Privacy Policy
Last updated: [EFFECTIVE DATE]
This Privacy Policy explains how [COMPANY LEGAL NAME] (“PostPost”, “we”, “us”) collects, uses, and shares personal data when you use our website and the PostPost service (the “Service”), and the rights you have. For data protection purposes, the controller is [COMPANY LEGAL NAME], [REGISTERED ADDRESS].
Where you use the Service to process personal data about your own customers, contacts, or audiences, you are the controller of that data and we act as your processor — see our Data Processing Addendum.
1. Personal data we collect
Data you provide
- Account data: name, email address, password, and (for sign-in with Google) basic profile information.
- Brand and business data: information you add about your business or your clients’ businesses — brand name, website URL, logos, colors, fonts, services, pricing, audience, and voice samples.
- Content: posts, captions, images, files, and other content you create, upload, import, or schedule.
- Workspace and team data: members you invite, their roles, and approval activity.
- Billing data: we use Stripe to process payments. Stripe collects your payment-card and billing details directly; we receive limited information such as your plan, billing country, the last four digits and brand of your card, and transaction status. We do not store full card numbers.
- Communications: messages you send us (for example, support requests) and your responses to surveys or our waitlist.
Data from connected platforms
When you connect a social account (X/Twitter, LinkedIn, Instagram, Facebook, TikTok, Threads, Pinterest, YouTube, Telegram, Bluesky, Mastodon, Discord, and others), we receive and store access credentials or tokens and, depending on the platform, profile details, account identifiers, the content you publish through us, and engagement and analytics metrics. We use this only to provide the Service at your direction.
Data collected automatically
- Usage data: how you interact with the Service — pages and features used, actions taken, and timestamps.
- Device and log data: IP address, browser type, device and operating system, referring pages, and diagnostic/error data.
- Cookies and similar technologies: see our Cookie Policy.
2. How we use personal data
- Provide, operate, secure, and maintain the Service, including creating and managing your account and workspaces.
- Generate AI-assisted content at your request and publish, schedule, and retrieve analytics for your Connected Platforms.
- Process payments, manage subscriptions, and prevent fraud.
- Provide customer support and respond to your requests.
- Send service and transactional messages (for example, security alerts, billing notices, and product updates).
- Understand usage and improve and develop the Service (product analytics and error monitoring).
- Send marketing communications where permitted, and measure the effectiveness of our marketing and advertising (including via advertising platforms such as Google and Meta) — subject to your cookie/consent choices.
- Comply with legal obligations and enforce our terms and policies.
We do not use the content you upload, or your customers’ personal data, to train third-party AI models, and we instruct our AI sub-processors not to use it to train their models, where such an option is available.
AI features generate and suggest content at your request, and you decide what to review, edit, and publish. We do not use them to make solely automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.
3. Legal bases (EEA/UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR, mapped to each purpose:
| Purpose | Legal basis |
|---|---|
| Create and manage your account and workspaces; provide, operate, and maintain the Service; generate AI-assisted content at your request and publish, schedule, and retrieve analytics for your Connected Platforms; provide support. | Performance of a contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions; keep billing and tax records. | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting records (Art. 6(1)(c)) |
| Secure the Service and prevent fraud and abuse; debug, improve, and develop the Service (product analytics and error monitoring); promote the Service. | Legitimate interests (Art. 6(1)(f)) — our interest in keeping the Service secure, reliable, and growing, balanced against your rights. |
| Set non-essential cookies, run analytics and advertising, and send marketing where consent is required. | Consent (Art. 6(1)(a)) — you may withdraw it at any time, without affecting prior processing. |
| Comply with legal obligations and respond to lawful requests. | Legal obligation (Art. 6(1)(c)) |
4. Cookies and advertising
We and our partners use cookies and similar technologies for essential functionality, analytics, and advertising. We use advertising and measurement tools from Google (such as Google Ads tags and conversion tracking) and Meta (the Meta/Facebook Pixel) to measure and optimize our marketing and to show ads on those platforms. In regions that require consent, these tools load only after you consent, and we apply Google Consent Mode signals accordingly. You can manage your choices at any time — see our Cookie Policy.
5. How we share personal data
We do not sell your personal data. We share it only as described here:
- Sub-processors and service providers who help us run the Service (hosting, storage, payments, AI, analytics, error monitoring, email). They process data on our behalf under contract. See the current list in our Data Processing Addendum.
- Connected Platforms — at your direction, we transmit your content and instructions to the social platforms you connect.
- Advertising and analytics partners — subject to your consent, as described above.
- Legal and safety — where required by law, to enforce our terms, or to protect the rights, safety, and security of users, the public, or us.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
6. International transfers
We and our sub-processors may process personal data in countries other than your own, including outside the EEA/UK. Where we transfer personal data internationally, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) or transfers to countries with an adequacy decision.
7. Retention
We keep personal data only for as long as necessary for the purposes set out in this Policy. We determine retention by the following criteria, per category of data:
- Account, brand, and workspace data: kept while your account is active, and deleted or anonymized within [e.g. 30–90 days] of account closure.
- Content and connected-platform tokens: kept until you delete the content or disconnect the platform, or your account is closed.
- Billing and tax records: kept for the period required by applicable tax and accounting law (typically [e.g. 6–10 years]).
- Support communications: kept for as long as needed to handle your request and a reasonable period afterward.
- Logs, security, and diagnostic data: kept for a limited period (typically [e.g. up to 12 months]) for security and troubleshooting.
- Backups: limited backup copies may persist for a short period after deletion before being overwritten.
Where we must retain data to comply with legal obligations, resolve disputes, or enforce our agreements, we keep it for as long as necessary for those purposes.
8. Security
We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls, and secure storage of credentials and tokens. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority. To exercise these rights, contact us at support@postpost.app. We may need to verify your identity. You will not be discriminated against for exercising your rights.
EEA/UK: you may complain to your local data protection authority.
California (CCPA/CPRA): you have the rights to know, delete, and correct, to opt out of the “sale” or “sharing” of personal information, and to limit the use of sensitive personal information. We do not sell personal information for money; however, the use of advertising cookies may be considered “sharing” under California law. You can exercise your opt-out through our cookie settings or by contacting us. If you process data of California residents on behalf of your clients, those individuals should contact the relevant business.
10. Children
The Service is not directed to, and we do not knowingly collect personal data from, children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
11. Third-party links
The Service and our content may link to third-party websites and services we do not control. This Policy does not apply to them; review their privacy policies.
12. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you (for example, by email or in-app notice) and update the “Last updated” date above.
13. Contact
For privacy questions or requests, contact us at support@postpost.app or by mail at [COMPANY LEGAL NAME], [REGISTERED ADDRESS].
Our Data Protection Officer / privacy contact (if applicable): [DPO NAME / EMAIL, if appointed]. EU representative (Art. 27 GDPR), if applicable: [EU REPRESENTATIVE]. UK representative, if applicable: [UK REPRESENTATIVE].