Third-Party Data Sharing Policy

Firstage Inc. ("Company", "we", "us", or "our") is committed to protecting your personal information when sharing data with third-party services. This policy complies with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

---

Overview of Third-Party Data Sharing

Sharing Principles

We do not sell, rent, or trade your personal information. We share data with third parties only when:

1. You have provided explicit consent
2. It is necessary for service provision
3. Required by law or legal process
4. To protect our rights and safety

Note: Following Buffer's approach, Firstage is not responsible for any third-party service's use of your exported information once shared through our platform integrations.

Social Media Platform Integrations

Meta Platforms (Facebook, Instagram)

Purpose: Stage profile social media integration, custom audience creation Data Shared:

• Hashed user identifiers
• Post content and metadata
• Engagement metrics (likes, comments, shares)
• Anonymized audience insights

Legal Basis: Consent (GDPR Art. 6(1)(a)) Retention: Up to 180 days per Meta's policy Safeguards: API encryption, secure token management, data minimization

Google Services (Analytics, Ads, Cloud)

Purpose: Website analytics, advertising optimization, AI content generation Data Shared:

• Anonymized website usage statistics
• Advertising click and conversion data
• AI prompt data for content generation
• Performance metrics

Legal Basis: Consent (GDPR Art. 6(1)(a)) Retention: Up to 26 months per Google's policy Safeguards: Google Cloud security standards, data encryption

Other Social Platforms

Platforms: LinkedIn, Twitter/X, TikTok, YouTube, Bluesky, Threads Purpose: Unified social media management, automated content publishing Data Shared: Account linking information, post content, scheduling data Legal Basis: Consent Safeguards: Platform-specific API security protocols

AI Service Providers

Google Cloud (Vertex AI)

Purpose: AI content generation, natural language processing, translation services Data Processed:

• User prompts and instructions
• Generated content outputs
• Anonymized usage patterns for service improvement

Service Provider: Google Cloud Platform Processing Activities: AI model inference, data processing Retention: Until service delivery completion Safeguards: Google Cloud security and privacy policies

OpenAI (ChatGPT, GPT-4, etc.)

Purpose: Advanced AI content generation, text translation and summarization, creative assistance Data Processed:

• User prompts and instructions
• Contextual information for content generation
• Text translation and editing requests
• AI-generated outputs (for quality improvement)

Service Provider: OpenAI, L.L.C. (United States) Processing Activities: AI model inference, natural language processing, content generation Retention: 30 days (OpenAI API policy) Safeguards:

• HTTPS encrypted transmission
• Automatic personally identifiable information filtering
• Training data usage exclusion (opt-out)
• User-specific data isolation

Anthropic Claude (Supplementary AI Services)

Purpose: Safe AI content generation, long-form text analysis, multilingual translation Data Processed:

• Content generation prompts
• Document analysis and summarization requests
• Multilingual translation and localization requests
• Conversational AI interaction records

Service Provider: Anthropic PBC (United States) Processing Activities: Conversational AI services, text analysis and generation Retention: 90 days (Anthropic policy) Safeguards:

• Constitutional AI-based safety assurance
• Automatic harmful content blocking
• Personal information processing minimization
• End-to-end encryption

Analytics and Marketing Services

Web Analytics

Service Providers: Google Analytics, Mixpanel Purpose: Website usage analysis, user experience improvement Data Shared: Anonymized page visit records, click events, session data Retention: 26 months (Google), 5 years (Mixpanel)

Email Marketing

Service Providers: SendGrid, Mailchimp Purpose: Service notifications, marketing communications Data Shared: Email addresses, names, service usage status Retention: Until marketing consent withdrawal

Payment and Billing Services

Payment Processors

Service Providers: Stripe, Paddle Purpose: Payment processing, subscription management, tax handling Data Shared: Payment information, billing details, transaction history Retention: 7 years (legal compliance requirements) Safeguards: PCI DSS compliance, card data tokenization

Customer Support Services

Help Desk Operations

Service Providers: Intercom, Zendesk Purpose: Customer inquiry handling, technical support Data Shared: Inquiry content, contact information, service usage records Retention: 1 year after inquiry resolution

Design Tool Integration

Canva, Inc

Purpose: Design template provision, design export service, content creation support Data Shared:

• User authentication information (OAuth token)
• Design ID and metadata
• Selected design information (title, size, etc.)
• Design export request data

Legal Basis: Consent (GDPR Art. 6(1)(a)) Retention Period: Authentication token until disconnected from account settings, design metadata during service usage period Safeguards:

• OAuth 2.0 based secure authentication
• HTTPS encrypted transmission
• Token isolation management per user
• Compliance with Canva API security policy Canva Privacy Policy: https://www.canva.com/policies/privacy-policy/

Infrastructure and Hosting

Cloud Services

Service Providers: Google Cloud Platform, Amazon Web Services Purpose: Service infrastructure, data storage and backup Data Processed: All service data Retention: During service usage period Safeguards: ISO 27001, SOC 2 certification compliance

International Data Transfers

Transfer Destinations

• United States: Google, Meta, Stripe, OpenAI
• Ireland: Meta Platforms (EU entity)
• Singapore: AWS Asia data centers
• Other locations: As required for service delivery

Transfer Mechanisms and Safeguards

Legal Basis:

• GDPR Art. 44-49 (Adequacy decisions, SCCs, or consent)
• CCPA exemptions for service providers

Safeguards:

• EU Standard Contractual Clauses (SCCs)
• UK International Data Transfer Agreement (IDTA)
• Encryption in transit and at rest
• Regular security audits and assessments

User Rights and Responsibilities

Your Rights

1. Right to Object: Opt-out of third-party data sharing
2. Right of Access: Request information about data sharing
3. Right to Rectification: Correct inaccurate shared data
4. Right to Erasure: Request deletion of shared data
5. Right to Data Portability: Receive your data in portable format

Our Responsibilities

• Implement appropriate safeguards for data sharing
• Monitor and supervise third-party processors
• Notify of data breaches within legal timeframes
• Conduct regular privacy impact assessments

Limitation of Liability

Third-Party Service Usage: When you use third-party services through our platform (such as social media integrations), those services' privacy policies apply to their processing of your information. Firstage is not responsible for third-party services' data practices beyond our direct integration points.

Consent Management and Service Limitations

Withdrawing Consent

How to Withdraw:

1. Website: Account Settings → Privacy Management → Third-Party Sharing
2. Email: [email protected]
3. Phone: +1-XXX-XXX-XXXX (Business hours: 9 AM - 6 PM)

Service Limitations Upon Withdrawal

• Social media integration features unavailable
• Personalized recommendations limited
• AI content generation quality may decrease
• Marketing communications restricted

Policy Changes and Notifications

Change Process

For significant third-party sharing policy changes:

1. 30-day advance notice: Website notifications
2. Individual email notices: To registered users
3. Explicit re-consent: When adding new third parties

Contact and Complaints

Data Protection Officer

• Name: Hooney, Seol
• Position: Data Protection Officer
• Contact: [email protected]
• Address: [To be updated]

Supervisory Authorities:

• EU/UK: Local data protection authority
• California: California Attorney General's Office
• Other jurisdictions: As applicable to your location