Dool Social Privacy Policy

Terms of Service
Dool Social – Internal Application 

Last updated: 9 February 2026 

This Privacy Policy explains how Dool Creative Agency Ltd (the “Agency”, “we”, “us”, or “our”) processes personal data in connection with the Dool Social application (the “App”). The App is an internal operational tool used exclusively by authorised Agency employees and contractors to manage social media accounts on behalf of Agency clients. 

1. Data controller 
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is: Dool Creative Agency Ltd 71–75 Shelton Street London WC2H 9JQ United Kingdom Company number: 12340031 ICO registration number: ZB399107 Where the Agency processes personal data strictly on behalf of a client (for example, publishing content or retrieving analytics from third-party platforms), the Agency acts as a data processor in accordance with the applicable client agreement.  

2. Scope of this policy 
This Privacy Policy applies solely to personal data processed within the App. It does not govern the privacy practices of third-party social media platforms or services, including but not limited to Meta (Facebook / Instagram), TikTok, LinkedIn, Google / YouTube, and Google Business Profile. These platforms act as independent data controllers and their own privacy policies apply. 

3. Categories of personal data processed 
Depending on how the App is used, the following categories of personal data may be processed: User data (Agency personnel), including name, work email address, internal user ID, role and permission level, authentication identifiers, login metadata, and activity or audit logs related to App usage. Client-related account data, including identifiers of connected third-party platform accounts and authorisation tokens required to act on those accounts. Content and operational data, including content drafts, captions, hashtags, uploaded media files, schedules, and publishing metadata. Communications data, including messages, comments, and interaction metadata retrieved from connected platforms where this functionality is enabled. Analytics and reporting data, including performance metrics, engagement statistics, and reporting outputs derived from connected platforms. Technical and security data, including IP address, device or browser metadata, timestamps, and system or security logs. 

4. Purposes and legal bases for processing 
Personal data is processed for the following purposes and lawful bases: To operate, administer, and provide access to the App for authorised Agency work, based on the Agency’s legitimate interests. To perform services for Agency clients and act on client instructions when managing social media accounts, based on the performance of a contract. To connect to third-party platforms, publish content, retrieve data, and generate reports, based on the performance of a contract. To maintain security, access control, auditability, and system integrity, based on the Agency’s legitimate interests and, where applicable, legal obligations. To troubleshoot, maintain, and improve the App’s functionality, based on the Agency’s legitimate interests. Processing is limited to what is necessary and proportionate for internal Agency operations. 

5. Data sharing and disclosures 
Personal data may be shared: With third-party platforms, when accounts are connected, content is published, or analytics are retrieved via official APIs. With service providers that support the Agency’s operations (such as hosting, cloud infrastructure, databases, file storage, and monitoring tools), acting solely on the Agency’s instructions. With competent authorities, legal advisors, or other parties where required by law or necessary to protect legal rights, security, or compliance. The Agency does not sell personal data and does not use App data for advertising or profiling purposes. 

6. International data transfers 
Some third-party platforms and infrastructure providers may process personal data outside the United Kingdom or the European Economic Area. Where international transfers occur, the Agency relies on appropriate safeguards recognised under UK GDPR, including adequacy regulations, standard contractual clauses, or other lawful transfer mechanisms. 

7. Data retention 
Personal data is retained only for as long as necessary to perform internal Agency operations, fulfil client obligations, and comply with legal, regulatory, and security requirements. Retention periods may vary depending on the type of data, client instructions, and applicable law. Access to the App is revoked when a user’s engagement with the Agency ends. 

8. Access controls and confidentiality 
Access to the App is restricted to authorised users only. Permissions are role-based and reviewed periodically. All users are subject to contractual confidentiality obligations. 

9. Security measures 
The Agency implements appropriate technical and organisational measures to protect personal data, including secure authentication, access controls, protection of tokens and credentials, audit logging, monitoring, and infrastructure-level security controls. No system is entirely secure, but reasonable measures are taken to prevent unauthorised access, loss, or misuse of data. 

10. Data subject rights 
Where applicable under UK GDPR, individuals may exercise rights including access, rectification, erasure, and restriction of processing. Requests should be submitted internally to the Agency. Certain data may be retained where required for legal, security, or compliance purposes. 

11. Children’s data 
The App is not intended for use by children and is used exclusively for internal Agency business purposes.  

12. Changes to this policy 
This Privacy Policy may be updated from time to time. Continued use of the App constitutes acceptance of the updated version. 

13. Internal contact 
For questions regarding this Privacy Policy or the App, contact the Agency’s system administrator or operations team.