Privacy Policy

Last updated: 23 April 2026

1. Who we are

Milkman is a service provided by Milkman Stories Media (Chamber of Commerce number 73573566), a company registered in the Netherlands at Jupiterkade 7, 2516BS The Hague. In this policy "we", "us", or "Milkman" refers to Milkman Stories Media. We are the data controller for the personal data we process through the Milkman application ("Service") available at app.milkman.one.

2. What data we collect

We collect the following categories of personal data:

  • Account data: email address, name, avatar (optional), hashed password or OAuth identifier.
  • Workspace & content data: brand profiles, content drafts, outlines, assets you upload, and AI-generated content associated with your workspace.
  • Connected social accounts: access tokens and basic profile information for LinkedIn, Facebook, Instagram, and YouTube accounts you connect, strictly to perform actions you request (publishing posts, reading engagement metrics).
  • Usage data: pages viewed, feature interactions, token consumption for billing purposes.
  • Billing data: processed by Stripe — we store only the customer reference and subscription status, not card details.
  • Technical data: IP address, browser type, device information, cookies strictly necessary for authentication.

3. Why we process your data (legal basis)

  • Contractual necessity: to provide the Service you signed up for (account, workspace, content generation, publishing).
  • Legitimate interest: to secure the Service, prevent abuse, and improve product quality through aggregated usage analysis.
  • Legal obligation: to comply with tax and accounting laws (invoices are retained for 7 years).
  • Consent: for optional cookies (analytics) — you can withdraw consent at any time.

4. How we use connected social accounts

When you connect a LinkedIn, Facebook, Instagram, or YouTube account, we store the access token securely and use it only to perform actions you explicitly initiate:

  • Publish content you create in Milkman to the chosen account
  • Read engagement metrics (likes, views, comments) on content you published through Milkman
  • Display your account name, avatar, and basic profile info in the app

We do not access, read, or store any content other than what is directly needed for the above functions. We never post anything without your explicit action. You can disconnect any account at any time in Settings → Channels.

5. Who we share data with

We share data only with service providers strictly necessary to run the Service:

  • Supabase (EU) — database & authentication hosting
  • Vercel (EU) — application hosting
  • Stripe (EU/US, DPA signed) — payment processing
  • Resend (EU) — transactional email delivery
  • Anthropic & OpenAI (US, DPA signed) — AI content generation; content sent to these providers is not used for model training
  • LinkedIn, Meta, Google — only when you explicitly connect those accounts, and only for the actions listed in Section 4

We do not sell your data. We do not share data for advertising purposes.

6. International transfers

Some processors (Anthropic, OpenAI, Stripe) are based outside the EEA. Transfers are covered by Standard Contractual Clauses (SCCs) and/or adequacy decisions where applicable.

7. How long we keep your data

  • Account & workspace data: as long as your account is active. After deletion, all personal data is removed within 30 days.
  • Billing records: 7 years (Dutch tax law).
  • Logs & analytics: 12 months, then deleted or anonymized.

8. Your rights (GDPR)

You have the right to:

  • Access a copy of your personal data
  • Correct inaccurate data
  • Delete your data ("right to be forgotten") — see Data Deletion
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time
  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

To exercise any of these rights, email us at helpdesk@milkman.digital. We respond within 30 days.

9. Security

We use encryption in transit (TLS) and at rest, role-based access controls, regular security updates, and access logging. Access tokens for connected social accounts are encrypted in the database. Only the minimum number of engineers have production access.

10. Cookies

We use only strictly necessary cookies for authentication. We do not use advertising or cross-site tracking cookies. Analytics are aggregated and do not require consent.

11. Changes to this policy

We may update this policy to reflect changes in the Service or legal requirements. Material changes will be communicated via email at least 30 days before taking effect.

12. Contact

Milkman Stories Media
Jupiterkade 7, 2516BS The Hague, Netherlands
KvK 73573566
helpdesk@milkman.digital