Privacy Policy

Last updated: April 2026

This policy explains what we collect, why, and what choices you have. This is a starter template — consult a lawyer before using in production.

What we collect

• Account info: your email, workspace name, plan.
• Content you post: the text, media, and schedules you create in the app.
• Connected social accounts: credentials for platforms you connect, stored encrypted at rest.
• Usage metrics: post counts, success rates, engagement pulled back from platform APIs.
• Server logs: IP address, request path, timestamp, user agent.

How we use it

• To publish your posts on your behalf.
• To compute analytics for your dashboard.
• To email you critical events (post failures, team invites, billing).
• To prevent abuse and debug production issues.

How we store it

Databases hosted on Supabase (US-East). Media on Cloudflare R2. Application servers on DigitalOcean. All traffic over TLS. Credentials encrypted with Fernet (AES-128) using a rotating master key.

Who we share it with

We don't sell your data. We share only with the sub-processors required to run the service: Supabase (DB), DigitalOcean (compute), Cloudflare (CDN + storage), Stripe (billing), OpenAI (AI drafting if enabled). Each handles data under their own published DPA.

Your rights

• Export. One-click ZIP download from the dashboard, including all posts, media, and settings.
• Delete. Email us and we'll purge your tenant within 7 days.
• Correct. Update anything from the dashboard.

Retention

Active data lives as long as your account does. Failed posts older than 90 days, webhook deliveries older than 30 days, and exports older than 14 days are purged automatically.

Contact

Privacy questions: jonathan@cgmimm.com.