This policy explains what we collect, why we collect it, who else sees it, how long we keep it, and how you can get it back or delete it. We have tried to write it in plain language rather than legal boilerplate.
Information We Collect
Account Information
- Email address (for authentication and service email)
- Password, stored only as a bcrypt hash — we never see or store the plaintext
- Instagram access tokens, encrypted at rest with AES-256-GCM
- If you sign in with Facebook or Google, the basic profile information those services return to us
Your Content
- Images and videos you upload
- Captions, hashtags, tagged usernames, and scheduling preferences
- Post history and the results of each publish attempt
Usage Data
- IP address and approximate location
- Device and browser information
- Feature usage, pageviews, and interaction events
- Security and audit events (logins, permission changes, deletions)
Billing
Payments are processed by Lemon Squeezy, our merchant of record. Your card details go to them directly — we never receive or store your card number.
Who Else Sees Your Data
To run the product we pass data to the service providers below. They may only process it on our instructions, for the stated purpose.
Worth being explicit about: when you use AI captions or subtitles, your images, video, or audio are sent to third-party AI providers (Google Gemini, AssemblyAI, Shotstack) so they can generate that output. If you would rather that not happen, do not use those features — the rest of the product works without them.
| Provider | Purpose | Data shared |
|---|---|---|
| Neon | Primary database hosting | Account data, post metadata, settings |
| Vercel | Application hosting | Request logs, IP addresses |
| Cloudflare R2 | Image and video storage | Your uploaded photos and videos |
| Bunny.net | Video transcoding (iPhone/HEVC footage) | Your uploaded videos |
| Meta / Instagram | Publishing your posts | Your captions, images, videos, account tokens |
| Google (Gemini) | AI caption generation | The images you ask us to caption |
| AssemblyAI | Subtitle transcription | The audio track of videos you subtitle |
| Shotstack | Burning subtitles into video | Your videos and their subtitle files |
| Lemon Squeezy | Payments and subscriptions | Billing details, email address |
| Resend | Sending email | Your email address and message content |
| Upstash (Redis) | Rate limiting and abuse prevention | Transient request counters |
| PostHog | Product analytics | Pageviews, clicks, feature usage |
| Google Analytics 4 | Website analytics | Pageviews (IP anonymised) |
| Microsoft Clarity | Session replay and heatmaps | Anonymised interaction recordings |
We do not sell or rent your personal information, and we do not share it with third parties for their own marketing.
Several of these providers operate outside Israel and the EEA, primarily in the United States. Where required, transfers rely on the providers’ standard contractual clauses.
Cookies & Analytics
We use cookies and similar technologies for two things:
- Strictly necessary: keeping you signed in, protecting against cross-site request forgery. The product cannot work without these.
- Analytics: Google Analytics 4 (with IP anonymisation and advertising signals disabled), PostHog, and Microsoft Clarity. Clarity records anonymised session replays — a reconstruction of clicks, scrolls, and mouse movement — so we can see where people get stuck. It is configured to mask the content of text and password fields, so what you type is not captured.
We do not use advertising or cross-site tracking cookies. You can block cookies in your browser; the strictly necessary ones are required to stay signed in.
How We Use Your Information
- To publish the posts you schedule, to the account you connected
- To generate captions and subtitles when you ask for them
- To send service email (post failures, password resets, trial status, security alerts)
- To send product and marketing email — only if you opted in, and you can opt out at any time
- To bill you, if you are on a paid plan
- To detect abuse, prevent fraud, and keep the service up
- To understand which features are used, so we know what to improve
How Long We Keep It
- Account and content: for as long as your account is open.
- When you delete your account: your images, videos, captions, scheduled posts, post history and settings are deleted immediately and irreversibly. There is no recovery window — please export your data first if you want to keep it.
- What survives that: a single anonymised account record (your email is replaced with a placeholder), kept for up to 30 days so we can reconcile billing and abuse investigations, then permanently erased.
- Media you delete individually: removed from storage shortly after deletion.
- Security and audit logs: retained longer where we need them to investigate abuse or meet a legal obligation.
- Billing records: retained as long as tax and accounting law requires, even after account deletion.
How We Protect Your Data
- Encryption at rest: access tokens and other sensitive fields are encrypted with AES-256-GCM; passwords are bcrypt-hashed
- Encryption in transit: all traffic is HTTPS/TLS
- Multi-factor authentication: available on your account, and enforced at sign-in when enabled
- Rate limiting: protection against brute force and abuse
- CSRF protection on state-changing requests
- Audit logging: security-critical operations are recorded
- Sessions expire after 7 days of inactivity, with a 30-day absolute cap
No system is perfectly secure. If we ever discover a breach affecting your personal data, we will notify you and the relevant authority as the law requires.
Your Rights
Under the Israeli Privacy Protection Law and the GDPR, you have the right to:
- Access: get a copy of the data we hold about you
- Rectification: correct anything inaccurate
- Erasure: delete your account and its data
- Portability: export your data as machine-readable JSON
- Object / withdraw consent: opt out of marketing email, or of optional processing
You can do all of this yourself, right now, from Account settings — export your data, change your email preferences, or delete your account. If you would rather a human did it, or you cannot sign in, contact us and we will do it for you.
Contact Us
Questions about this policy, or about how we handle your data:
- Email: support@post-pilots.com
- Contact form: Send us a message
If you are in the EEA or Israel and you think we have mishandled your data, you also have the right to complain to your data protection authority.