Privacy Policy

For the purposes of applicable data protection laws, the data controller is:

• Postless
• Website: https://postless.app
• Contact: [email protected]

If you are located in the European Economic Area (EEA) or the UK, Postless acts as the data controller for the personal data you provide to us.

We use your personal data for the following purposes:

• To create and manage your account
• To provide the core features of the Service, including AI content generation, scheduling, and multi-platform publishing
• To process payments and manage your subscription via Stripe
• To send transactional emails (account confirmations, password resets, post approval notifications) via Resend
• To analyse platform usage and improve the Service
• To detect and prevent fraud, abuse, or security incidents
• To comply with legal obligations
• To send you product updates and marketing communications (only where you have opted in, and with an easy opt-out at any time)

Our legal bases for processing your data (under GDPR) are:

• Contract: processing necessary to deliver the Service you've signed up for
• Legitimate interests: improving the platform, preventing fraud, ensuring security
• Consent: marketing communications and certain cookie usage
• Legal obligation: complying with applicable laws and regulations

Your data is stored on secure infrastructure hosted on Amazon Web Services (AWS), deployed via Docker containers. Our application database is powered by Supabase Postgres, managed through Prisma ORM.

Data is stored in encrypted form at rest and in transit using industry-standard TLS/SSL encryption. Access to production data is restricted to authorised personnel only, using role-based access controls.

Our static landing page is hosted on Cloudflare Pages. Cloudflare may collect standard web analytics data in accordance with their own privacy policy.

We retain your personal data for as long as your account is active, or as needed to provide the Service. If you close your account, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for legal or compliance reasons.

To deliver the Service, we share data with the following trusted third-party providers. Each provider is bound by their own privacy policy and applicable data protection agreements.

We do not sell your personal data to any third party. We only share data with providers as necessary to operate the Service.

When you connect Facebook or Instagram through our Meta integration, Postless acts in accordance with Meta's Platform Terms and Developer Policies. Specifically:

• We request only the permissions required to publish content on your behalf
• We do not access your private messages, contacts, or personal timeline without explicit permission
• Access tokens are stored encrypted and are used solely to publish approved content
• You can revoke Postless's access to your Facebook or Instagram account at any time through your Meta account settings (Settings > Security > Apps and Websites)
• Upon revocation, we will delete your stored access token within 48 hours

Postless complies with Meta's data deletion requirements. If you request deletion of your data (see Section 10), we will also remove your Meta-related tokens and any associated data from our systems.

For other social platforms (LinkedIn, X/Twitter, TikTok, Threads, Bluesky), the same principles apply: minimal permissions, encrypted token storage, and immediate deletion on request.

Postless is a global service and your data may be processed in countries outside your own, including the United States, where some of our third-party providers (such as AWS, OpenAI, Anthropic, and Stripe) operate.

Where we transfer data outside the EEA or UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to providers certified under applicable adequacy frameworks

You can request information about the specific safeguards we use for international transfers by contacting [email protected].

Postless uses cookies and similar technologies to make the Service work and to understand how it is being used. Here is a summary of what we use:

• Essential cookies: required for the Service to function (e.g. keeping you logged in). These cannot be turned off.
• Analytics cookies: help us understand how users interact with the platform so we can improve it. These are anonymised where possible.
• Marketing cookies: used only if you have opted in to receive marketing communications.

You can manage your cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

Our landing page on Cloudflare Pages may use Cloudflare's standard web analytics, which is privacy-first and does not use cookies or track individuals across sites.

Depending on where you are located, you have the following rights regarding your personal data:

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

We take the security of your data seriously. Our security measures include:

• Encryption of data at rest and in transit (TLS 1.2+)
• Encrypted storage of all OAuth tokens and sensitive credentials
• Role-based access controls and least-privilege principles for internal access
• Regular security reviews and dependency updates
• Hashed and salted password storage (we never store plain-text passwords)

While we take all reasonable steps to protect your data, no system is completely secure. If you discover a security vulnerability, please report it responsibly to [email protected].

In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

All payment processing is handled by Stripe, Inc. Postless does not store your full payment card number, CVV, or any raw card data on our servers. Stripe collects and processes this information directly in accordance with their Privacy Policy (https://stripe.com/privacy) and is certified to PCI DSS Level 1 standards.

We receive and store only non-sensitive billing information such as the last four digits of your card, card brand, expiry date, and billing address for account management purposes.

The Postless Service is not directed at children under the age of 13 (or 16 in some jurisdictions). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under the applicable minimum age, we will delete it immediately.

If you believe a child has provided us with their personal information, please contact us at [email protected].

We may update this Privacy Policy from time to time as our Service evolves or legal requirements change. When we make material changes, we will notify you by email or by displaying a prominent notice in the app at least 14 days before the changes take effect.

The "Last Updated" date at the top of this document will always reflect when the most recent changes were made. We encourage you to review this policy periodically.

If you have any questions, concerns, or requests related to this Privacy Policy, please contact us:

• Email: [email protected]
• Website: https://postless.app
• Support: [email protected]

If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (for example, the ICO in the UK or your national supervisory authority in the EU).