gdpr compliance

effective date: april 1, 2026

1. our commitment

PostAI SAS is committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). We act as a data controller when we process your personal data to provide our Service, and as a data processor when we handle personal data on behalf of our customers. This page explains how we fulfil our GDPR obligations and how you can exercise your rights.

2. legal bases for processing

We rely on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you subscribed to, including account management, content scheduling, and payment processing.
  • Legitimate interests (Art. 6(1)(f)): product analytics, fraud prevention, security monitoring, and improving the platform, where these interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): optional analytics cookies and marketing communications where you have given explicit consent.

3. your rights under gdpr

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure (“right to be forgotten”) of your data where no overriding legal basis applies (Art. 17).
  • Restriction of processing in certain circumstances (Art. 18).
  • Data portability in a structured, machine-readable format (Art. 20).
  • Objection to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any right, contact legal@postai.app. We will respond within 30 days.

4. data portability

You can export all your personal data and content directly from the PostAI dashboard under Settings → Privacy → Export Data. The export is provided in JSON format and includes your account information, connected social account metadata, scheduled and published posts, and AI-generated drafts. Large exports are delivered via a secure download link sent to your registered email address.

5. right to erasure

You can submit an erasure request through Settings → Privacy → Delete My Data, or by emailing legal@postai.app with the subject “Erasure Request”. Requests are processed within 30 days. Deletion is permanent and irreversible. We will retain minimal data where required by law (e.g. financial records for tax compliance).

6. sub-processors list

We use the following sub-processors to operate the Service. Each has executed a Data Processing Agreement with PostAI SAS and processes data only as instructed.

Sub-processor | Purpose | Location
Supabase | Database, authentication, and file storage | EU (Frankfurt)
Stripe | Payment processing and billing | EU (Ireland)
Trigger.dev | Background job execution and task scheduling | EU
Resend | Transactional email delivery | EU
Vercel | Application hosting and edge delivery | EU (primary region)
PostHog | Product analytics and session recording | EU cloud (Frankfurt)

7. data transfers

We store and process data within the EU wherever possible. For sub-processors that transfer data outside the EU, we rely on adequacy decisions issued by the European Commission (where applicable) or on Standard Contractual Clauses (SCCs) to ensure an equivalent level of data protection.

8. data breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority (CNIL) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay, as required by GDPR Article 34.

9. contact & complaints

For any GDPR-related enquiries, contact our data protection contact at legal@postai.app. You also have the right to lodge a complaint with the French supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr