Privacy Policy
Your privacy matters. Here is how we handle your data.
Last updated: February 2026
Publio AI ("we," "us," or "our") operates the publioai.com website and related services. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.
1. Information We Collect
We collect information you provide directly when you create an account, connect social media platforms, or use our services. This includes:
- Account information: Your name, email address, and password. Passwords are never stored in plain text; they are securely hashed before storage.
- OAuth tokens: When you connect social media platforms such as Instagram, TikTok, Reddit, or Facebook, we store encrypted OAuth tokens that allow us to publish content on your behalf. We do not store your social media passwords.
- Website URLs: URLs you submit for brand analysis are processed by our AI to extract brand voice, messaging, and audience insights.
- AI-generated content: Posts, captions, carousel scripts, and other content generated by our AI engine are stored in your account so you can review, edit, and schedule them.
- Usage data: We automatically collect information about how you interact with our service, including pages visited, features used, timestamps, IP address, browser type, and device information.
- Payment information: Billing details are collected and processed by Stripe. We do not store your full credit card number on our servers.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the service: Analyze your brand, generate AI content tailored to your voice, and manage your content calendar.
- Publish content to your connected platforms: Use your OAuth tokens to post approved content to Instagram, TikTok, Reddit, Facebook, and other connected social media accounts on your behalf.
- Improve AI content quality: Analyze aggregated, anonymized usage patterns to improve our AI content generation models and platform-specific formatting.
- Send account notifications: Notify you about publishing activity, account changes, billing events, and important service updates.
- Process payments: We use Stripe to handle all subscription billing, invoicing, and payment processing.
3. Third-Party Services
We rely on trusted third-party services to operate Publio AI. Each of these services processes data in accordance with its own privacy policy:
- Stripe (payments): Handles all payment processing, subscription management, and billing. Stripe collects and stores your payment method details directly. See Stripe's Privacy Policy.
- Anthropic / Claude (AI content generation): We send brand analysis data and content prompts to Anthropic's Claude API to generate social media content. Anthropic processes this data per their Privacy Policy. Data sent to Claude via the API is not used to train their models.
- Social media platforms (publishing): When you connect Instagram, TikTok, Reddit, or Facebook, data is shared with those platforms as necessary to publish content. Each platform has its own privacy policy governing how it handles published content and associated data.
- Hosting provider: Our application infrastructure is hosted on secure cloud servers. The hosting provider may process server logs and network data as part of standard infrastructure operations.
4. Data Storage and Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- All data is encrypted in transit using TLS (Transport Layer Security) and encrypted at rest.
- OAuth tokens for connected social media platforms are encrypted before storage and are never exposed in plain text.
- User passwords are hashed using secure, one-way hashing algorithms. We cannot recover or view your password.
- Application data is stored in a PostgreSQL database with access controls, regular backups, and monitoring for unauthorized access.
- We regularly review and update our security practices. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
5. Data Retention
We retain your data only as long as necessary to provide our services and fulfill the purposes described in this policy:
- Account data: Retained for the duration of your active account. When you delete your account, all personal data is permanently removed within 30 days.
- Usage logs: Server and usage logs are retained for 90 days for debugging, security monitoring, and service improvement, then automatically purged.
- AI-generated content: All AI-generated posts, drafts, and brand analysis data are deleted when you delete your account.
- Billing records: We may retain certain billing records as required by law or for legitimate accounting purposes, even after account deletion.
6. Your Rights
You have the following rights regarding your personal data:
- Access your data: You can view your account information, connected platforms, and generated content at any time through the application dashboard.
- Request deletion: You can delete your account and all associated data from your account settings. Deletion is processed within 30 days.
- Export your data: You can request a full export of your account data, including brand analyses, generated content, and publishing history.
- Opt out of marketing emails: You can unsubscribe from marketing communications at any time using the link in any marketing email. Transactional emails related to your account and service will continue.
Self-hosted deployments: If you are using the self-hosted version of Publio AI, all data remains on your own infrastructure. We do not have access to any data stored in self-hosted instances. You are responsible for your own data management, backups, and compliance.
7. Cookies
We use a minimal set of cookies to operate the service:
- Essential cookies: We use cookies for authentication and session management. These are strictly necessary for the service to function and cannot be disabled.
- No third-party tracking cookies: We do not use third-party advertising or analytics tracking cookies. We do not track you across other websites.
- Stripe cookies: Stripe may set cookies during payment processing for fraud prevention and to complete transactions. These are governed by Stripe's cookie policy.
8. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to opt out of sale: We do not sell your personal information to third parties. We have never sold personal information and have no plans to do so.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing or quality of service for making a privacy request.
To exercise any of these rights, contact us at privacy@publioai.com. We will verify your identity before processing any request and respond within 45 days.
9. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights and protections:
Lawful basis for processing: We process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Publio AI service you have signed up for, including account management, content generation, and publishing.
- Legitimate interest: Processing necessary for our legitimate business interests, such as improving our service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
Your GDPR rights: In addition to the rights described in Section 6, you have the right to:
- Rectify inaccurate data by updating your account information at any time.
- Restrict processing of your personal data in certain circumstances.
- Data portability: Receive your personal data in a structured, commonly used, and machine-readable format.
- Lodge a complaint with your local data protection authority if you believe your rights have been violated.
Data transfers: Your data is processed in the United States. By using our service, you acknowledge that your data will be transferred to and processed in the US. We implement appropriate safeguards to protect your data during international transfers.
A Data Processing Agreement (DPA) is available on request for customers who require one. Contact us at privacy@publioai.com to request a copy.
10. Children's Privacy
Publio AI is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@publioai.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- For material changes, we will notify you via email at the address associated with your account at least 30 days before the changes take effect.
- The "Last updated" date at the top of this page will be revised to reflect the date of the most recent update.
- Your continued use of the service after the effective date of any changes constitutes your acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
12. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@publioai.com
We aim to respond to all privacy-related inquiries within 10 business days.