Privacy Policy
Effective date: March 29, 2026
Last updated: March 29, 2026
1. Introduction
Poster Inc. ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our social media content management platform ("the Service"). This policy is compliant with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Data We Collect
2.1 Account Information
- Email address (required for authentication)
- Full name (provided during registration)
- Profile avatar (optional)
- Password hash (we never store plaintext passwords)
2.2 Workspace Content
- Post content (titles, captions, hashtags, tags)
- Media files (images, videos, GIFs uploaded to the platform)
- Workspace settings (name, timezone, industry)
- Team member information (email, role assignments)
- Comments and reactions
2.3 Usage Data
- Feature usage patterns (via PostHog analytics)
- Error reports (via Sentry)
- API access logs (endpoint, method, response code)
- Browser type and operating system
3. How We Use Your Data
- To provide and operate the Service
- To authenticate your identity and manage your account
- To enable team collaboration within workspaces
- To send transactional emails (verification, password reset, notifications)
- To monitor and improve Service performance and reliability
- To detect and prevent fraud or abuse
- To comply with legal obligations
4. Legal Basis for Processing (GDPR)
- Contract performance: Processing necessary to provide the Service you've signed up for
- Legitimate interest: Analytics, security monitoring, and Service improvement
- Consent: Marketing communications (opt-in only)
- Legal obligation: Data required by law (tax records, fraud prevention)
5. Subprocessors
We use the following third-party services to operate Poster:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database, authentication, file storage | US (AWS) |
| Vercel | Application hosting, CDN, serverless functions | Global (Edge) |
| Sentry | Error tracking and performance monitoring | US |
| PostHog | Product analytics | US/EU (configurable) |
6. Your Rights
Under GDPR and CCPA, you have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Data portability: Export your data in a machine-readable format (JSON/CSV)
- Restriction: Request restriction of processing your data
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent for marketing communications at any time
To exercise any of these rights, email us at privacy@poster.counsel-ops.com. We will respond within 30 days.
7. Data Retention
- Active accounts: Data is retained as long as your account is active
- Account deletion: Personal data is deleted within 90 days of account deletion
- Workspace content: Removed within 90 days of workspace deletion or account deletion
- Backups: Automated backups are retained for 30 days, then permanently deleted
- Audit logs: Retained for 1 year for security and compliance purposes
8. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- API key hashing with bcrypt
- Row Level Security (RLS) on all database tables
- Regular security audits and vulnerability scanning
- Rate limiting on all API endpoints
- Input sanitization to prevent XSS and injection attacks
9. Cookies
We use essential cookies for authentication and session management. These are strictly necessary for the Service to function and do not require consent. We use PostHog for analytics, which may set cookies to track usage patterns. You can opt out of analytics tracking in your account settings.
10. International Data Transfers
Your data may be processed in the United States and other countries where our subprocessors operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for transfers outside the European Economic Area.
11. Children's Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service. The "Last updated" date at the top reflects the most recent revision.
13. Data Protection Officer
For privacy-related inquiries, contact our Data Protection Officer at dpo@poster.counsel-ops.com.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.
14. Contact
Poster Inc.
San Francisco, CA, USA
Email: privacy@poster.counsel-ops.com