Skip to main content
    Legal · Privacy Policy

    Privacy Policy

    Last updated: July 14, 2026

    This policy explains what we collect, why we collect it, who else sees it, how long we keep it, and how you can get it back or delete it. We have tried to write it in plain language rather than legal boilerplate.


    Information We Collect

    Account Information

    • Email address (for authentication and service email)
    • Password, stored only as a bcrypt hash — we never see or store the plaintext
    • Instagram access tokens, encrypted at rest with AES-256-GCM
    • If you sign in with Facebook or Google, the basic profile information those services return to us

    Your Content

    • Images and videos you upload
    • Captions, hashtags, tagged usernames, and scheduling preferences
    • Post history and the results of each publish attempt

    Usage Data

    • IP address and approximate location
    • Device and browser information
    • Feature usage, pageviews, and interaction events
    • Security and audit events (logins, permission changes, deletions)

    Billing

    Payments are processed by Lemon Squeezy, our merchant of record. Your card details go to them directly — we never receive or store your card number.


    Who Else Sees Your Data

    To run the product we pass data to the service providers below. They may only process it on our instructions, for the stated purpose.

    Worth being explicit about: when you use AI captions or subtitles, your images, video, or audio are sent to third-party AI providers (Google Gemini, AssemblyAI, Shotstack) so they can generate that output. If you would rather that not happen, do not use those features — the rest of the product works without them.

    Third-party service providers that receive Post Pilots user data
    ProviderPurposeData shared
    NeonPrimary database hostingAccount data, post metadata, settings
    VercelApplication hostingRequest logs, IP addresses
    Cloudflare R2Image and video storageYour uploaded photos and videos
    Bunny.netVideo transcoding (iPhone/HEVC footage)Your uploaded videos
    Meta / InstagramPublishing your postsYour captions, images, videos, account tokens
    Google (Gemini)AI caption generationThe images you ask us to caption
    AssemblyAISubtitle transcriptionThe audio track of videos you subtitle
    ShotstackBurning subtitles into videoYour videos and their subtitle files
    Lemon SqueezyPayments and subscriptionsBilling details, email address
    ResendSending emailYour email address and message content
    Upstash (Redis)Rate limiting and abuse preventionTransient request counters
    PostHogProduct analyticsPageviews, clicks, feature usage
    Google Analytics 4Website analyticsPageviews (IP anonymised)
    Microsoft ClaritySession replay and heatmapsAnonymised interaction recordings

    We do not sell or rent your personal information, and we do not share it with third parties for their own marketing.

    Several of these providers operate outside Israel and the EEA, primarily in the United States. Where required, transfers rely on the providers’ standard contractual clauses.


    Cookies & Analytics

    We use cookies and similar technologies for two things:

    • Strictly necessary: keeping you signed in, protecting against cross-site request forgery. The product cannot work without these.
    • Analytics: Google Analytics 4 (with IP anonymisation and advertising signals disabled), PostHog, and Microsoft Clarity. Clarity records anonymised session replays — a reconstruction of clicks, scrolls, and mouse movement — so we can see where people get stuck. It is configured to mask the content of text and password fields, so what you type is not captured.

    We do not use advertising or cross-site tracking cookies. You can block cookies in your browser; the strictly necessary ones are required to stay signed in.


    How We Use Your Information

    • To publish the posts you schedule, to the account you connected
    • To generate captions and subtitles when you ask for them
    • To send service email (post failures, password resets, trial status, security alerts)
    • To send product and marketing email — only if you opted in, and you can opt out at any time
    • To bill you, if you are on a paid plan
    • To detect abuse, prevent fraud, and keep the service up
    • To understand which features are used, so we know what to improve

    How Long We Keep It

    • Account and content: for as long as your account is open.
    • When you delete your account: your images, videos, captions, scheduled posts, post history and settings are deleted immediately and irreversibly. There is no recovery window — please export your data first if you want to keep it.
    • What survives that: a single anonymised account record (your email is replaced with a placeholder), kept for up to 30 days so we can reconcile billing and abuse investigations, then permanently erased.
    • Media you delete individually: removed from storage shortly after deletion.
    • Security and audit logs: retained longer where we need them to investigate abuse or meet a legal obligation.
    • Billing records: retained as long as tax and accounting law requires, even after account deletion.

    How We Protect Your Data

    • Encryption at rest: access tokens and other sensitive fields are encrypted with AES-256-GCM; passwords are bcrypt-hashed
    • Encryption in transit: all traffic is HTTPS/TLS
    • Multi-factor authentication: available on your account, and enforced at sign-in when enabled
    • Rate limiting: protection against brute force and abuse
    • CSRF protection on state-changing requests
    • Audit logging: security-critical operations are recorded
    • Sessions expire after 7 days of inactivity, with a 30-day absolute cap

    No system is perfectly secure. If we ever discover a breach affecting your personal data, we will notify you and the relevant authority as the law requires.


    Your Rights

    Under the Israeli Privacy Protection Law and the GDPR, you have the right to:

    • Access: get a copy of the data we hold about you
    • Rectification: correct anything inaccurate
    • Erasure: delete your account and its data
    • Portability: export your data as machine-readable JSON
    • Object / withdraw consent: opt out of marketing email, or of optional processing

    You can do all of this yourself, right now, from Account settings — export your data, change your email preferences, or delete your account. If you would rather a human did it, or you cannot sign in, contact us and we will do it for you.


    Contact Us

    Questions about this policy, or about how we handle your data:

    If you are in the EEA or Israel and you think we have mishandled your data, you also have the right to complain to your data protection authority.