Privacy Policy — Outsource by The Good Picture

1. Who we are

Outsource is a marketing-services platform operated by The Good Picture (legal entity Upwelling Ltd), based in Nairobi, Kenya (“we”, “us”, “our”). We act as the data controller for personal data processed at outsource.thegoodpicture.com.

Our data-protection contact is contact@thegoodpicture.com. Privacy matters are handled by our team and escalated to our founders, Frédéric Cavé and Alexandre Brecher, where needed.

2. Data we collect

Account data — name, email, role, company, and authentication details.
Content you provide — briefs, comments, files, and other materials you submit for marketing work.
Usage data — pages visited, actions taken, device and browser information, and log data.
Integration data — when you connect a third-party account (e.g. LinkedIn), we store access tokens (encrypted at rest) and basic profile information needed to provide the integration.

3. How we use your data

To provide, operate, and improve the platform and our marketing services.
To produce, review, and — only when you initiate it — publish content on your behalf.
To communicate with you about your account, deliveries, and support requests.
To maintain security, prevent abuse, and meet legal obligations.

We do not sell your personal data.

4. Cookies & tracking

We use only essential cookies — primarily your authentication session — required to keep you signed in and to operate the platform securely. We do not currently use third-party advertising or analytics trackers. If we introduce analytics in future, we will update this policy and, where required, request your consent first.

5. Third-party integrations

When you connect an external service such as LinkedIn (and, in future, Meta and other platforms), we access and store only the data and permissions required to deliver the feature you enabled — for example, creating draft posts on your LinkedIn profile at your request. We use those tokens solely to perform actions you initiate, and you can disconnect an integration at any time from your profile settings, which removes the stored tokens. Your use of those services is also governed by their own terms and privacy policies.

6. Subprocessors

We rely on the following subprocessors to operate the Service. Each is bound by a data-processing agreement:

Vercel — Hosting & content deliveryPrivacy policy ↗

Supabase — Database & authenticationPrivacy policy ↗

Anthropic — AI content generationPrivacy policy ↗

Resend — Transactional emailPrivacy policy ↗

Sentry — Error monitoringPrivacy policy ↗

LinkedIn — Publishing (when you connect it)Privacy policy ↗

Meta — Publishing (when added/connected)Privacy policy ↗

7. Where your data is stored & international transfers

Your account and content data is stored in our primary database (Supabase), hosted in the European Union (Frankfurt region). Application hosting and serverless processing (Vercel) currently run in the United States, and some subprocessors (Anthropic, Resend, Sentry) are US-based.

Where personal data of individuals in the EU/UK is transferred outside the EEA/UK — for application processing or to those subprocessors — we rely on appropriate safeguards under GDPR Article 46, principally Standard Contractual Clauses, together with the subprocessors’ own transfer mechanisms.

8. Legal bases (GDPR)

Where the GDPR applies, we process personal data on the bases of performance of a contract (providing the service you signed up for), our legitimate interests (operating and securing the platform), your consent (e.g. optional integrations), and compliance with legal obligations.

9. Data sharing

We share data with the subprocessors listed above, with third-party platforms you choose to connect, and where required by law. We do not otherwise disclose your personal data.

10. Data retention

We keep personal data only as long as needed for the purposes above. Specific periods:

Account data — lifetime of the account + 30 days after deletion.
Content & deliveries — lifetime of the account + 90 days.
System logs — 90 days.
LinkedIn (and similar) tokens — until you disconnect the integration or the token expires.
Audit logs — 2 years.

11. Your rights

Subject to applicable law, you may exercise the following rights by emailing contact@thegoodpicture.com. We respond within 30 days.

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — ask us to delete your data (the right to be forgotten).
Portability — receive your data in a structured, machine-readable format.
Restriction — ask us to limit how we process your data.
Objection — object to processing based on our legitimate interests.

You may also lodge a complaint with your local data-protection authority.

12. Children’s data

Outsource is a business tool intended for professional use. It is not directed to, and we do not knowingly collect personal data from, anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.

13. Breach notification

In the event of a personal-data breach likely to affect your rights, we will notify affected users and, where required, the relevant supervisory authority within 72 hours of becoming aware, in line with GDPR Articles 33 and 34.

14. Security

We use industry-standard measures including encryption in transit, encryption of stored integration tokens, access controls, and audit logging. No method of transmission or storage is completely secure, but we work to protect your data and review our practices regularly.

15. Changes to this policy

We may update this policy from time to time. For material changes, we will give at least 30 days’ notice by email and update the effective date above before the changes take effect.

16. Contact

The Good Picture (Upwelling Ltd) — Nairobi, Kenya. contact@thegoodpicture.com

This document is our current policy. It will be revised as our service evolves. For questions, contact us at contact@thegoodpicture.com.