Legal
Privacy Policy
Last updated:
This Privacy Policy explains how TopSocialBoost (“we”, “us”, “our”) collects, uses, stores, and protects personal information when you use topsocialboost.com and the services we deliver through it. It is written in plain language because privacy decisions should be understandable, not buried in legalese.
We are a controller under EU/UK GDPR Article 4(7) for personal data we process to fulfil your orders, and a service provider under California CCPA/CPRA §1798.140(ag) for personal information of California residents. This policy applies to all visitors regardless of location.
Quick summary
- We never collect or store your social media password, card number, or phone number.
- We collect only what is needed to deliver and support an order.
- No third-party tracking pixels (no Google Analytics, no Facebook Pixel).
- Data is stored on encrypted servers in Germany (EU/EEA).
- You can request deletion at any time and we honour it within 30 days.
1. Who we are
TopSocialBoost operates topsocialboost.com and provides social-media engagement services (followers, likes, views, etc.) delivered through licensed third-party networks. For privacy enquiries you can reach us by email at privacy@topsocialboost.com (general support is support@topsocialboost.com).
2. Personal data we collect
We deliberately collect the minimum data required. The categories below are exhaustive — nothing else about you ever enters our systems.
2.1 Data you provide directly
- Email address — for order confirmation, delivery updates, support replies, and refund processing. Required.
- Public profile or post URL — the destination of the engagement you ordered. We never log into the linked account; we only push public-facing engagement to it.
- Optional message — anything you write in the contact form or in a support reply. Stored for the lifetime of the support conversation.
2.2 Data collected automatically
- IP address — collected at order time for fraud prevention (chargeback defence) and rate-limiting. Truncated to /24 (IPv4) or /48 (IPv6) after 30 days for aggregate analytics.
- Browser fingerprint hash — a non-reversible SHA-256 of user-agent + accept-language + screen dimensions, used solely to detect duplicate accounts and payment fraud.
- Server access logs — request method, path, status code, and response time. Retained for 14 days for security investigations, then permanently deleted.
2.3 Data we receive from payment processors
- Stripe returns a payment intent ID, the last 4 digits of your card, and the card brand. We do not see, store, or process the full PAN, CVV, or expiry.
- Heleket returns the originating crypto wallet address (required for payment confirmation), the chosen coin, and the transaction hash.
3. What we never collect
For the avoidance of doubt, the following data is structurally impossible for us to collect because we do not ask for it and our systems do not have a field for it:
- Your social media account password (no growth service ever needs this).
- 2-factor authentication codes, backup codes, or app passwords.
- Your full credit card number, CVV, or expiry date.
- Your legal name, physical address, or phone number.
- Government identification (passport, driver licence, etc.).
- Biometric data, health data, or any other GDPR Article 9 special category.
4. How we use the data (purposes & legal basis)
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Deliver the service you ordered | Email, public URL, payment ID | (b) Contract performance |
| Send order updates & support replies | Email | (b) Contract performance |
| Prevent payment fraud & abuse | IP, fingerprint hash, payment metadata | (f) Legitimate interest |
| Comply with tax/accounting law | Anonymized order references | (c) Legal obligation |
| Service-quality analytics (server-side, aggregated) | Truncated IP, request paths | (f) Legitimate interest |
We do not rely on consent (Art. 6(a)) for any of the above because none of these purposes requires it — each is either contractual or a genuine legitimate interest with a balancing test in your favour.
5. Who we share data with (processors)
We share data only with the minimum set of providers required to operate the service. Each is bound by a Data Processing Agreement (DPA) under GDPR Article 28.
- Stripe Payments Europe Ltd. (Ireland) — card processing. PCI-DSS Level 1.
- Heleket OÜ (Estonia) — cryptocurrency payment gateway.
- Hetzner Online GmbH (Germany) — server hosting + encrypted backups, ISO 27001 certified.
- Resend Inc. (Delaware, USA) — transactional email delivery (order confirmations, support replies). Covered by EU-US DPF.
- Cloudflare, Inc. (USA) — DDoS protection and CDN edge caching of static assets only (no personal data passes through cache layer). Covered by EU-US DPF.
- Delivery network partners — receive only the public URL submitted at checkout, never any other personal data.
We do not sell, rent, lease, or share personal information with marketing companies, data brokers, advertising networks, social platforms, or any other third party not listed above.
6. International data transfers
Your personal data is primarily stored within the EU/EEA (Hetzner Falkenstein DC, Germany). Where transfers to the United States occur (Stripe USA, Resend, Cloudflare), they are made under the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) and the relevant providers' certifications. For any transfer outside an adequacy decision we additionally rely on Standard Contractual Clauses (SCC 2021/914 Module 2).
7. How long we keep data
- Active order data — until 30 days after order completion, then anonymized (URL deleted, email replaced with hash) and retained as accounting records.
- Email + support correspondence — 24 months from last activity, then deleted.
- Anonymized order references — 7 years (legal obligation under EU/US tax law, e.g., German AO §147).
- Server access logs — 14 days, then permanently deleted.
- Encrypted database backups — 30 days rolling, then destroyed.
8. Your rights under GDPR (Articles 15–22)
You have the following enforceable rights regarding your personal data:
- Right of access (Art. 15) — request a copy of all data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17, “right to be forgotten”) — request full deletion. We honour it within 30 days unless a legal-obligation exception applies (e.g., a tax record is locked).
- Right to restriction (Art. 18) — pause processing while a dispute is resolved.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable JSON export.
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right to lodge a complaint (Art. 77) — with the supervisory authority of your habitual residence or place of work. The German lead supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
To exercise any of these rights, email privacy@topsocialboost.com with the email address you used at checkout. We respond within 30 days at no charge. We may verify your identity by emailing a one-time code to that address before processing.
9. California residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.):
- The right to know what personal information is collected, used, and disclosed.
- The right to delete personal information collected from you.
- The right to correct inaccurate personal information.
- The right to opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell or share personal information for this purpose, so this right has no operational effect, but you may still file the request.
- The right to non-discrimination for exercising any of the above.
We do not knowingly process the personal information of consumers under 16 years of age without affirmative authorization (the CPRA “opt-in” standard for minors).
10. Cookies & tracking technologies
We use a small first-party session cookie (tsb_session, lifetime: closed browser) to keep your shopping cart and checkout state intact between page loads. It is strictly necessary under ePrivacy Directive 2002/58/EC Article 5(3) and therefore does not require consent. We also store your cookie-banner choice in a first-party cookie (tsb_consent_v1, 6-month lifetime) so we don't prompt you on every visit.
With your consent (via the cookie banner), we may also load the following tracking tags. Each one is gated behind Google Consent Mode v2, meaning they do not set cookies or send personal data until you explicitly accept:
- Google Analytics 4 — pageview & conversion measurement
All consent-requiring tags default to denied on first visit. If you select “Reject all” or simply close the banner without accepting, none of these tags will fire and no third-party cookies will be set.
You can change your choice at any time using the “Cookie settings” link in the footer. Withdrawing consent is as simple as giving it: one click, instant effect, no dark patterns. We respect Global Privacy Control (GPC) signals as a valid opt-out under CCPA.
11. Children
Our service is not directed at children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@topsocialboost.com and we will delete the records promptly.
12. Security measures
- TLS 1.3 in transit (HSTS preload-eligible).
- AES-256 at rest for database storage and backups.
- Application-layer encryption (PostgreSQL pgcrypto) for sensitive setting values (API keys for processors).
- Argon2id password hashing for staff accounts (no customer passwords are stored — see §3).
- Network isolation: database not reachable from the public internet.
- 2-factor authentication required on all administrative accounts.
- Quarterly internal access review and logged admin actions (audit trail).
13. Updates to this policy
We update this policy when our practices change or when new regulation (e.g., the EU AI Act, or amendments to the CCPA) requires it. The “Last updated” date at the top always reflects the most recent change. For material changes that expand the categories of data we collect or the recipients we share with, we will additionally email all customers with active orders at least 30 days before the change takes effect.
14. Contact
Privacy enquiries: privacy@topsocialboost.com
General support: support@topsocialboost.com