Privacy Policy
Last Updated: April 2026
1. Introduction
PostPilot (“we,” “our,” or “us”) is committed to protecting the privacy and personal data of our users (“you” or “Data Principal”). This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
By using PostPilot, you consent to the practices described in this Privacy Policy.
2. Data Fiduciary Information
PostPilot operates as a Data Fiduciary under the DPDP Act, 2023.
- Registered Name: PostPilot Technologies Private Limited
- Registered Address: India
- Grievance Officer: grievance@postpilot.in
- Contact Email: privacy@postpilot.in
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Data Provided by You
- Account Information: Name, email address, profile picture (via authentication provider)
- Payment Information: Processed securely through Stripe. We do not store credit/debit card numbers.
- Content Data: Posts, text content, images, and screenshots you upload for content generation
- Style Training Data: Past posts you provide for Writing DNA™ profile creation
3.2 Data Collected Automatically
- Usage Data: Features used, session duration, content generated, feature interactions
- Device Data: Browser type, operating system, device type, screen resolution
- Log Data: IP address (anonymized), access times, referring URLs
- Cookies: Essential cookies for authentication and session management
4. Purpose of Data Processing
We process your personal data for the following lawful purposes:
- Service Delivery: To generate social media content personalized to your writing style
- Style Training: To create and improve your personal Writing DNA™ profile using uploaded past posts
- Account Management: Authentication, subscription management, and payment processing
- Product Improvement: Analytics to improve features, performance, and user experience
- Communication: Service updates, support responses, and product announcements (with opt-out)
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
5. Legal Basis for Processing (DPDP Act)
Under the DPDP Act, 2023, we process personal data based on:
- Consent: Your explicit consent provided during registration and use of services
- Legitimate Uses: As specified under Section 7 of the DPDP Act for performing contractual obligations
- Legal Obligation: To comply with Indian law and regulatory requirements
6. Data Storage and Security
6.1 Storage
- User data is stored on Supabase cloud infrastructure with data centres providing enterprise-grade security
- Writing DNA™ profiles are stored as vector embeddings in PostgreSQL with pgvector
- Images are processed through Cloudinary with automatic encryption and CDN delivery
- Payment data is processed through Stripe, which is PCI DSS Level 1 compliant
6.2 Security Measures
- SSL/TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Row-level security (RLS) in the database
- Regular security audits and penetration testing
- Access controls following the principle of least privilege
- Two-factor authentication for administrative access
These measures comply with the reasonable security practices required under Section 8A of the IT Act, 2000 and Rule 8 of the SPDI Rules, 2011.
7. Data Sharing and Third Parties
We do not sell your personal data. We share data only with:
- Anthropic (Claude API): For AI content generation. Anthropic processes the content and does not store it for training.
- Supabase: Database and authentication infrastructure
- Stripe: Payment processing
- Cloudinary: Image processing and delivery
- Vercel: Application hosting and delivery
- PostHog: Privacy-focused analytics (no PII tracked)
All third-party processors are bound by data processing agreements and are contractually required to protect your data.
8. Your Rights (Under DPDP Act, 2023)
As a Data Principal, you have the following rights:
- Right to Access: Request a summary of your personal data being processed and the processing activities (Section 11)
- Right to Correction: Request correction or completion of inaccurate or incomplete personal data (Section 12)
- Right to Erasure: Request deletion of your personal data when it is no longer necessary for the purpose collected (Section 12)
- Right to Withdraw Consent: Withdraw previously given consent at any time (Section 6(6)). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to Grievance Redressal: Lodge a complaint with our Grievance Officer or the Data Protection Board of India (Section 13)
- Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity (Section 14)
To exercise any of these rights, email: privacy@postpilot.in
9. Data Retention
- Account data: Retained as long as your account is active
- Generated content: Stored for 90 days after generation, then automatically deleted
- Writing DNA™ profiles: Retained until account deletion or profile reset
- Payment records: Retained for 8 years as required under Indian tax law
- Analytics data: Retained for 24 months in anonymized form
Upon account deletion, all personal data is permanently erased within 30 days, except where retention is required by Indian law.
10. Children's Privacy
PostPilot does not knowingly collect personal data from children under 18 years of age. In compliance with Section 9 of the DPDP Act, 2023, we require verifiable parental consent before processing any data of individuals below the age of 18. If we become aware that we have collected data from a minor without proper consent, we will delete it immediately.
11. Cross-Border Data Transfer
Your data may be processed by third-party services with servers outside India. Such transfers comply with Section 16 of the DPDP Act, 2023 and are made only to jurisdictions or entities that ensure an adequate level of data protection. We ensure appropriate contractual safeguards (Standard Contractual Clauses) are in place.
12. Cookies Policy
We use the following types of cookies:
- Essential Cookies: Required for authentication, security, and basic functionality
- Analytics Cookies: To understand usage patterns (PostHog, privacy-focused)
We do not use advertising cookies or tracking cookies. You can manage cookie preferences through your browser settings.
13. Grievance Redressal
In compliance with Rule 5(9) of the SPDI Rules, 2011, and Section 13 of the DPDP Act, 2023:
- Grievance Officer: Privacy Team, PostPilot
- Email: grievance@postpilot.in
- Response Time: Within 30 days of receipt of the complaint
If you are unsatisfied with our response, you may escalate your complaint to the Data Protection Board of India as established under the DPDP Act, 2023.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of PostPilot after changes constitutes acceptance of the updated policy.
15. Governing Law
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Any disputes shall be subject to the exclusive jurisdiction of the courts in India.