Legal
The boring but important bits.
Last updated: 1 April 2026 · Version 1.0
1. Introduction
PostVito Ltd ("PostVito", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.
PostVito Ltd is the data controller for personal data processed through the Service. We are registered in England and Wales.
If you have questions about this policy, contact us at privacy@postvito.com.
2. Information We Collect
2.1 Account information. When you register, we collect your name, email address, and password hash. If you sign in via Google OAuth, we receive your name, email, and profile photo from Google.
2.2 Workspace and content data. We store the social accounts you connect, niches you create, content you draft or schedule, ideas generated by the AI agent, media assets you upload, and posts you publish.
2.3 Analytics data. We collect and store analytics snapshots from connected social accounts, including follower counts, engagement metrics, and impression data, as provided by the platform APIs.
2.4 Billing information. Payment processing is handled by Stripe. We store only the last four digits of your card, card brand, billing address, and subscription status. We never store your full card number.
2.5 Usage data. We collect information about how you use the Service, including pages visited, features used, generation credit consumption, and API request logs. This data is used to improve the Service and diagnose issues.
2.6 Communications. If you contact us by email, we retain those communications to resolve your query and improve our support.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process your subscription and billing
- Send transactional emails (account confirmation, billing receipts, credit usage alerts)
- Send product updates and marketing communications (you can opt out at any time)
- Detect and prevent fraud, abuse, and security incidents
- Comply with our legal obligations
- Enforce our Terms of Service
Our lawful bases under UK GDPR / EU GDPR are: contract performance (to provide the Service you signed up for), legitimate interests (security, fraud prevention, service improvement), legal obligation (tax and financial record-keeping), and consent (marketing emails).
4. AI Content Generation
When you use AI generation features, your prompts and any reference images are sent to third-party AI model providers (including but not limited to OpenAI, Stability AI, and Kling AI) to generate content. These providers process your input under their own privacy policies. We recommend not including personal data in generation prompts.
Generated outputs are stored in your Workspace and are subject to this Privacy Policy.
5. Social Platform Data
When you connect social accounts, we access your profile, posts, analytics, and inbox via the platform's API (TikTok, Instagram, YouTube, X/Twitter, LinkedIn, Pinterest). We store only the data necessary to provide the Service. Your social platform credentials are never stored — we use OAuth tokens, which you can revoke at any time from the relevant platform's settings.
6. Sharing Your Information
We do not sell your personal data. We share information only in the following circumstances:
Service providers. We engage third-party vendors to help operate the Service, including Supabase (database hosting), Stripe (payments), Resend (transactional email), and Vercel (hosting). These providers process data on our behalf under data processing agreements.
AI model providers. As described in section 4.
Legal requirements. We may disclose information if required to do so by law, court order, or government authority.
Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
7. International Transfers
PostVito Ltd is based in the UK. Your data may be transferred to and processed in countries outside the UK and EEA, including the United States, where our service providers operate. Where we transfer data outside the UK/EEA, we rely on appropriate safeguards including Standard Contractual Clauses or adequacy decisions.
8. Data Retention
We retain your personal data for as long as your account is active. If you cancel or your account is terminated, we retain your data for 90 days to allow for reactivation, after which it is permanently deleted.
Billing records are retained for 7 years as required by UK financial law. Anonymised usage analytics may be retained indefinitely.
9. Your Rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate personal data
- Erasure ("right to be forgotten") — request deletion of your personal data
- Restriction of processing in certain circumstances
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent
To exercise these rights, email privacy@postvito.com. We will respond within 30 days. UK residents may lodge complaints with the Information Commissioner's Office (ico.org.uk). EU residents may lodge complaints with their national supervisory authority.
10. Cookies
We use essential cookies to maintain your session and preferences. For full details, see our Cookie Policy.
11. Security
We implement technical and organisational measures to protect your data, including encryption at rest and in transit, row-level security on all workspace data, and regular access reviews. Despite these measures, no transmission over the internet is completely secure.
12. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@postvito.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 30 days before they take effect.
14. Contact
PostVito Ltd
privacy@postvito.com
legal@postvito.com
Data Protection Officer
dpo@postvito.com
You may contact our DPO directly for any matter relating to the processing of your personal data or the exercise of your rights under UK GDPR / EU GDPR.