Privacy Policy
Last updated: January 1, 2025
PostMind AI, Inc. ("PostMind", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website at postmind.ai and our social media management platform (collectively, the "Service").
By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account registration: Your name, email address, and password (stored as a secure hash — we never store your plaintext password).
- Profile information: Optional details you add to your profile, such as your profile photo, time zone, phone number, and language preference.
- Workspace information: Your organization or brand name, logo, website URL, and industry when you create a workspace.
- Content: Social media posts, captions, images, videos, and other content you create, upload, or schedule through our platform.
- Communications: Messages you send us via email or in-app support chat.
- Billing information: Payment method details are collected and processed directly by our payment processors (Stripe, Paystack, Flutterwave). We only store your subscription status, plan type, and billing history reference IDs — never your raw card number.
1.2 Information Collected Automatically
- Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps when you access the Service.
- Device information: Device type, screen resolution, and browser version.
- Usage data: Features you use, actions you take, frequency of use, and performance metrics to improve the Service.
- Cookies and similar technologies: See Section 5 (Cookies) for details.
1.3 Information from Third Parties
- Social media accounts you connect: When you connect a social media account (Twitter/X, Instagram, LinkedIn, Facebook, TikTok, YouTube, Snapchat), we receive an OAuth access token and the account metadata necessary to publish content and retrieve analytics on your behalf. We do not receive or store your social media passwords. OAuth tokens are stored encrypted in our database.
- Google OAuth login: If you sign in with Google, we receive your name, email address, and profile photo from Google.
- Analytics from connected platforms: Post reach, impressions, engagement metrics, and follower counts from your connected social accounts, as permitted by each platform's API terms.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage your account, process your posts and schedules, connect to social media platforms, and enable all platform features.
- AI features: Pass your content and prompts to our AI providers (OpenAI, Anthropic) to generate captions, hashtags, post ideas, and other AI-powered content. Your content may be sent to these providers but is not used by them to train their base models under our enterprise agreements.
- Analytics and insights: Process social media performance data to generate analytics reports and AI-driven insights for your account.
- Billing and payments: Process subscription payments, send invoices, and manage your subscription lifecycle.
- Communications: Send transactional emails (account verification, password reset, scheduled post notifications, billing receipts) and, with your consent, product updates and marketing communications. You can opt out of marketing emails at any time.
- Security and fraud prevention: Monitor for suspicious activity, enforce our Terms of Service, and protect our users and platform.
- Service improvement: Analyze aggregate usage patterns to improve features, fix bugs, and develop new functionality.
- Legal compliance: Comply with applicable laws, regulations, and legal processes.
Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA) and UK, our legal bases are:
- Contract performance: Processing necessary to provide the Service you signed up for.
- Legitimate interests: Security monitoring, fraud prevention, service improvement, and analytics.
- Consent: Marketing communications, non-essential cookies.
- Legal obligation: Retention of billing records and compliance with applicable laws.
3. How We Share Your Information
We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We share data only in the following circumstances:
3.1 Service Providers (Subprocessors)
We share data with trusted service providers who process data on our behalf under contractual obligations to protect it:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, storage | US, EU |
| Stripe | Payment processing | US |
| Paystack | Payment processing (Africa) | NG |
| OpenAI | AI content generation | US |
| Anthropic | AI content generation | US |
| Resend | Transactional email | US |
| Twilio | SMS (2FA) | US |
| Firebase (Google) | Push notifications | US |
| Sentry | Error monitoring | US/EU |
3.2 Social Media Platforms
When you connect social accounts and schedule posts, your content is transmitted to the respective social media platforms (Twitter/X, Instagram, LinkedIn, etc.) as directed by you. Those platforms' own privacy policies govern how they handle your content once published.
3.3 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of PostMind, our users, or the public.
3.4 Business Transfers
If PostMind is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.
3.5 With Your Consent
We may share information with third parties when you explicitly direct us to do so or provide your consent.
4. Data Retention
We retain your data for as long as necessary to provide the Service and comply with legal obligations:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account profile data | Until deletion + 30 days | Contract |
| Published post content | Until deletion | Contract |
| Media files | Until deletion | Contract |
| Billing records | 7 years | Legal obligation |
| Analytics data | 24 months | Legitimate interest |
| Security / audit logs | 90 days (identifiable), 7 years (anonymized) | Security / legal |
| Support messages | 3 years | Legitimate interest |
After the applicable retention period, data is securely deleted or anonymized so it can no longer be associated with you.
5. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly necessary cookies: Required for the Service to function. These include session management cookies and security tokens. Cannot be disabled.
- Functional cookies: Remember your preferences such as language, theme, and layout settings.
- Analytics cookies: Collect anonymized data about how you use the Service to help us improve it. Used only with your consent.
- Marketing cookies: Used to track the effectiveness of our marketing campaigns. Used only with your consent.
You can manage cookie preferences via the cookie consent banner on your first visit. You can also clear cookies through your browser settings, though this may affect Service functionality.
6. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to Access: Request a copy of all personal data we hold about you. Available via Settings → Account → Download Your Data, or by emailing privacy@postmind.ai.
- Right to Rectification: Correct inaccurate or incomplete personal data. You can update most information directly in your account settings.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. You can delete your account in Settings → Account → Delete Account. Some data may be retained for legal obligations (see Section 4).
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON). Available in Settings → Account → Download Your Data.
- Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests. You can opt out of marketing communications at any time via the unsubscribe link in any email or in notification preferences.
- Rights related to automated decision-making: We do not make solely automated decisions that significantly affect you.
To exercise any of these rights, contact us at privacy@postmind.ai. We will respond within 30 days (GDPR requires response within 30 days; CCPA within 45 days).
EEA/UK users: You have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your data in accordance with applicable law. In the EU, you can find your supervisory authority at edpb.europa.eu.
California residents (CCPA): You have the right to know what personal information we collect, to delete it, to opt out of its sale (we do not sell personal information), and to non-discrimination for exercising these rights.
7. Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256
- bcrypt hashing of passwords (never stored in plaintext)
- Two-factor authentication (2FA) available for all accounts
- Access controls and role-based permissions within workspaces
- Regular security audits and penetration testing
- All production secrets stored in AWS Secrets Manager
No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to security@postmind.ai.
8. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at privacy@postmind.ai and we will take steps to remove the information.
9. International Data Transfers
PostMind AI is based in the United States. If you access the Service from outside the US, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For users in the EEA or UK, we rely on the following transfer mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs) with our service providers
- The EU-US Data Privacy Framework (where applicable)
10. Third-Party Links
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you access through our platform.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email (to the address associated with your account)
- Display a prominent notice in the Service for 30 days
Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy. If you do not agree to the changes, please discontinue use of the Service and delete your account.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:
PostMind AI, Inc.
Attn: Privacy / Data Protection
Email: privacy@postmind.ai
General support: support@postmind.ai
Security disclosures: security@postmind.ai
We aim to respond to all privacy-related inquiries within 5 business days and to fulfill data subject requests within 30 days.