GDPR Compliance

Last updated: April 9, 2025

Compliant with GDPR and UK GDPR. Mediux AI is committed to protecting your personal data and respecting your privacy rights under the EU General Data Protection Regulation (Regulation 2016/679) and the UK Data Protection Act 2018.

1. Overview

The General Data Protection Regulation (GDPR) is a European Union regulation that took effect on 25 May 2018 and governs how organisations collect, store, and process personal data of individuals in the EU and EEA. The UK GDPR is the UK-specific equivalent following Brexit, supplemented by the Data Protection Act 2018.

This page explains the additional rights and protections that apply to you if you are a resident of the European Economic Area (EEA), the United Kingdom, or Switzerland. For our complete privacy practices, please also see our Privacy Policy.

2. Data Controller

For the purposes of GDPR and UK GDPR, Mediux AI acts as the data controller of the personal data you provide directly to us (account information, billing details, content you create). For the personal data processed through connected social media platforms, we act as a data processor on your behalf.

Mediux AI

532 Southend Road

Hornchurch, Greater London

RM12 5PA, United Kingdom

Email: privacy@mediuxai.com

Phone: +44 7921 353346

3. Your Rights Under GDPR

As a data subject in the EEA, UK, or Switzerland, you have the following rights:

  • Right to be informed (Art. 13–14): To know how your personal data is being collected and used — this notice fulfils that obligation.
  • Right of access (Art. 15): To request a copy of the personal data we hold about you, free of charge.
  • Right to rectification (Art. 16): To have inaccurate or incomplete personal data corrected.
  • Right to erasure / "right to be forgotten" (Art. 17): To request deletion of your personal data where there is no compelling reason for us to keep processing it.
  • Right to restrict processing (Art. 18): To request that we limit the use of your data in certain circumstances.
  • Right to data portability (Art. 20): To receive your personal data in a structured, machine-readable format, and to have it transmitted to another controller.
  • Right to object (Art. 21): To object to processing based on legitimate interests, direct marketing, or research and statistics.
  • Rights related to automated decision-making (Art. 22): To not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
  • Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint (Art. 77): With a supervisory authority — see Section 13 below.

5. Categories of Personal Data We Process

  • Identity data: Name, email, password (hashed), profile picture, billing address.
  • Account data: User ID, plan, role, organisation membership.
  • Connected social media data: Account handles, platform user IDs, OAuth access tokens (encrypted), the content of comments and DMs received through connected accounts.
  • Content data: Posts, captions, hashtags, media you upload, AI prompts you provide.
  • Usage data: Pages visited, features used, log timestamps.
  • Technical data: IP address, device type, browser, OS, time zone.
  • Marketing & communications data: Preferences for receiving marketing.
  • Payment data: Subscription status, invoices, last 4 digits of card (full card data is held by Stripe, not us).

We do not knowingly collect special category data (Art. 9) such as health, biometric, or political opinion data.

6. Subprocessors

We use carefully selected third-party providers to deliver parts of the Service. All subprocessors are bound by data processing agreements that include GDPR-compliant safeguards.

Subprocessor      | Purpose                          | Location
------------------|----------------------------------|---------------------------
Stripe, Inc.      | Payment processing & billing     | USA (SCCs in place)
Anthropic PBC     | AI content generation (Claude)   | USA (SCCs in place)
OpenAI, LLC       | AI image generation              | USA (SCCs in place)
Meta Platforms    | Instagram & Facebook publishing  | Ireland / USA
Google LLC        | YouTube publishing               | Ireland / USA
TikTok            | TikTok publishing                | Ireland / Singapore
LinkedIn Corp.    | LinkedIn publishing              | Ireland / USA
X Corp.           | X (Twitter) publishing           | USA
Resend            | Transactional emails             | USA (SCCs in place)
Vercel / hosting  | Application hosting              | EU / USA

An up-to-date subprocessor list is available on request. We will notify customers of new subprocessors with a reasonable opportunity to object.

7. International Data Transfers

Where personal data is transferred outside the EEA or the UK, we rely on appropriate safeguards under GDPR Chapter V:

  • Adequacy decisions by the European Commission and the UK Government, where they apply.
  • Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914) and the UK's International Data Transfer Agreement (IDTA).
  • Supplementary measures including encryption in transit (TLS 1.2+) and at rest, access controls, and contractual restrictions.
  • EU–US Data Privacy Framework certification where the subprocessor participates.

You can request a copy of the safeguards in place for any specific transfer by contacting our DPO.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in our Privacy Policy, and as required by law.

Data type                              | Retention period
---------------------------------------|------------------------------------------------
Account & profile data                 | Duration of account + 30 days after deletion
Content (posts, drafts)                | Duration of account + 30 days
Connected account OAuth tokens         | Until you disconnect the account or revoke access
Comments & DMs from social platforms   | 90 days, or until you disconnect the account
Billing & invoice data                 | 7 years (UK statutory requirement)
Audit / security logs                  | 12 months
Marketing preferences                  | Until you opt out, then archived for 24 months

9. Automated Decision-Making & AI

The Service includes AI features (caption generation, image generation, content suggestions, auto-reply suggestions). These are decision-support tools, not automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR. You always remain in control of whether AI-generated content is published.

If you are concerned about how an AI feature has used your data, contact our DPO at dpo@mediuxai.com.

10. Security Measures

We implement appropriate technical and organisational measures under Article 32 GDPR, including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Hashing of passwords using industry-standard algorithms.
  • Role-based access control and least-privilege principles.
  • Regular software patching and security reviews.
  • Logging and monitoring of administrative access.
  • Data minimisation and pseudonymisation where practicable.
  • Incident response procedures, including a commitment to notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it (Art. 33 GDPR), and to notify affected individuals where the breach is likely to result in a high risk to their rights (Art. 34 GDPR).

11. Data Protection Officer

You can contact our Data Protection Officer for any GDPR-related question, concern, or request:

Data Protection Officer — Mediux AI

Email: dpo@mediuxai.com

532 Southend Road

Hornchurch, Greater London

RM12 5PA, United Kingdom

12. How to Exercise Your Rights

To exercise any of the rights described in Section 3, you can:

  • Use the in-product privacy controls in Settings → Account.
  • Email us at privacy@mediuxai.com with the subject "GDPR Request".
  • Write to our registered office (see Section 2).

We will respond within one month of receiving a verifiable request (Art. 12 GDPR). This period may be extended by two further months for complex requests; we will let you know if so. Requests are normally handled free of charge — only manifestly unfounded or excessive requests may incur a reasonable fee.

To protect your data, we may need to verify your identity before processing a request.

13. Right to Lodge a Complaint

We hope you will come to us first with any concern, but you have the right to lodge a complaint with the supervisory authority in your country of residence:

UK — Information Commissioner's Office

Wycliffe House, Water Lane

Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Web: ico.org.uk

EU/EEA — Your national authority

A list of national data protection authorities is published by the European Data Protection Board:

Web: edpb.europa.eu

14. Children's Data

Our Service is not directed to children under the age of 16. We do not knowingly collect personal data of children under 16 in the EEA or UK. If you believe a child has provided us with their data, please contact our DPO and we will delete it promptly.

15. Updates to This Notice

We may update this notice to reflect changes in law, our practices, or supervisory authority guidance. Material changes will be communicated through the Service or by email. The "Last updated" date at the top of this page indicates when the latest revisions were made.

16. Contact

For all GDPR-related enquiries, please contact:

Mediux AI — Privacy Team

Privacy: privacy@mediuxai.com

DPO: dpo@mediuxai.com

Support: support@mediuxai.com

Registered office

532 Southend Road

Hornchurch, Greater London

RM12 5PA, United Kingdom