly reachable. Tokens are deleted immediately and irrevocably upon disconnection of your YouTube account.
AI/ML training: Briefkraft does not use Google user data — including any data obtained from Google APIs — to develop, improve, or train generalised artificial intelligence or machine learning models. Information received from Google APIs is used solely to provide the specific features the user requests (publishing videos, displaying channel info).
Briefkraft's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
The YouTube connection can be disconnected at any time in the Briefkraft dashboard under Accounts. Upon disconnection, all stored Google/YouTube tokens are immediately and irrevocably deleted.
7. Meta (Facebook & Instagram) Integration
Briefkraft uses the official Meta Graph API (provided by Meta Platforms, Inc.) to connect Facebook Pages and Instagram Business/Creator accounts. By connecting your Meta account to Briefkraft, the following OAuth 2.0 permissions are requested:
- instagram_basic / instagram_manage_insights: Briefkraft uses these permissions to read your Instagram account name, profile ID, and performance metrics (reach, impressions, engagement) to confirm a successful connection and display analytics in your dashboard.
- instagram_content_publish: Briefkraft uses this permission to publish photo, video, and carousel posts to your Instagram Business or Creator account on your behalf. Content is only published after your explicit approval in the Briefkraft dashboard.
- pages_show_list / pages_read_engagement: Briefkraft uses these permissions to identify and display the Facebook Pages associated with your account and to read page engagement metrics for your analytics dashboard.
- pages_manage_posts: Briefkraft uses this permission to publish posts to your Facebook Page on your behalf. Posts are only published after your explicit approval in the Briefkraft dashboard.
The following Meta user data is processed by Briefkraft:
- Instagram account information (account name, Instagram User ID, follower count) — used solely to confirm account connection and display analytics
- Facebook Page information (Page name, Page ID) — used solely to confirm connection and enable publishing
- OAuth access token and refresh token — stored encrypted in the Briefkraft database; used exclusively to publish content and retrieve analytics on your behalf
- Post performance metrics (reach, impressions, likes, comments) — displayed in the Briefkraft analytics dashboard
Data sharing: Briefkraft does not share, sell, or transfer your Meta/Facebook/Instagram user data to any third party, except to Meta's own APIs when performing actions you have explicitly requested (e.g. publishing a post). No other third party receives your Meta user data.
Data protection: Meta OAuth tokens are stored encrypted at rest in our PostgreSQL database. All communication between Briefkraft and the Meta Graph API is transmitted exclusively over HTTPS/TLS. Access to the database is restricted to authorised server processes only. Tokens are deleted immediately and irrevocably upon disconnection.
Briefkraft's use of Meta platform data complies with the Meta Platform Terms and the Meta Developer Policies.
The Meta connection can be disconnected at any time in the Briefkraft dashboard under Accounts. Upon disconnection, all stored Meta/Facebook/Instagram tokens are immediately and irrevocably deleted.
7a. Threads Integration
Briefkraft uses the official Threads API (provided by Meta Platforms, Inc.) to connect Threads accounts. By connecting your Threads account to Briefkraft, the following OAuth 2.0 permissions are requested:
- threads_basic: Briefkraft uses this permission to read your Threads profile information (username, profile ID) to confirm a successful connection and display it in your dashboard.
- threads_content_publish: Briefkraft uses this permission to publish text and media posts to your Threads account on your behalf. Content is only published after your explicit approval in the Briefkraft dashboard.
- threads_read_engagement: Briefkraft uses this permission to read post performance metrics (views, likes, replies) for display in your analytics dashboard.
The following Threads user data is processed by Briefkraft:
- Profile information (username, Threads User ID) — used solely to confirm account connection and display in dashboard
- Post performance metrics (views, likes, replies) — displayed in the Briefkraft analytics dashboard
- OAuth access token and refresh token — stored encrypted in the Briefkraft database; used exclusively to publish content and retrieve analytics on your behalf
Data sharing: Briefkraft does not share, sell, or transfer your Threads user data to any third party, except to Meta's Threads API when performing actions you have explicitly requested (e.g. publishing a post). No other third party receives your Threads user data.
Data protection: Threads OAuth tokens are stored encrypted at rest in our PostgreSQL database. All communication between Briefkraft and the Threads API is transmitted exclusively over HTTPS/TLS. Access to the database is restricted to authorised server processes only. Tokens are deleted immediately and irrevocably upon disconnection.
Briefkraft's use of Threads platform data complies with the Meta Platform Terms.
The Threads connection can be disconnected at any time in the Briefkraft dashboard under Accounts. Upon disconnection, all stored Threads tokens are immediately and irrevocably deleted.
8. Other Third-Party Providers and Processors
We use the following third-party providers:
- Stripe, Inc. (USA) — Payment processing. Privacy policy
- Brevo SAS (France) — Email delivery (lifecycle and marketing emails). Privacy policy
- Resend, Inc. (USA) — Transactional email delivery (alerts and notifications). Privacy policy
- Cloudinary Ltd. (Israel/USA) — Image hosting and backup storage. Privacy policy
- Replicate, Inc. (USA) — AI image and video generation. Only anonymised, AI-generated prompts are transmitted to Replicate — no personal data is processed by Replicate on our behalf. Privacy policy
- Anthropic, PBC (USA) — AI text generation (captions, content strategy). Prompt data is retained by Anthropic for up to 30 days for safety monitoring, after which it is deleted. Anthropic does not use your data to train its models under our agreement. Privacy policy
- Hetzner Online GmbH (Germany) — Server hosting. All data is stored on servers located in Germany. Privacy policy
- Google LLC (USA) — YouTube Data API v3. Privacy policy
- Meta Platforms, Inc. (USA) — Instagram API
- X Corp. (USA) — Twitter/X API
- LinkedIn Corporation (USA) — LinkedIn API
- ByteDance Ltd. (Singapore) — TikTok API
Transfers to third countries (USA) are based on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs). Transfers to Israel are based on the EU adequacy decision for Israel.
9. Retention Period
Your data is stored for as long as your account is active. Upon cancellation, personal data is deleted within 30 days, unless statutory retention periods apply (e.g. tax law: 10 years). OAuth tokens are deleted immediately upon disconnection.
10. Your Rights
You have the right to:
- Access (Art. 15 GDPR) — What data we have stored about you
- Rectification (Art. 16 GDPR) — Correction of inaccurate data
- Erasure (Art. 17 GDPR) — Deletion of your data
- Restriction (Art. 18 GDPR) — Restriction of processing
- Data portability (Art. 20 GDPR) — Export of your data
- Objection (Art. 21 GDPR) — Objection to processing
- Withdrawal of consent — At any time with effect for the future
To exercise your rights, contact us at [email protected].
11. Data Security
We implement technical and organisational measures: SSL/TLS encryption, encrypted password storage, regular backups, access-restricted server infrastructure.
12. Cookies
Briefkraft uses only technically necessary session cookies for the login function. No tracking or marketing cookies are used.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit), Postfach 3163, 65021 Wiesbaden.
14. Business Outreach and Sales Prospecting
As part of our business development activities, we may process publicly available professional contact information (name, job title, company, professional email address or LinkedIn URL) of individuals at companies that may benefit from Briefkraft's services.
This processing is based on our legitimate interest in contacting potential B2B customers (Art. 6(1)(f) GDPR). We process this data exclusively for the purpose of sending a single initial contact message. We do not engage in repeated unsolicited contact.
You have the right to object to this processing at any time (Art. 21 GDPR) by emailing [email protected] with subject line "Opt-out — Outreach". Upon receipt we will immediately delete your data from our prospect database and cease all contact.
We retain prospect data for a maximum of 6 months from collection. Data is sourced via Apify Inc. (USA, Standard Contractual Clauses) and Brave Search API (USA, Standard Contractual Clauses).