Legal

Privacy Policy

Last updated: March 31, 2026

Introduction

Postack ("we", "us", "our") operates the website trypostack.com and the postack.io application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using Postack, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Information We Collect

Account & Early Access Information: When you sign up for Early Access or create an account, we collect your name, email address, and optional profile details such as your creator type, audience size, and preferred platforms.

Content You Create: Ideas, drafts, themes, brand voice settings, and scheduled posts you create within Postack. This content is yours — we store it to provide the Service.

Connected Platform Data: When you connect social media accounts, we store OAuth tokens (encrypted at rest) and basic account metadata needed to publish on your behalf. We never store your social media passwords.

Usage & Analytics Data: We collect anonymous usage data such as pages visited, features used, device type, browser type, and general location (country/city). We use this to improve the product. We do not use third-party tracking pixels or cross-site trackers.

Technical Data: IP addresses are collected temporarily for fraud prevention and security purposes, and are automatically purged after 90 days.

How We Use Your Information

  • To provide, maintain, and improve the Service
  • To generate AI-powered content drafts, suggestions, and scheduling recommendations
  • To publish content to your connected social media platforms on your behalf
  • To send transactional emails (account confirmations, Early Access updates, security alerts)
  • To analyze aggregated, anonymized usage patterns and improve product features
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

AI Processing & Data Training

Postack uses AI (powered by Anthropic's Claude API) to generate content drafts, analyze your brand voice, suggest scheduling times, and provide engagement insights.

Your content may be sent to our AI provider (Anthropic) for processing. This is necessary to generate drafts, adapt content per platform, and refine your brand voice. Under Anthropic's API terms, content submitted via the API is not used to train their models.

We may use aggregated, anonymized usage patterns (not your personal content or data) to improve our product's AI features — for example, to understand which scheduling patterns lead to better engagement across all users. We will never use your personal content, posts, ideas, or brand voice data to train third-party AI models.

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties. Period.

We do not share your data with advertisers. We do not monetize your content. We do not provide data brokers access to any user information.

Third-Party Services

We use a limited number of third-party services to operate Postack. Each receives only the minimum data necessary for its function:

Service | Purpose | Data Shared
Anthropic (Claude API) | AI content generation | Post content, themes, ideas (no PII unless user-included)
Supabase | Database & authentication | Account data, content (encrypted at rest)
Sentry | Error monitoring | Stack traces, error context (PII scrubbed)
PostHog | Product analytics | Anonymous event data (no email or name)
Resend | Transactional emails | Email address, first name
Vercel | Web hosting | Standard web request data

Cookies & Tracking

Landing page (trypostack.com): We use sessionStorage for UTM attribution parameters. No cookies are set. No third-party tracking pixels are loaded.

Application (postack.io): We use a secure, httpOnly authentication cookie (SameSite=Strict) for your session. Analytics cookies are only set after you provide consent. We will display a consent banner for users in jurisdictions that require it (EU/EEA).

Data Security

We take the security of your data seriously:

  • All data is stored in Supabase (Postgres) with Row-Level Security — users can only access their own data
  • OAuth tokens are encrypted at rest using Supabase Vault
  • All connections use TLS/HTTPS encryption in transit
  • IP addresses are automatically purged after 90 days
  • No PII is included in application logs or error reports
  • Internal access to production databases requires multi-factor authentication

While no method of electronic storage is 100% secure, we implement industry-standard safeguards to protect your data.

Your Rights

Depending on your location, you may have the following rights regarding your data:

  • Access: Request a copy of all personal data we hold about you (JSON export)
  • Deletion: Request permanent deletion of your account and all associated data. We will comply within 30 days.
  • Rectification: Update or correct inaccurate personal information through your account settings
  • Portability: Export your data in a machine-readable format (JSON)
  • Object: Opt out of marketing emails via the unsubscribe link in any email we send
  • Withdraw Consent: Revoke consent for data processing at any time by contacting us

To exercise any of these rights, email us at privacy@postack.io.

For EU/EEA Users (GDPR)

If you are located in the European Union or European Economic Area, we process your personal data under the following legal bases:

  • Contract: Processing necessary to provide the Service you signed up for
  • Consent: Where you have given explicit consent (e.g., marketing emails, analytics cookies)
  • Legitimate Interest: Product improvement and fraud prevention, balanced against your rights

You may lodge a complaint with your local data protection authority if you believe your rights have been violated.

For California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information — though we do not sell your data
  • Non-discrimination for exercising your privacy rights

Your Audience's Data

We understand creators are protective of their audience relationships. Here's how we handle it:

  • We never store your followers' data for profiling or resale
  • Engagement inbox messages (comments, replies) are processed in memory and stored only within a 90-day rolling window for inbox functionality
  • For "Comment the Word" campaigns, we act as a data processor — you control what triggers are set and what messages are sent
  • We never scrape, sell, or share your audience data with any third party

Data Retention

We retain your data only as long as necessary:

  • Account data: Until you delete your account
  • Content (ideas, posts, themes): Until you delete them or your account
  • OAuth tokens: Purged immediately when you disconnect a platform
  • IP addresses: Automatically purged after 90 days
  • Inbox messages: 90-day rolling window
  • Analytics data: Retained in anonymized, aggregated form

Children's Privacy

Postack is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our Service. Your continued use of Postack after changes take effect constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or your data, reach out to us:

privacy@postack.io