Privacy Policy

1. Data Controller

PlanPost is operated by PlanPost Ltd, a company registered in England and Wales.

• Email: privacy@planpost.app
• Website: planpost.app

2. Information We Collect

Account Data

When you create an account, we collect your email address, name, and company name. If you use magic link authentication, we store your email address for login purposes.

Business Data

To generate content for your business, we collect your chosen sector(s), brand settings (tone, language, region), and reference images you upload. Reference images are stored in our secure cloud storage (Cloudflare R2).

Content Data

We store AI-generated posts, images, and videos created for your account. This includes captions, hashtags, and platform-specific variations.

Platform Connection Data

When you connect social media accounts for auto-posting, we collect:

• Facebook/Instagram (Meta): Page access tokens, page IDs, and publishing permissions via OAuth. We request pages_manage_posts, pages_read_engagement, and instagram_basic scopes.
• TikTok: Access tokens and user IDs via OAuth. We request video.publish and user.info.basic scopes.
• LinkedIn: Access tokens and organisation IDs via OAuth. We request w_member_social scope.
• Google Business: Access tokens and location IDs via OAuth.
• Other platforms: Access tokens and minimal identifiers required for publishing.

We use these tokens solely to publish scheduled content on your behalf. We do not read your private messages, access your followers' data, or collect data beyond what is needed for publishing.

Usage Data

We collect analytics data about how you use the site (pages visited, features used) through Google Analytics and Microsoft Clarity. This data is only collected with your consent (see our Cookie Policy).

Payment Data

Payment processing is handled by Stripe. We do not store your card details. We store your subscription status, plan tier, and billing cycle for account management.

3. How We Use Your Information

• Content generation: Your business data (sector, tone, reference images) is used as input for AI content generation.
• Account management: Email address for login, notifications, and support.
• Billing: Subscription management via Stripe.
• Platform publishing: OAuth tokens to publish content to your connected social media accounts.
• Analytics: Understanding site usage to improve the product (consent required).
• Communication: Service updates, billing notifications, and support responses.

4. AI-Generated Content Disclosure

PlanPost uses artificial intelligence models to generate social media content. This includes:

• Text captions and hashtags generated by large language models (Claude by Anthropic, DeepSeek, and others).
• Images generated by AI image models (Google Gemini and others).
• Reference images you upload are sent to AI providers as input for image generation. These images are processed by third-party AI services.

AI-generated content may not always be accurate or appropriate. You are responsible for reviewing content before publishing. PlanPost does not guarantee content quality, accuracy, or suitability for any particular purpose.

5. Third-Party Data Sharing

We share data with the following third parties, solely for the purposes described:

• Stripe — Payment processing and subscription management.
• LLM/AI providers — Prompts, business context, and reference images are sent to Claude (Anthropic), OpenAI, Google Gemini, DeepSeek, and Groq for content generation. We do not send your personal data (name, email) to AI providers.
• Social media platforms — When auto-posting is enabled, content is published to your connected accounts (Meta/Facebook/Instagram, TikTok, LinkedIn, Google Business, Pinterest, YouTube, Twitter/X).
• Cloudflare — Infrastructure hosting, CDN, and security.
• Postmark — Transactional email delivery.
• Google Analytics — Website analytics (consent required).
• Microsoft Clarity — Session recording and heatmaps (consent required).

6. Data Retention

• Account data is retained while your account is active.
• Generated content is retained according to your tier limits.
• Reference images are stored while your account is active and deleted within 30 days of account deletion.
• Platform connection tokens are deleted immediately when you disconnect an account or delete your PlanPost account.
• All data is deleted within 30 days of a confirmed account deletion request.

7. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:

• Access: Request a copy of your personal data.
• Rectification: Correct inaccurate personal data.
• Erasure: Request deletion of your personal data (see Data Deletion).
• Portability: Receive your data in a machine-readable format.
• Restriction: Restrict processing of your data.
• Objection: Object to processing of your data.

To exercise any of these rights, email privacy@planpost.app. We will respond within 30 days.

8. Data Deletion

You can delete your data in two ways:

1. Self-service: Dashboard → Settings → Delete Account
2. Email: Send a request to privacy@planpost.app with subject "Data Deletion Request"

For more details, see our Data Deletion page.

9. International Data Transfers

Your data may be processed outside the UK/EEA by our infrastructure and AI providers. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the UK Information Commissioner's Office (ICO) within 72 hours.
• We will notify affected users without undue delay.

11. Platform-Specific Disclosures

Meta (Facebook & Instagram)

• We access your Facebook Pages and Instagram Professional accounts via OAuth.
• We request permissions to publish content and read basic engagement metrics.
• We use this data solely to publish scheduled content on your behalf and report on post performance.
• You can revoke access at any time from your Facebook Settings → Apps and Websites, or by disconnecting the platform in your PlanPost dashboard.
• Meta data deletion callback: When Meta sends a data deletion request, we process it automatically. See Data Deletion.

TikTok

• We access your TikTok account via OAuth to publish video content.
• We request minimal permissions required for posting.
• You can revoke access from TikTok Settings → Security → Manage app permissions.

LinkedIn, Google Business, Pinterest, YouTube, Twitter/X

• For each connected platform, we request only the permissions needed to publish content.
• We do not access private messages, contact lists, or personal data beyond what is needed for publishing.
• You can revoke access through each platform's settings or by disconnecting in your PlanPost dashboard.

12. Cookies

For information about how we use cookies, please see our Cookie Policy.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through the PlanPost dashboard. The "Last updated" date at the top of this page reflects the most recent revision.

14. Complaints

If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113

15. Contact

For any questions about this privacy policy or how we handle your data:

• Email: privacy@planpost.app
• General: hello@planpost.app