Privacy Policy
Effective: 2026-05-05 · Last updated: 2026-05-05
1. Introduction
This Privacy Policy describes how Foundry 88 Labs LLC, doing business as PostPilot (“PostPilot,” “Foundry 88 Labs,” “we,” “us,” or “our”), collects, uses, shares, and protects personal information when you use the PostPilot service (the “Service”).
This Policy is designed to comply with the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable privacy laws. Where those laws give you specific rights, those rights are summarized in Sections 9 and 10.
By using the Service, you acknowledge that you have read and understand this Policy.
2. Who We Are (Data Controller)
For the purposes of GDPR / UK GDPR and similar laws, the data controller for personal information processed through the Service is:
Foundry 88 Labs LLC
Clark County, Washington, United States
Email: privacy@mypostpilot.app
3. Information We Collect
We collect the following categories of personal information:
3.1 Information you provide directly
- Account information: name, email address, password (stored as a salted hash by our authentication provider), and optional profile fields you fill in (headline, industries, expertise areas, content pillars).
- Content: post drafts, ideas, captions, hashtags, scheduled publication times, images you upload, and any other content you create or import into the Service.
- Payment information: if you subscribe to a paid plan, billing details are collected and processed by our payment processor (Stripe). We do not store your full payment card number on our servers; we store only a Stripe customer and subscription identifier.
- Communications: messages you send to support, feedback you submit through the in-app help center, and replies in any conversation thread you open.
3.2 Information collected automatically
- Device and connection: IP address, browser type and version, operating system, device type, and approximate geolocation derived from IP address.
- Usage data: pages and features you interact with, timestamps, action counts (e.g. number of brainstorms, posts created), referrer URL, and error / diagnostic events.
- Cookies and similar technologies: see Section 7.
3.3 Information from third parties
- LinkedIn: when you connect your LinkedIn account, LinkedIn sends us an OAuth access token, an OAuth refresh token (when granted), your LinkedIn member identifier, and the profile information you authorize us to read (typically your name and email). Tokens are stored encrypted at rest. Token data is used solely to publish posts on your behalf and to verify the connection is healthy.
- Authentication providers: if you sign in via a third-party identity provider, we receive the identifiers and basic profile fields the provider returns.
4. How We Use Your Information
We use personal information to:
- Provide and operate the Service, including drafting, scheduling, and publishing posts on your behalf;
- Process AI-assisted content generation through third-party AI providers (see Section 6);
- Authenticate you and protect your account;
- Process payments and manage subscriptions;
- Communicate with you about the Service, including transactional, security, and policy-update messages;
- Provide customer support and respond to your requests;
- Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service;
- Measure, analyze, and improve the Service;
- Comply with legal obligations and enforce our agreements;
- Display advertising on Free and Personal plans (see Section 7).
5. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we process your personal information on one or more of the following legal bases:
- Contract (Art. 6(1)(b) GDPR): processing necessary to deliver the Service to you under our Terms of Service.
- Legitimate interests (Art. 6(1)(f) GDPR): improving and securing the Service, preventing fraud, understanding usage, and direct communications about features you already use. We have balanced these interests against your rights and freedoms.
- Consent (Art. 6(1)(a) GDPR): non-essential cookies, marketing emails (where required), and optional features. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c) GDPR): tax, accounting, and other obligations to which we are subject.
6. How We Share Your Information
We do not sell your personal information for monetary consideration. We share information only as described below.
6.1 Service providers (sub-processors)
We share information with vendors that help us operate the Service, under contractual obligations to use the information only for the purposes we direct. Categories include:
- Hosting and infrastructure: Vercel Inc. (application hosting), Supabase Inc. (database, authentication, file storage).
- AI providers: Anthropic PBC, OpenAI OpCo LLC, OpenRouter Inc., and other model providers we may engage. When you use AI features, the prompts you send and the content you choose to process (post drafts, ideas, etc.) are transmitted to the relevant provider for inference. If you configure a Bring-Your-Own-Key provider in your account settings, your prompts are sent to that provider under your agreement with them.
- Payments: Stripe, Inc. for payment processing and subscription management.
- Email: the email-delivery service we use to send transactional and notification emails.
- Analytics and error monitoring: services that help us measure usage and diagnose problems.
- Advertising (Free and Personal plans only): Google LLC (AdSense). Ad networks may set cookies and collect information about your interactions with ads to serve and measure them. See Section 7.
6.2 Publishing
When you instruct the Service to publish a post, we send the content to LinkedIn using the OAuth token you provided. The post becomes governed by LinkedIn's own terms and privacy policy once published.
6.3 Legal and safety
We may disclose information if we reasonably believe disclosure is necessary to (a) comply with a law, regulation, legal process, or governmental request; (b) enforce our Terms or investigate suspected violations; (c) detect or prevent fraud, security, or technical issues; or (d) protect the rights, property, or safety of PostPilot, our users, or the public.
6.4 Business transfers
If Foundry 88 Labs LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have.
6.5 With your consent
We may share information for any other purpose with your explicit consent.
7. Cookies and Tracking Technologies
We and our service providers use cookies, local storage, and similar technologies to operate and improve the Service. Categories include:
- Strictly necessary: session and authentication cookies, CSRF tokens, OAuth state cookies. These are required for the Service to function and cannot be disabled.
- Functional: theme preference, workspace selection, dismissed onboarding banners, and similar UX state.
- Analytics: aggregated usage measurement.
- Advertising (Free and Personal plans): Google AdSense and any partner cookies it sets to serve, measure, and limit the frequency of ads. You can opt out of personalized advertising at Google Ads Settings and via the industry tools at optout.aboutads.info.
Most browsers allow you to block or delete cookies through their settings. Blocking strictly necessary cookies will break parts of the Service.
8. International Data Transfers
We are based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate, which may have different data protection laws than your country.
For transfers of personal data from the EEA, the UK, or Switzerland to the United States, we rely on safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) entered into with our sub-processors. You can request a copy of the relevant safeguards by contacting privacy@mypostpilot.app.
9. Your Rights (GDPR / UK GDPR)
If you are in the EEA, the UK, or another jurisdiction with similar protections, you have the following rights subject to applicable conditions and exceptions:
- Right of access: obtain confirmation that we process your personal data and a copy of that data.
- Right to rectification: correct inaccurate data and complete incomplete data.
- Right to erasure (“right to be forgotten”): request deletion of your personal data in certain circumstances.
- Right to restriction of processing: ask us to limit how we use your data.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on our legitimate interests, including profiling.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time.
- Right to lodge a complaint: with your local supervisory authority.
To exercise any of these rights, email privacy@mypostpilot.app. We will respond within the timeframes required by applicable law (generally one month under GDPR).
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to know: request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: request deletion of personal information we collected from you, subject to legal exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell personal information for monetary consideration. We may “share” identifiers and internet activity with advertising partners on Free and Personal plans for cross-context behavioral advertising as defined under CPRA. You can opt out by visiting the “Do Not Sell or Share My Personal Information” link in the Service footer (when available) or by enabling the Global Privacy Control (GPC) signal in your browser.
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes outside what is reasonably necessary to provide the Service.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
Categories of personal information collected in the past 12 months (as defined by Cal. Civ. Code § 1798.140):
- Identifiers (name, email, account ID, IP address, LinkedIn member ID).
- Customer records (billing details processed by Stripe).
- Commercial information (subscription tier, transaction history).
- Internet or other electronic network activity (usage logs, referrer, device info).
- Geolocation data (approximate, derived from IP address).
- Inferences drawn from the above (e.g. content categories you engage with).
- Professional information (your LinkedIn headline / industries / expertise areas, if you provide them).
Sources: directly from you, automatically as you use the Service, and from third parties (LinkedIn, authentication providers, payment processor). Business purposes: as described in Section 4. Categories of third parties with whom we share: as described in Section 6.
To exercise your CCPA/CPRA rights, email privacy@mypostpilot.app. You may designate an authorized agent to make a request on your behalf, subject to verification of the agent's authority. We will verify your identity before responding.
11. Data Retention
We retain personal information for as long as necessary to provide the Service and for the additional periods required to satisfy legal, tax, accounting, and dispute-resolution obligations. Specifically:
- Account data: while your account is active. When you delete your account, your data enters a 30-day soft-delete grace period (during which you can restore the account), after which it is permanently deleted from our primary systems. Backups are purged on a rolling schedule.
- LinkedIn tokens: deleted when you disconnect LinkedIn or close your account, whichever is sooner.
- Payment records: retained for the period required by tax and accounting law (typically seven years in the United States).
- Logs and security data: typically 30-90 days, longer where retention is required to investigate a security incident.
12. Children's Privacy
The Service is not intended for users under the age of 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us at privacy@mypostpilot.app and we will delete it.
13. Security
We use administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, and destruction. These include encryption in transit (TLS), encryption at rest for sensitive fields (including LinkedIn tokens), role-based access control, regular dependency updates, and audit logging. No system is perfectly secure; if you become aware of a security issue, please report it to security@mypostpilot.app.
14. Third-Party Links
The Service may contain links to third-party websites and services (for example, LinkedIn, Stripe, our AI providers). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Please review the privacy policies of any third party before sharing information with them.
15. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If the changes are material, we will provide additional notice (for example, by email or in-app notification) before the changes take effect. Your continued use of the Service after the update constitutes acceptance of the updated Policy.
16. Contact
For questions about this Policy or to exercise any of the rights described above:
Foundry 88 Labs LLC
Attn: Privacy
Clark County, Washington, United States
Email: privacy@mypostpilot.app