This Privacy Policy explains how Postou.ai collects, uses, shares and protects the personal data of its users and visitors, in accordance with the Brazilian General Data Protection Law (Lei nº 13.709/2018 — LGPD). Cookie usage is detailed in our Cookie Policy.
1. Data Controller
The controller of the personal data processed by Postou.ai is PXM CAPITAL LTDA, registered under Brazilian tax ID (CNPJ) No. 63.094.647/0001-40, with its registered office at Avenida Rosa dos Ventos, 731, Vespasiano, State of Minas Gerais, Brazil, ZIP code 33200-480.
The communication channel with our Data Protection Officer and for data subject requests is contato@postou.ai.
2. Information We Collect
- Account data: name, email address, profile picture, phone number and password (stored only as a hash).
- Business data: business name, category, description, brand colors, visual style and logo.
- Generated content: AI-generated images, captions and text.
- Instagram data: username, Instagram Business account ID and access token — collected only when you connect your account.
- Payment data: customer and subscription identifiers and payment method, processed by Stripe. We never store your credit card number.
- Usage and device data: IP address, browser user-agent, navigation pages and events, access dates and times.
- Communications: messages exchanged with the platform over WhatsApp and email.
- Audio recordings: voice notes you send over WhatsApp, transcribed to interpret your command (transcription is performed by an AI provider — see section 6).
- Cookie and tracking identifiers, as described in our Cookie Policy.
3. Instagram Data (Graph API)
When you connect an Instagram Business or Creator account to Postou.ai:
- We request only the instagram_business_basic and instagram_business_content_publish permissions.
- We store your Instagram username, account ID and long-lived access token in an access-controlled database that is encrypted at rest.
- We use the access token only to: (1) verify your account identity (GET /me); (2) create a media container when you publish a post you created and approved; and (3) publish that media container as a feed post or story after your explicit action.
- We never publish without your explicit action. We never fetch followers, insights, messages, comments, stories or any other data beyond what is strictly required to verify your identity and publish content on your behalf.
- You can disconnect your Instagram account at any time in Settings → Instagram. Disconnecting deletes the access token from our database immediately.
4. Purposes and Legal Bases
- Provide the service (generate content, schedule, publish, support): performance of a contract.
- Process payments and recurring billing: performance of a contract and compliance with legal obligations.
- Authenticate access and protect the account and platform, including keeping a security audit trail: legitimate interest and legal obligation.
- Send service communications: performance of a contract.
- Send communications about your purchase and checkout recovery (payment reminders and completing a checkout you started), over WhatsApp and email: performance of a contract and legitimate interest. You may opt out of these messages at any time.
- Measure and improve the platform (product analytics): legitimate interest.
- Marketing, advertising and campaign measurement using non-essential cookies. These cookies are not essential and you can disable them at any time, as described in our Cookie Policy.
- Comply with legal obligations and exercise rights in proceedings: legal obligation and regular exercise of rights.
5. Cookies and Tracking
We use cookies and similar technologies for authentication, platform operation, usage measurement and advertising. Strictly necessary cookies are essential to the service; analytics and advertising cookies are non-essential and can be disabled at any time. Details are available in our Cookie Policy at postou.ai/cookies.
6. Data Sharing and Processors
We never sell your data. We share data with processors strictly to operate the service:
- Stripe: payment processing and recurring billing.
- Meta / Instagram: publishing content you authorized to your Instagram account.
- Meta (Pixel and Conversions API): advertising measurement and optimization.
- OpenAI and Google (Gemini): AI content generation. To generate content, we send these providers the business context and the instructions you provide; we do not send personal data beyond what is needed for that purpose.
- Google: audience measurement (Google Analytics).
- Supabase: database and file storage.
- Vercel: application hosting.
- PostHog: product analytics.
- Sentry: error monitoring.
- Resend: transactional email delivery.
- WhatsApp (Meta): messaging.
- Chatwoot: customer support (self-hosted), including support conversation content and the account data needed to assist you.
7. International Data Transfer
Some of the processors above (including Stripe, OpenAI, Google, Meta, PostHog, Sentry and Vercel) process data on servers located outside Brazil, particularly in the United States. These international transfers are made to provide the service and rely on adequate safeguards, through contractual clauses and the data protection commitments of those processors, in accordance with article 33 of the LGPD.
8. Data Retention
We keep personal data for as long as necessary for the purposes described in this policy and while your account is active. After the account is closed, data is deleted or anonymized, except where retention is required by law or necessary to exercise rights.
9. Your Rights
Under the LGPD, you may at any time:
- confirm the existence of processing and access your data;
- correct incomplete, inaccurate or outdated data;
- request anonymization, blocking or deletion of unnecessary or excessive data;
- request data portability;
- request deletion of data processed based on consent;
- obtain information about the entities we share data with;
- withdraw consent.
To exercise these rights, contact us at contato@postou.ai.
10. Security
We apply technical and organizational measures to protect personal data, including HTTPS/TLS encryption in transit, a database encrypted at rest, access control and per-user data segregation (Row Level Security), passwords stored only as a hash, and a security audit trail for incident detection and investigation. No system is fully immune to incidents; if a security incident occurs that may pose a relevant risk, we will notify the Brazilian Data Protection Authority (ANPD) and the affected users as required by law.
11. Account and Data Deletion
To request deletion of your account and data, you can:
- contact our support on WhatsApp;
- email us at contato@postou.ai;
- revoke access via Instagram: Settings → Apps and Websites → Postou.ai → Remove, which triggers our automatic data deletion process.
Our data deletion callback URL is https://postou.ai/api/meta/data-deletion. After deletion, we provide a confirmation code that you can check at https://postou.ai/data-deletion-status. We complete deletion within 30 days, except for data we are legally required to keep.
12. Children
The platform is not directed to anyone under 18 years of age and we do not knowingly collect data from children or adolescents.
13. Changes to This Policy
This policy may be updated. Material changes will be communicated by email or by notice on the platform. The last updated date is shown at the top of this page.
14. Contact and Authority
Questions or requests about the processing of your personal data can be sent to contato@postou.ai. You also have the right to file a complaint with the Brazilian Data Protection Authority (ANPD). We follow the Meta Platform Terms and Developer Policies. Postou.ai is not affiliated with, sponsored by, or endorsed by Meta Platforms, Inc.
This page is the English version of our privacy policy. The Portuguese (authoritative) version is available at postou.ai/privacy.