Privacy Policy

This Privacy Policy explains how Post OS Studio ("we", "us") collects, uses, and protects your personal data when you use our website and admin portal. It applies to everyone who creates an account or interacts with the service, including users in the European Union and the United Kingdom whose rights are protected by the General Data Protection Regulation (GDPR).

We've written this in plain language because legal opacity is bad practice and we have nothing to hide. If anything here is unclear, email our contact form and we'll answer.

1. Who we are

Post OS Studio is operated by an individual data controller. If you need a name and address for legal purposes (e.g. a GDPR Article 27 representative request), email us and we'll provide it.

2. What we collect

We only collect what we need to run the service. There is no advertising, no resale of data, and no third-party tracking pixels.

Account data

• Email address (used as your login)
• Password (stored hashed — we cannot read it)
• Your name and any profile details you choose to add

Brand and creative data

• Brand identity: brand name, logo file (if uploaded), three reference brands you cite
• Brand attributes derived from your inputs: palette, fonts, tone, brand DNA
• Generated images you produce in SHOT, drafts and finals
• Coaching conversations in BRAIN if you use that feature

Subscription data

• Billing email, plan, subscription status, renewal dates
• We do not store your full card number or full billing address — those live with our payment processor

Technical data

• Browser type, IP address (used for session and abuse-prevention only)
• Usage analytics: which features you use, error logs, page views

3. Why we collect it (lawful basis under GDPR Article 6)

• Performance of a contract: we need this data to provide the service you've signed up for (run your brand build, generate images, process your subscription).
• Legitimate interest: minimal analytics and error logs to improve the product and prevent abuse.
• Consent: any optional features that require additional data will ask you first.

4. Sub-processors

To run the service we use a small set of third-party providers, each bound by their own GDPR commitments and each processing only what they need:

• Hosting and infrastructure providers — run the database, authentication, web hosting, and image storage
• AI model and embedding providers — power the image generation and brand-matching features
• Payment processor (merchant of record) — handles billing, taxes, and refunds

A current named list of our sub-processors is available on request — submit a quick note via our contact form and we'll share it.

Where data is transferred outside the EEA/UK, the transfer is covered by Standard Contractual Clauses or equivalent safeguards required under GDPR.

5. How long we keep it

• Account data: as long as your account is active, plus 30 days after deletion for refund / dispute windows.
• Generated images and brand data: as long as your account is active, deleted within 30 days of account closure.
• Billing records: 7 years (required for tax and accounting).
• Error logs: 90 days.

6. Your rights (GDPR Articles 15–22)

You have the right to:

• Access the personal data we hold about you
• Correct data that's wrong or out of date
• Delete your account and the data associated with it ("right to be forgotten")
• Restrict or object to certain processing
• Receive a copy of your data in a portable format
• Lodge a complaint with your local supervisory authority (e.g. CNIL in France, ICO in the UK, the Hamburg DPA in Germany)

To exercise any of these rights, email our contact form. We'll respond within 30 days and there is no fee.

7. Security

Passwords are hashed. Data at rest is encrypted by our database provider. Connections are encrypted in transit (TLS). We use row-level security on every customer-data table so one customer cannot read another's data.

If we discover a personal data breach that risks your rights, we will notify the relevant supervisory authority within 72 hours and notify you directly if the risk is high (GDPR Articles 33 and 34).

8. Cookies

We use essential cookies for session management (you have to be logged in for the portal to work). We do not use advertising or tracking cookies.

9. Children

The service is not intended for users under 16. We do not knowingly collect data from anyone under that age. If you believe we have, email us and we'll delete it.

10. Changes to this policy

If we change anything material — new sub-processors, new data types, changed retention — we'll update this page, change the "Last updated" date, and email active users.