Privacy Policy

Last updated: March 26, 2026

Postino ("we", "us", "our") is operated by Artur Khomych, based in Poland, EU. This policy explains what data we collect, why we collect it, and what rights you have over it.

1. Data We Collect

Account information

• Email address (used for authentication and notifications)
• Name and profile details you provide during onboarding
• Business name, niche, and target audience (used to configure AI agents)

Social account tokens

• OAuth access and refresh tokens from LinkedIn, Instagram, and Threads
• Basic profile data from connected social accounts (name, profile URL)

Content data

• AI-generated posts and content variants
• Your edits, approvals, and feedback on generated content
• Brand voice profile (writing style, tone preferences, anti-slop word list)
• Content plans and scheduling data

Usage data

• Agent run logs (which AI model was used, token count, duration)
• Feature usage patterns for product improvement

2. How We Use Your Data

• AI content generation: Your brand voice profile, business context, and previous edits are sent to AI models to generate content that matches your style.
• Publishing on your behalf: When you approve a post, we use your OAuth tokens to publish it to the selected social platform.
• Trend analysis: We analyze public trend data in your niche to suggest content topics. We do not scrape your competitors' private data.
• Product improvement: Aggregated, anonymized usage data helps us improve AI quality and features.

3. OAuth Token Security

Social platform OAuth tokens are encrypted at rest using AES-256 encryption (via Supabase Vault). Tokens are only decrypted at the moment of publishing or refreshing access. We never store tokens in plaintext. We never share tokens with third parties. We request only the minimum scopes needed for publishing.

4. Third-Party Services

We use the following third-party services to operate Postino:

We do not sell your data to any third party. AI providers (Anthropic) do not use your data for model training when accessed via their API.

5. Data Retention

• Agent run logs are automatically deleted after 90 days.
• Draft posts that have been orphaned (not edited or published) are automatically deleted after 180 days.
• Published content is retained as long as your account is active.
• Account data is deleted within 30 days of account deletion request.

6. Your Rights (GDPR)

As an EU-based service, we comply with the General Data Protection Regulation. You have the right to:

• Access — Request a copy of all data we hold about you.
• Rectification — Correct any inaccurate data.
• Erasure — Request deletion of your account and all associated data.
• Data portability — Export your data in a machine-readable format (JSON).
• Restriction — Request that we stop processing your data while a complaint is resolved.
• Object — Object to data processing for specific purposes.

To exercise any of these rights, email us at the address below. We respond within 30 days.

7. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party cookie banners are needed because we do not set any non-essential cookies.

8. Data Processing Location

Postino is operated from Poland, EU. Our database is hosted on Supabase (AWS eu-central-1, Frankfurt). AI processing may occur on servers outside the EU (Anthropic, US-based), but no personal data beyond content prompts is shared with AI providers, and API-based processing is not used for model training.

9. Children

Postino is not intended for users under the age of 16. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to all registered users at least 14 days before taking effect.

11. Contact

For privacy-related questions or data requests:

• Email: privacy@postino.uk
• Data controller: Artur Khomych, Poland, EU