postkeet / gdpr
v1.2 · 2026
gdpr · effective jan 12, 2026

EU users, you're covered.

The General Data Protection Regulation is one of the strongest privacy laws in the world. Postkeet treats its requirements as a floor, not a ceiling — and we extend most of these rights to every customer, everywhere. Here's exactly how we comply, in plain English.

1. Our GDPR commitment.

Postkeet is GDPR-compliant by design. We collect the minimum data we need, tell you exactly what we do with it, and give you real tools to see, export, correct, or delete it. No dark patterns. No "legitimate interest" loopholes to hide behind. See our Privacy Policy for the full data-handling detail.

As an EU or EEA resident, you are protected by the GDPR whenever you use Postkeet — regardless of where our servers sit. We built the data-deletion flow, the export tool, and our consent model around GDPR from day one, then extended the same rights to customers everywhere because it's the right way to run a company.

2. Lawful basis for processing.

GDPR Article 6 requires a specific lawful basis for each category of processing. Ours:

Data categoryLawful basisWhy
Account dataContractual necessity (Art. 6(1)(b))We can't deliver Postkeet without your email, password hash, and workspace settings.
Connected-platform tokensContractual necessity (Art. 6(1)(b))Publishing a post requires the OAuth token you authorized.
Content you createContractual necessity (Art. 6(1)(b))We host drafts, scheduled posts, and media so you can use the product.
Marketing emailsConsent (Art. 6(1)(a))Opt-in only. One-click unsubscribe in every email.
Product analyticsLegitimate interest (Art. 6(1)(f))Aggregated, de-identified usage data to fix bugs and prioritize features. No third-party ad trackers.
Security logsLegitimate interest (Art. 6(1)(f))Detecting account takeover and abuse. 90-day retention.
Billing recordsLegal obligation (Art. 6(1)(c))Tax and accounting law requires 7-year retention.
AI training on user dataNot done.We do not train shared AI models on your content. No lawful basis required because no processing occurs.

3. Your GDPR rights.

As an EU/EEA data subject, you have the following rights. Postkeet honors them within 30 days of request, free of charge, at privacy@postkeet.studio.

  • Art. 15 — Right of access. See every piece of data we hold about you. Exercise via Settings → Account → Export, or email us. Output: CSV + JSON zip.
  • Art. 16 — Right to rectification. Correct inaccurate data. Most fields are editable in Settings; for anything else, email us.
  • Art. 17 — Right to erasure ("right to be forgotten"). One-click delete in Settings, or via the data-deletion page. 30-day recovery window, then cryptographic erasure.
  • Art. 18 — Right to restriction of processing. Pause processing while a dispute is resolved. Email us and we'll freeze the account without deleting data.
  • Art. 20 — Right to data portability. Receive your data in a machine-readable format (JSON) to move to another service. Same export flow as Art. 15.
  • Art. 21 — Right to object. Object to processing based on legitimate interest (analytics, security). Marketing consent can always be withdrawn.
  • Art. 22 — Rights related to automated decision-making. Postkeet does not make solely-automated decisions with legal or significant effects on you. Best-time suggestions and caption drafts are tools, not decisions — you always approve before anything is published.

How to exercise any right: email privacy@postkeet.studio from the address on your account, or use the in-app flows. No ID verification required beyond proving control of the account email. We reply within 30 days — usually within 3.

4. Data processor information.

Under GDPR, Postkeet Studio, Inc. is the data controller for customer data. The sub-processors below act as data processors on our instructions, each under a signed Data Processing Agreement with GDPR Article 28 terms:

ProcessorRoleLocation
AWSInfrastructure & primary storageUS (us-east-1), EU (eu-central-1)
SupabaseManaged Postgres & authenticationEU (Frankfurt) for EU workspaces
CloudflareEdge caching, DDoS protectionGlobal
StripePayment processingUS, EU
AnthropicAI inference (zero-retention API)US
PostmarkTransactional emailUS
SentryError monitoring (PII scrubbed)EU

The authoritative, versioned list lives on our security page. We notify customers by email at least 30 days before adding a new sub-processor that handles your content.

5. International transfers.

Some of our sub-processors are established in the United States. Any transfer of EU personal data outside the EEA is covered by one or more of the following safeguards required by GDPR Chapter V:

  • Standard Contractual Clauses (SCCs) — the EU Commission's 2021 modules are executed with every non-EEA processor that handles EU personal data.
  • Adequacy decisions — where applicable (e.g. UK, Switzerland), we rely on the relevant Commission adequacy decision.
  • EU-US Data Privacy Framework — where a processor is certified, we rely on the DPF as an additional layer.
  • Supplementary measures — end-to-end encryption in transit, encryption at rest, pseudonymization, and strict access controls.

Studio-plan customers can request EU data residency — your production data stays in eu-central-1 (Frankfurt). Email privacy@postkeet.studio to enable.

6. Data Protection Officer.

Postkeet has voluntarily appointed a Data Protection Officer, even though Article 37 does not strictly require one for a company of our size and processing profile. We think it's the right signal.

DPO: Mara Keel, co-founder. Contact: dpo@postkeet.com.

The DPO is independent, reports to the board, and is your direct line for any GDPR question, complaint, or request that isn't resolved via privacy@postkeet.studio.

7. Supervisory authority.

You have the right under GDPR Article 77 to lodge a complaint with your local data protection authority (DPA) if you believe we've mishandled your data. We'd appreciate an email to dpo@postkeet.com first so we can try to make it right — but you are not required to contact us before complaining.

Our lead supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) in Portugal, where our EU operations are established. You can also file with the authority in your country of residence — find yours via the EDPB members list.

8. Data Processing Agreement.

If you're a business customer and need a signed Data Processing Agreement for your own GDPR Article 28 compliance, we have a ready-to-sign DPA that incorporates the current EU Standard Contractual Clauses.

Request a DPA: email dpa@postkeet.com with your legal entity name and billing email. We counter-sign and return within 2 business days. No enterprise-only gatekeeping — every paid plan qualifies.

Custom redlines are supported on Studio plans. Everyone else gets our standard form, which is already permissive on the points that usually matter (sub-processor notice, audit rights, breach notification, deletion on termination).

9. Updates to this page.

If we change how we comply with GDPR in any material way — new lawful basis, new sub-processor handling EU personal data, changes to how you exercise your rights — we'll email every EU account owner at least 30 days before it takes effect.

Non-material changes (clarifications, typo fixes, new links) are logged at the bottom of this page with a date. See also our Privacy Policy, Terms of Service, and contact page.

v1.2 · effective jan 12, 2026 · previous: v1.1 (aug 2025), v1.0 (may 2025). Change log on request.