Privacy policies are usually written so you won't read them. This one is written so you will. Plain English first, legal terms where needed. Version 4.2, last updated January 12, 2026.
We collect the minimum we need to run Postkeet — your email, your social-account OAuth tokens, the content you create, and basic usage analytics. We don't sell your data. We don't use your content to train shared AI models. We keep it for as long as you use Postkeet, plus 30 days after deletion, and then it's cryptographically erased.
Plain terms: if you stop using Postkeet, we delete your stuff. If you want to see everything we have about you, one click exports it. If you want us to forget you completely, one click does that too — see data deletion.
"Postkeet," "we," "us" means Postkeet Studio, Inc., a Delaware corporation, with EU operations via Postkeet Studio Ltd. (Portugal). You can reach our privacy team at privacy@postkeet.studio. Our Data Protection Officer is Mara Keel, co-founder.
This policy applies to postkeet.studio, the Postkeet web app, the Postkeet iOS and Android apps, and our public API.
Four categories, nothing outside these:
| Category | Examples | Source |
|---|---|---|
| Account | Email, display name, avatar, password hash, timezone, workspace name | You |
| Connected accounts | OAuth tokens + public profile info (handle, follower count) for IG, LI, X, TT, FB, Pinterest | Platforms you connect, with your authorization |
| Content | Drafts, scheduled posts, images, captions, brand voice samples, chat history | You |
| Usage | Features used, button clicks, session duration, browser type, IP (truncated), crash logs | Automatic, via our own analytics (no Google / Meta trackers) |
We don't collect: precise location, biometrics, contacts, SSNs, payment card numbers (that's Stripe's job), advertising IDs, or anything about your activity on other sites.
Legal bases (GDPR Art. 6): contract for running the service, legitimate interest for security and improvement, consent for marketing emails, legal obligation where applicable.
A short list of subprocessors, each with a signed DPA. The full list with descriptions lives on our security page. Summary:
We do not sell your data. We do not share it for advertising. We don't make money that way.
Your content is not used to train shared AI models. Your drafts, voice samples, and chat history stay yours. Your brand-voice model is per-account and isolated. Model inference runs through zero-retention APIs. This is binding in our Data Processing Addendum.
We do use de-identified, aggregated usage patterns (e.g. "posts scheduled per day of week") to improve heuristics like best-time suggestions. Nothing in that signal identifies you or your content.
We use the minimum required: a session cookie to keep you logged in, a CSRF cookie for form security, and a preference cookie for theme (dark / light). That's it. No advertising cookies, no pixels, no third-party fingerprinting. Full list and controls on Cookies.
Depending on where you live, you may have rights to access, correct, export, delete, restrict, or object to our processing of your data. These apply globally to all Postkeet customers — not just EU / UK / California residents — because we think they should.
| Data | Retention |
|---|---|
| Active account data | For as long as you use Postkeet |
| Deleted items (drafts, scheduled posts) | 30 days in a recovery zone, then cryptographically erased |
| Account deletion | 30-day grace period, then full erasure within 7 days |
| Billing records | 7 years (tax requirement) |
| Security logs | 90 days |
| Backups | Rolling 35-day window; deletions propagate on next cycle |
Our primary region is us-east-1 (Virginia). Studio customers in the EU can request eu-central-1 (Frankfurt) residency — we'll keep your production data there. Transfers between regions use Standard Contractual Clauses and additional safeguards (encryption, pseudonymization) where legally required.
Postkeet is not directed at children under 16. If we learn we've collected data from someone under 16 without a parent / guardian, we delete it. If you think we have, email privacy@postkeet.studio.
If we make material changes (new categories of data, new processors handling your content, changes to your rights), we email every account owner at least 30 days before it takes effect, with a plain-English summary of what's different.
Non-material changes (typo fixes, clarifications) are logged at the bottom of this page with a date. Full change history available on request.
Privacy questions: privacy@postkeet.studio.
Data Protection Officer: Mara Keel, dpo@postkeet.studio.
UK representative: Prighter Ltd, postkeet@prighter.com.
Paper mail: see our office addresses.
v4.2 · effective jan 12, 2026 · previous: v4.1 (aug 2025), v4.0 (feb 2025), v3.0 (oct 2024). Change log on request.