This policy explains how SiteSorted collects, uses, and protects your personal data — including data received from Facebook when you connect your account.
Last updated: 17 May 2026
SiteSorted (“we”, “us”, or “our”) is a software-as-a-service (SaaS) platform based in Ireland that automates Facebook ad creation and scheduling for small businesses. We use artificial intelligence to generate ad copy and imagery, and the Facebook Marketing API to post ads to your connected Facebook Page on your behalf.
As data controller, we are responsible for deciding how and why your personal data is processed. We operate under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. This policy applies to all users of the SiteSorted platform at sitesorted.org.
Questions about this policy? Contact us at sitesortedapp@gmail.com.
We collect the following categories of information when you use SiteSorted:
When you sign up, we collect your name and email address through Clerk, our authentication provider. Clerk manages your login credentials and identity securely on our behalf.
To generate ads tailored to your business, you provide us with:
Subscription payments are processed securely by Stripe. We do not store your card number, CVC, or full billing details on our servers. We receive only non-sensitive metadata from Stripe such as your subscription plan, status, and billing period dates.
When you connect your Facebook account to SiteSorted, we receive and store the following data from the Facebook Marketing API:
This data is collected only when you explicitly choose to connect your Facebook account and is used solely to create and manage ads on your behalf. See Section 4 for full details on how we handle Facebook data.
We automatically collect limited technical and usage data including:
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the SiteSorted service | Contract performance |
| Generating AI-powered ad copy via the Claude API (Anthropic) | Contract performance |
| Generating ad imagery via Replicate (AI image generation) | Contract performance |
| Posting ads to your Facebook Page via the Marketing API | Contract performance |
| Processing subscription payments via Stripe | Contract performance |
| Sending service emails (monthly reports, failure alerts) via Resend | Contract performance |
| Preventing fraud and ensuring platform security | Legitimate interests |
| Improving our service through aggregated analytics | Legitimate interests |
| Complying with legal obligations (e.g. tax records) | Legal obligation |
When you connect your Facebook account via OAuth, SiteSorted receives:
Facebook data is used solely and exclusively for the following purposes:
We do not use Facebook data for any other purpose. We do not analyse, sell, license, or share Facebook data with any third parties other than what is strictly required to operate the Marketing API on your behalf.
Facebook data is not shared with any third parties. It is stored securely in our database (Supabase, EU region) and accessed only by the automated systems that post ads on your behalf.
You can disconnect your Facebook account from SiteSorted at any time from the dashboard Settings panel. When you disconnect:
Facebook access tokens and related credentials are stored only for as long as your Facebook account is connected to SiteSorted. They are permanently deleted when you disconnect your Facebook account or delete your SiteSorted account.
Facebook access tokens are stored encrypted in our database. They are never exposed in client-side code, logged in plain text, or transmitted outside of server-side API calls to the Facebook Marketing API.
When you connect Facebook, SiteSorted requests the following permissions:
- ads_management — to create and manage ad campaigns
- ads_read — to retrieve ad performance data
- pages_manage_ads — to manage ads on your Facebook Page
- pages_read_engagement — to read basic Page engagement data
- pages_show_list — to list Pages you manage so you can select the correct one

We request only the minimum permissions necessary to perform ad management on your behalf.
Your data is stored in Supabase, a managed PostgreSQL database hosted on AWS infrastructure in the EU (Ireland region). As an Irish company processing Irish customers' data, we maintain EU data residency by default.
We implement the following security measures to protect your data:
We are a company based in Ireland and are fully subject to the GDPR and the Irish Data Protection Act 2018. We maintain a lawful basis for all data processing activities as described in Section 3.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours and affected individuals without undue delay, as required by GDPR Article 33.
We share your data only with the following trusted third-party processors to operate the SiteSorted platform. Each is engaged under appropriate data processing agreements:
We do not sell your personal data to any third party. We do not share your data with advertisers, data brokers, or any other parties not listed above.
Some third-party processors listed above (including Anthropic, Clerk, Replicate, Resend, and Vercel) are based in the United States. Where we transfer personal data outside the European Economic Area (EEA), we rely on:
We ensure that all international transfers meet the adequacy requirements of GDPR Chapter V.
You have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of any inaccurate or incomplete data.
Right to Erasure
Request deletion of your account and associated data. Note that some data must be retained for legal reasons (e.g. tax records).
Right to Restrict Processing
Request that we limit how we use your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format (e.g. JSON).
Right to Object
Object to processing based on legitimate interests.
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.
We will respond to all requests within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Data Protection Commission (Ireland).
SiteSorted uses only essential cookies required for the platform to function:
We do not use advertising cookies, tracking pixels, or third-party analytics cookies (such as Google Analytics). We do not profile you for advertising purposes.
SiteSorted is designed for businesses and is intended only for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with data, please contact us immediately and we will delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
Continued use of SiteSorted after the effective date of any updated policy constitutes acceptance of that policy. If you disagree with any changes, you may cancel your subscription and request deletion of your data.
If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise your data rights, please contact us:
SiteSorted Privacy Contact
sitesortedapp@gmail.com
We aim to respond to all privacy enquiries within 5 business days and all formal data subject requests within 30 days.