Privacy Policy

Effective date: 2026-04-19

Last updated: 2026-04-19

1. Who we are

Popp Media Agency ("Popp Media," "we," "our," or "us") is a marketing, content production, and automation agency operating out of California, USA. This Privacy Policy covers personal information we collect through poppmedia.agency and our client-facing publishing platform at me.poppmedia.agency (the "Services").

Our legal contact for privacy questions is legal@poppmediaagency.com. Mail can be sent to Popp Media Agency, 7051 Coldwater Canyon Ave, North Hollywood, CA 91605.

2. Information we collect

2.1 Information you provide directly

Contact details: name, email, phone number, company name, job title
Project details you share during discovery, scoping, or onboarding
Billing and payment information (we use third-party payment processors; we do not store full card numbers)
Account credentials you create to access client workspaces
Content you upload, schedule, or publish through our platform
Social media account credentials you authorize us to connect (stored encrypted; see Section 5)

2.2 Information collected automatically

Device and browser information (user agent, OS, language, screen size)
IP address and approximate geographic location (country/region)
Pages visited, time on page, referring URL, session activity
Cookies and similar technologies (see Section 6)

2.3 Information from third parties

When you authorize us to connect a social platform (e.g., Facebook Pages, LinkedIn, YouTube, Google Business Profile), we receive profile metadata, account identifiers, access tokens, and platform-reported metrics solely to operate the Services on your behalf. We request the minimum scopes required for the features you use.

3. How we use information

Provide, operate, maintain, and improve the Services
Respond to inquiries, support requests, and proposals
Schedule and publish content to platforms you have connected
Send service notifications, invoices, and (if opted-in) marketing emails
Detect, prevent, and respond to abuse, fraud, or security incidents
Comply with legal obligations and enforce our Terms

We do not sell your personal information. We do not use your data or your clients' data to train third-party AI models.

4. Legal bases (GDPR)

For users in the European Economic Area, UK, or Switzerland, our legal bases are:

Contract: to deliver the Services you hired us to perform
Legitimate interests: operating, securing, and improving the Services
Consent: optional marketing emails and non-essential cookies (you can withdraw at any time)
Legal obligation: tax records, financial reporting, law-enforcement requests

5. How we store and protect information

Data is hosted on servers physically located in the United States. Social platform access tokens are encrypted at rest using AES-256 via our credential encryption service. Audit logs are tamper-evident (hash-chained) and retained for 15 years for legal-hold compliance.

No system is perfectly secure. We maintain reasonable administrative, technical, and physical safeguards and notify affected users of material security incidents without undue delay as required by law.

6. Cookies

We use cookies for the following purposes:

Strictly necessary: authenticate you, remember your workspace, protect against CSRF
Preferences: theme, language, sidebar layout
Analytics: aggregate, anonymized site usage (we use Cloudflare Web Analytics, which does not use individual tracking cookies)

You can block cookies in your browser settings. Strictly necessary cookies may break core functionality if blocked.

7. Third parties we share data with

We do not sell data. We share the minimum necessary data with vendors that help us run the Services. As of the effective date, these are:

Hosting / infrastructure: our VPS provider, Cloudflare (DNS, tunnels, CDN, WAF)
Payment processing: Stripe
Email delivery: SMTP relay; email addresses only as needed
Social platforms you connect: Meta (Facebook, Instagram, Threads), LinkedIn, YouTube, Google Business Profile, X, TikTok, Pinterest, Discord, Slack, Telegram, Reddit — data flows strictly per your authorization
Self-hosted Postiz: our publishing engine, running on our own infrastructure under this same Policy
AI services: Anthropic (Claude); data is not used for model training

Each vendor is bound by a written agreement or their published Data Processing Addendum.

8. Data retention

Account and project data: for the life of the engagement and 7 years after (tax, legal)
Audit events: 15 years
Marketing email opt-ins: until you unsubscribe
Server logs: 90 days rolling
Expired tokens: auto-purged via TTL index

9. Your rights

9.1 California (CCPA / CPRA)

California residents have the right to: know what personal information we collect, delete your information, correct inaccuracies, opt-out of "sale" or "sharing" (we do neither), and limit use of sensitive personal information. We do not discriminate against users who exercise these rights.

9.2 European Economic Area / UK

You have rights to access, rectify, erase, restrict, object to, and port your personal data. You can lodge a complaint with your local supervisory authority.

9.3 How to exercise rights

Email legal@poppmediaagency.com from the address on file and we'll verify your identity and respond within 30 days (45 for CCPA).

10. Children's privacy

The Services are not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we'll delete it.

11. International transfers

We operate in the United States. If you access the Services from outside the U.S., your data is transferred to and stored in the U.S. Where required, we rely on Standard Contractual Clauses.

12. Changes

We may update this Policy. Material changes will be emailed to active account holders and announced on this page at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.

13. Contact

Popp Media Agency
7051 Coldwater Canyon Ave
North Hollywood, CA 91605
legal@poppmediaagency.com