Privacy Policy

1.1 Controller Identity. The Service is operated by the entity or individual controlling the domain where the Service is hosted (the "Service Operator" or "we"). The Service Operator is the data controller responsible for your personal information.

1.2 Privacy Contact. For all privacy-related inquiries, requests, or concerns, please contact us at:

1.3 Representative. If required by law, we will appoint a representative in your jurisdiction. Contact us for details.

3.1 Service Provision. We use your information to:

• Authenticate and authorize access to your account
• Process, route, and publish your content to connected platforms
• Schedule and queue publications according to your configured rules
• Generate AI-powered captions when enabled
• Monitor and display publication status, success rates, and errors
• Provide webhook endpoints for Telegram and payment processors
• Maintain session state and user preferences

3.2 Security and Abuse Prevention. We process technical data to:

• Prevent unauthorized access and account takeover
• Detect and block brute force attacks and credential stuffing
• Rate-limit login attempts and API requests
• Investigate security incidents and policy violations
• Protect our infrastructure and other users from abuse

3.3 Billing and Subscription Management. We use payment data to:

• Process payments and manage subscriptions
• Enforce account limits based on your plan
• Send billing notifications via Telegram (if enabled)
• Handle refunds and credits (when applicable)
• Track referral bonuses and promotional credits

3.4 Customer Support. We may use your information to:

• Respond to your inquiries and troubleshoot issues
• Investigate and resolve service problems
• Provide technical assistance and guidance

3.5 Service Improvement. We analyze aggregated, anonymized data to:

• Identify and fix bugs or performance issues
• Understand usage patterns and optimize features
• Plan infrastructure capacity and scaling

3.6 Legal Compliance. We may process information to:

• Comply with applicable laws, regulations, and legal processes
• Respond to lawful requests from authorities
• Enforce our Terms of Service
• Protect our rights, property, and safety, and that of our users

If you are located in the European Economic Area (EEA), UK, or Switzerland, we rely on the following legal bases:

• ➤ Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations to you.
• ➤ Legitimate Interests (Art. 6(1)(f) GDPR): Processing for security, fraud prevention, service improvement, and technical operations, where our legitimate interests are not overridden by your rights.
• ➤ Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with laws, regulations, court orders, or law enforcement requests.
• ➤ Consent (Art. 6(1)(a) GDPR): For optional features like AI caption generation, email notifications, or marketing communications (where applicable). You may withdraw consent at any time.

5.1 Connected Platforms. By design, the Service shares your content with platforms you explicitly connect (Pinterest, Mastodon, Tumblr, VK). These platforms process your data under their own privacy policies. We do not control how these platforms use, store, or share your content after publication.

5.2 AI Providers. If you enable AI caption generation, your content may be sent to third-party AI providers:

• DeepSeek: Content processing for caption generation
• OpenAI: GPT models for caption generation
• Anthropic: Claude models for caption generation
• OpenRouter: Multi-model aggregation and routing

These providers have their own privacy policies and data retention practices. We recommend reviewing them before enabling AI features.

5.3 Payment Processors. Payment data is shared with:

• Stripe: Credit/debit card payments and subscriptions
• NOWPayments: Cryptocurrency payments

These processors handle sensitive payment data directly and are PCI-DSS compliant. We receive only limited transaction identifiers and status updates.

5.4 Infrastructure Providers. We use third-party services for:

• Hosting: Server infrastructure and storage
• CDN: Static asset delivery (CSS, JavaScript libraries)
• Email: Transactional emails (OTP codes) if email login is enabled

5.5 Legal Requirements. We may disclose information when required by:

• Valid legal process (subpoena, court order, search warrant)
• Government or law enforcement requests
• Investigations of fraud, abuse, or illegal activity
• Protection of our rights, property, or safety, or that of others

5.6 Business Transfers. If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice in the Service before your information becomes subject to a different privacy policy.

5.7 Aggregate Data. We may share anonymized, aggregated statistical data that cannot identify you (e.g., "X% of users enable AI captions") for research, marketing, or partnership purposes.

5.8 No Sale of Personal Data. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6.1 Retention Periods. We retain information for as long as necessary to provide the Service and comply with legal obligations. Default retention periods (configurable by administrators):

• Account data: Until account deletion or inactivity threshold
• Content and queue items: ~60 days after completion (configurable)
• Media files: ~30 days after publication (configurable)
• Application logs: ~14 days (automatically rotated)
• Security logs (database): ~90 days (configurable)
• Payment records: As required by tax laws and financial regulations (typically 7 years)
• Session data: Until expiration or logout

6.2 Account Deletion. When you delete your account or we terminate it:

• Account data, configurations, and content are immediately marked for deletion
• Most data is deleted within 30 days
• Some data may be retained longer if required by law, for security, or to resolve disputes
• Anonymized statistical data may be retained indefinitely

6.3 Backup Copies. Backups may retain your information for up to 90 days after deletion from active systems. These backups are used only for disaster recovery and are not accessible for operational purposes.

6.4 Legal Holds. We may retain information longer if required for litigation, investigations, regulatory inquiries, or compliance audits.

7.1 Security Measures. We implement reasonable technical and organizational measures to protect your information:

• Encryption: Sensitive API keys and tokens are encrypted at rest using AES-256-GCM
• Password hashing: Passwords are hashed using strong, salted hashing algorithms
• HTTPS/TLS: Data in transit is encrypted using industry-standard TLS
• Access controls: Restricted access to production systems and databases
• Session security: HTTP-only, secure cookies with CSRF protection
• Rate limiting: Protection against brute force and credential stuffing attacks
• Login attempt tracking: Monitoring and blocking of suspicious authentication activity
• Regular updates: Security patches and dependency updates

7.2 Security Limitations. No method of transmission or storage is 100% secure. While we use reasonable security measures, we cannot guarantee absolute security. You use the Service at your own risk.

7.3 Your Responsibility. You are responsible for:

• Keeping your account credentials confidential and secure
• Not sharing your password or API keys with others
• Using a strong, unique password
• Logging out from shared or public devices
• Notifying us immediately of any security breach

7.4 Breach Notification. If we discover a security breach that compromises your personal information, we will notify you and relevant authorities as required by applicable law. Notification may be delayed if requested by law enforcement or to prevent further harm.

8.1 Essential Cookies. We use cookies and local storage for:

• Session management: Maintaining your logged-in state
• CSRF protection: Preventing cross-site request forgery attacks
• Preferences: Remembering your UI settings (if applicable)

These cookies are strictly necessary for the Service to function and cannot be disabled without breaking core functionality.

8.2 Third-Party Scripts. We load external JavaScript libraries from CDNs:

• Tailwind CSS: For styling (from cdn.tailwindcss.com)
• Chart.js: For statistics visualization (self-hosted with CDN fallback)
• Fancybox: For media lightbox functionality
• Telegram Login Widget: If Telegram login is enabled (from telegram.org)

These scripts may set their own cookies and collect usage data. We do not control these third-party practices.

8.3 No Advertising Trackers. We do not use advertising cookies, tracking pixels, or third-party analytics (e.g., Google Analytics, Facebook Pixel) on the Service.

8.4 Browser Settings. You can configure your browser to reject cookies, but this will prevent you from using the Service (as session cookies are essential for authentication).

9.1 Cross-Border Processing. Your information may be transferred to, stored in, and processed in countries other than your country of residence. This may include countries outside the European Economic Area (EEA) or those without adequate data protection laws.

9.2 Third-Party Locations. Connected platforms and service providers may be located globally:

• AI providers: May process in the United States, Europe, or other jurisdictions
• Payment processors: May process in multiple jurisdictions depending on your payment method
• Social platforms: Data is transferred to the jurisdiction of each platform's servers

9.3 Data Transfer Mechanisms. Where required, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission (for transfers to countries with adequate protection)
• Your explicit consent (for transfers necessary to provide the Service)

9.4 Acknowledgment of Risk. By using the Service and connecting third-party platforms, you acknowledge and accept that your information will be transferred internationally and may be subject to different data protection laws. We cannot control how third-party platforms process or protect your data in other jurisdictions.

10.1 Rights Overview. Depending on your location, you may have the following rights:

• ➤ Right of Access: Request a copy of the personal information we hold about you
• ➤ Right to Rectification: Request correction of inaccurate or incomplete information
• ➤ Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information, subject to legal exceptions
• ➤ Right to Restriction: Request that we limit how we use your information in certain circumstances
• ➤ Right to Data Portability: Request a machine-readable copy of your information to transfer to another service
• ➤ Right to Object: Object to processing based on legitimate interests or for direct marketing
• ➤ Right to Withdraw Consent: Withdraw consent for processing where we rely on consent (does not affect prior processing)
• ➤ Right to Lodge a Complaint: File a complaint with your local data protection authority (if applicable)

10.2 Exercising Your Rights. To exercise any of these rights:

1. Send an email to support@posty.my with "PRIVACY REQUEST" in the subject line
2. Include your account email/username and clearly specify which right(s) you wish to exercise
3. Provide enough information for us to verify your identity (we may request additional verification)

10.3 Response Time. We will respond to verified requests:

• GDPR/UK GDPR: Within 30 days (extendable to 60 days for complex requests)
• CCPA/CPRA: Within 45 days (extendable to 90 days for complex requests)
• Other jurisdictions: As required by local law, or within a reasonable timeframe

10.4 Verification. To protect your privacy, we may require additional information to verify your identity before processing requests. If we cannot verify your identity, we may deny the request.

10.5 Limitations. We may decline requests that:

• Are manifestly unfounded, excessive, or repetitive
• Would violate the rights of others or applicable laws
• Conflict with legal retention obligations (e.g., tax records)
• Would compromise security or prevent fraud detection

10.6 No Fee. We do not charge a fee for processing valid privacy requests, except in cases of manifestly unfounded or excessive requests (where permitted by law).

10.7 California Residents. If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). See our CCPA-specific disclosures below (if applicable).

11.1 Age Restriction. The Service is not intended for children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

11.2 Parental Notice. If you believe we have inadvertently collected information from a child, please contact us immediately at support@posty.my. We will promptly investigate and delete such information.

11.3 COPPA Compliance. We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws. If you are under 13, do not use the Service or provide any information.

12.1 Right to Modify. We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. We will notify you of material changes by:

• Updating the "Last updated" date at the top of this page
• Posting a notice in the Service (if significant changes)
• Sending an email to your registered address (for substantial changes)

12.2 Continued Use. Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Service and may request account deletion.

12.3 Review Responsibility. We encourage you to review this Privacy Policy periodically. The current version supersedes all prior versions.

For privacy-related questions, data requests, or concerns, please contact us:

Response Time: We aim to respond to all privacy inquiries within 3-5 business days, and to formal data protection requests within the timeframes required by applicable law.