Privacy Policy

Last updated: February 16, 2026

Summary

This Privacy Policy explains how Postory collects, uses, and protects your personal information. We are committed to GDPR compliance and respect your privacy rights. Key points:

  • We collect only data necessary to provide our AI content creation service
  • We do NOT sell your personal information
  • Your content is sent to AI providers only to generate responses
  • You can delete your account and data at any time
  • EU users have full GDPR rights; US users have state-specific rights

1. Data Controller

The data controller responsible for your personal data is:

VADYM PETRYSHYN
ul. Zakrzowiecka 43E/L19, 30-376 Kraków, Poland
NIP: 6793258445
Email: [email protected]

As a small business, we are not required to appoint a Data Protection Officer (DPO) under GDPR. However, for any privacy-related inquiries, you can contact us at the email address above.

2. Information We Collect

We collect the following categories of personal information:

Account Information:

  • Name and email address when you create an account
  • Password (stored in encrypted form)
  • Account preferences and settings

Social Media Account Information:

  • OAuth tokens and account identifiers when you connect social media accounts (Threads, Twitter/X, LinkedIn, Facebook)
  • We do not store your social media passwords

User-Generated Content:

  • Posts, drafts, and prompts you create
  • Content generation history and AI conversation logs
  • YouTube URLs and video transcriptions you request

Technical Data (collected automatically):

  • IP address and approximate location
  • Device type, browser, and operating system
  • Referral source and pages visited

Usage Data:

  • Features used and interactions with the Service
  • AI models selected and generation settings
  • Time spent on the platform and session information

Communications:

  • Support requests and correspondence
  • Feedback and survey responses

3. Legal Basis for Processing (GDPR Article 6)

Under GDPR, we process your personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b)):

  • Creating and managing your account
  • Providing AI content generation services
  • Processing social media integrations
  • Managing your drafts and content

Legitimate Interests (Article 6(1)(f)):

  • Improving and optimizing the Service
  • Preventing fraud and ensuring security
  • Analyzing usage patterns (in aggregated form)
  • Communicating about service updates

Our legitimate interests are balanced against your rights and freedoms. You can object to processing based on legitimate interests at any time.

Consent (Article 6(1)(a)):

  • Sending marketing communications (optional)
  • Non-essential cookies and analytics

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Legal Obligation (Article 6(1)(c)):

  • Complying with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

4. How We Use Your Information

We use your information for the following purposes:

Service Delivery:

  • To create and maintain your account
  • To provide AI-powered content generation
  • To manage drafts and publishing workflows
  • To facilitate social media integrations and posting

Service Improvement:

  • To analyze usage patterns and improve features
  • To fix bugs and optimize performance
  • To develop new features based on user needs
  • We may use de-identified or aggregated data for these purposes

Communication:

  • To send important service updates and security alerts
  • To respond to support requests
  • To send marketing communications (with your consent)

Security and Compliance:

  • To protect against fraud, abuse, and unauthorized access
  • To enforce our Terms of Service
  • To comply with legal obligations

5. Third-Party AI and Service Providers

To provide our services, we transmit data to the following third-party providers:

AI Model Providers (for content generation):

  • Google (Gemini) — Privacy: https://policies.google.com/privacy
  • OpenAI (GPT) — Privacy: https://openai.com/policies/privacy-policy
  • Anthropic (Claude) — Privacy: https://www.anthropic.com/privacy
  • xAI (Grok) — Privacy: https://x.ai/legal/privacy-policy
  • OpenRouter — Privacy: https://openrouter.ai/privacy

Based on current provider policies, API data sent to these providers is not used to train their public models by default.

Content & Media Services:

  • YouTube (Google) — Publicly available video transcript extraction. No personal data is sent to YouTube beyond the video URL you provide.

Authentication Services:

  • Google OAuth — For "Sign in with Google" functionality. We receive only your email and basic profile info. Privacy: https://policies.google.com/privacy

Communication Services:

  • SendGrid (Twilio) — Transactional emails (verification, password reset). Privacy: https://www.twilio.com/en-us/legal/privacy

Infrastructure:

  • Cloud hosting providers for servers and database storage

All our processors are bound by data processing agreements that ensure appropriate protection of your data. For providers outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.

We do not sell your personal information to any third party.

6. International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA), including the United States, where our AI providers operate. For transfers outside the EEA, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our processors
  • Adequacy Decisions: Where available, we rely on EU adequacy decisions
  • Supplementary Measures: We implement additional technical and organizational measures where required

You can request a copy of the safeguards we use by contacting us at [email protected].

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Account Data:

  • Retained for the duration of your account
  • Deleted within 30 days of account deletion request

Content and Drafts:

  • Retained while your account is active
  • Deleted upon account deletion

Technical Logs:

  • Retained for up to 90 days for security and debugging
  • Automatically purged on a rolling basis

Backup Data:

  • Retained for up to 90 days
  • Automatically purged after this period

Legal Requirements:

  • We may retain certain data longer if required by law (e.g., tax records, legal disputes)

Anonymized Data:

  • Aggregated, de-identified data may be retained indefinitely for analytics

8. AI-Generated Content Disclaimer

Our Service uses artificial intelligence to assist with content creation. Please be aware that:

  • AI-generated content may contain inaccuracies, errors, or inappropriate material
  • We do not guarantee the accuracy, completeness, originality, or suitability of AI-generated content
  • You are solely responsible for reviewing and approving all content before publishing
  • We are not responsible for consequences arising from use of AI-generated content
  • AI-generated content does not represent the views or endorsements of Postory

The AI processes your inputs to generate outputs but does not make autonomous decisions that significantly affect you. This processing does not constitute automated decision-making with legal effects under GDPR Article 22.

9. Your Privacy Rights

Under GDPR and other applicable laws, you have the following rights:

  • Right of Access (Article 15): You can request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): You can request correction of inaccurate or incomplete data.
  • Right to Erasure (Article 17): You can request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Article 18): You can request that we limit how we use your data.
  • Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format.
  • Right to Object (Article 21): You can object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (see Section 16).

To exercise these rights, contact us at [email protected]. We will verify your identity and respond within 30 days (or as required by law). These rights are provided free of charge, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

10. How to Delete Your Account and Data

You can delete your account and all associated data at any time:

  1. Log in to your account
  2. Navigate to Settings → Account
  3. Click "Delete Account"
  4. Confirm your decision

Upon confirmation, we will permanently delete:

  • Your account details and profile
  • All drafts and content generation history
  • Social media connection data and OAuth tokens
  • Your preferences and settings

Alternatively, you can request deletion by emailing [email protected] with the subject "Account Deletion Request." For detailed instructions, see our Data Deletion Instructions.

Important: Content already published to social media platforms or previously sent to AI providers cannot be retrieved or removed by us from those external services.

11. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for sensitive data
  • Secure password hashing (bcrypt)
  • Regular security updates and patching

Organizational Measures:

  • Access limited to authorized personnel only
  • Regular security assessments
  • Incident response procedures
  • Employee security awareness

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at [email protected].

12. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

Essential Cookies (Always Active):

  • Authentication and session management
  • Security features (CSRF protection)
  • User preferences (theme, language)

Analytics Cookies (With Consent):

  • Understanding how users interact with our Service
  • Identifying areas for improvement

You can manage cookie preferences through your browser settings. We honor Global Privacy Control (GPC) signals - if your browser sends a GPC signal, we treat it as an opt-out from non-essential cookies.

For more details, see our Cookie Policy.

13. Google User Data Disclosure

Postory's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Google data we access:

  • Basic profile information (name, email address, profile picture) when you sign in with Google

How we use Google user data:

  • To authenticate your identity and create/manage your Postory account
  • To display your name and profile picture within the app
  • To send you transactional emails related to your account

What we do NOT do with Google user data:

  • We do not sell Google user data to third parties
  • We do not use Google user data for advertising purposes
  • We do not transfer Google user data to third parties except as necessary to provide the Service (e.g., email delivery via SendGrid)
  • We do not use Google user data to train AI models

Disconnecting Google:

You can disconnect your Google account at any time via your Accounts page. This will revoke our access to your Google data.

Data retention and deletion:

Google user data is retained only for the duration of your account. You can delete your account and all associated data at any time via Settings or by following our Data Deletion Instructions.

14. Social Media Integrations

When you connect social media accounts to Postory:

What We Access:

  • Only the permissions necessary to provide the Service
  • Typically: ability to post content on your behalf
  • Account identifiers to maintain the connection

What We Store:

  • OAuth tokens (securely encrypted)
  • Account identifiers
  • We do NOT store your social media passwords

What We Don't Do:

  • We don't access your private messages
  • We don't access your followers/following lists beyond what's needed
  • We don't sell your social media data

Disconnecting:

You can disconnect social media accounts (including Threads, X/Twitter, and Google) at any time through your Accounts page at postory.io/accounts. This will revoke our access tokens, though content already published will remain on those platforms.

14a. Meta/Threads Platform Data

Postory integrates with the Meta Threads API to allow you to publish content to Threads.

What Threads data we access:

  • Your Threads user profile information (user ID, username)
  • Ability to create and publish posts on your behalf

How we use Threads data:

  • To authenticate your Threads account connection
  • To publish content you create and approve in Postory to your Threads profile
  • To display your Threads account information within the Postory app

What we do NOT do with Threads data:

  • We do not sell Threads user data to third parties
  • We do not use Threads data for advertising purposes
  • We do not use Threads data to train AI models
  • We do not access your Threads direct messages or private content
  • We do not store your Threads password

Data retention and deletion:

Threads connection data (user ID, access tokens) is retained only while your account is active and the integration is connected. You can disconnect Threads at any time via your Connectors page, or delete your entire account via Settings. See our Data Deletion Instructions for more details.

Postory's use of the Threads API is subject to Meta's Platform Terms and Developer Policies.

14b. X/Twitter Platform Data

Postory integrates with the X (formerly Twitter) API to allow you to publish content to X.

What X data we access:

  • Your X user profile information (user ID, username, display name)
  • Ability to create and publish posts on your behalf

How we use X data:

  • To authenticate your X account connection
  • To publish content you create and approve in Postory to your X profile
  • To display your X account information within the Postory app

What we do NOT do with X data:

  • We do not sell X user data to third parties
  • We do not use X data for advertising purposes
  • We do not use X data to train AI models
  • We do not access your X direct messages or private content
  • We do not store your X password
  • We do not perform off-platform matching of X user data

Data retention and deletion:

X connection data (user ID, access tokens) is retained only while your account is active and the integration is connected. You can disconnect X at any time via your Connectors page, or delete your entire account via Settings. See our Data Deletion Instructions for more details.

Postory's use of the X API is subject to the X Developer Agreement and Policy.

15. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected]. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that information.

16. US State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Delaware, Utah, Virginia, or other states with comprehensive privacy laws, you may have additional rights:

Your Rights May Include:

  • Right to know what personal information we collect
  • Right to access and obtain a copy of your data
  • Right to delete your personal information
  • Right to correct inaccurate data
  • Right to opt-out of sale/sharing of personal information
  • Right to opt-out of targeted advertising
  • Right to non-discrimination for exercising your rights

Our Practices:

  • We do NOT sell your personal information
  • We do NOT share personal information for cross-context behavioral advertising
  • We do NOT use sensitive personal information for purposes other than providing the Service

To Exercise Your Rights:

Contact us at [email protected] or use the account deletion feature. We will verify your identity before processing your request.

Authorized Agents:

You may designate an authorized agent to make requests on your behalf with proper verification.

17. Supervisory Authority and Complaints

If you are in the European Economic Area and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection authority.

For Poland, the supervisory authority is:

Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa, Poland
Website: https://uodo.gov.pl
Email: [email protected]

For other EEA countries, you can find your local authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

We encourage you to contact us first so we can try to resolve your concerns directly.

18. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

How We Notify You:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Email notification for material changes
  • In-app notification for significant updates

Material Changes:

For significant changes that affect how we process your data, we will provide at least 30 days' notice before the changes take effect.

Your continued use of the Service after updates take effect constitutes acceptance of the revised policy.

19. Contact Us

For any privacy-related questions, concerns, or to exercise your rights, please contact us:

VADYM PETRYSHYN
ul. Zakrzowiecka 43E/L19, 30-376 Kraków, Poland
NIP: 6793258445
Email: [email protected]

We aim to respond to all legitimate inquiries within 30 days. If your request is particularly complex or you have made multiple requests, we may need up to 60 days but will notify you of any extension.

Related Documents: Terms of Service, Cookie Policy, Data Deletion

For privacy-related questions or concerns, please contact us at [email protected]