
Privacy Policy

Last updated: 4 April 2026

PostPilot is built on the principle that your data is yours. This policy explains plainly what we collect, why we collect it, and what you can do about it.

1. About This Policy

PostPilot is operated by PostPilot Pty Ltd (ACN pending), based in Melbourne, Victoria, Australia ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and disclose your personal information when you use the PostPilot platform, website, and related services (the "Service").

We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using PostPilot, you agree to the collection and use of information as described in this Policy.

2. Information We Collect

We collect the following categories of personal information:

Account information: Your name, email address, and password when you create an account.

Business information: Your business name, industry, brand colours, fonts, logo, tagline, and brand voice — provided during onboarding and editable in Settings.

Social media handles: Your Instagram handle and Facebook Page ID, used to facilitate auto-posting. We do not collect your social media passwords.

Uploaded content: Video clips and photos you upload to PostPilot each week for content production. These are stored securely in our cloud storage and used solely to produce your weekly content output.

Payment information: Billing is processed by Stripe. We do not store your credit card number, CVC, or full payment details on our servers. Stripe's privacy policy governs the handling of your payment information.

Usage data: Information about how you use the Service, including pages visited, features used, and actions taken within the app. This is used to improve the Service and is not sold to third parties.

Device and technical data: IP address, browser type, operating system, and device identifiers collected automatically when you use the Service.

When you connect your Instagram or Facebook account to PostPilot, we collect and store an access token issued by Meta Platforms, Inc. This token allows PostPilot to publish content to your Instagram and Facebook accounts on your behalf. We also store your Instagram Business Account ID and Facebook Page ID where available. We do not access your personal Facebook profile, private messages, friends list, or any data beyond what is required to publish your approved content.

3. How We Use Your Information

We use your personal information to:

  • Provide and operate the PostPilot Service, including producing your weekly content
  • Process your account registration and manage your subscription
  • Send you transactional emails (content ready notifications, billing receipts, account alerts)
  • Send you SMS notifications if you have opted in
  • Improve and develop the Service based on usage patterns
  • Respond to your support requests
  • Comply with our legal obligations
  • Detect and prevent fraud and abuse of the Service

We will only send you marketing communications with your explicit consent, and you can unsubscribe at any time via the link in any marketing email or by emailing us at hello@postpilot.solutions.

Access tokens obtained through Meta's OAuth process are used solely to publish content you have reviewed and approved within PostPilot. These tokens are stored securely in our database and are never shared with third parties other than Meta's Graph API infrastructure required to complete the posting action.

4. Third-Party Services

PostPilot uses the following third-party services to operate the platform. Each service processes data only to the extent necessary to provide PostPilot's functionality:

- Supabase (Supabase Inc.) — Database and authentication infrastructure. Stores your account information, brand profile, uploaded content metadata, and social media access tokens. Data hosted in Tokyo, Japan (AWS ap-northeast-1). Privacy policy: supabase.com/privacy

- Make.com (Celonis SE) — Automation platform that orchestrates our AI content pipeline. Processes your brand profile data and clip metadata to produce your weekly content. Privacy policy: make.com/en/privacy-notice

- Shotstack (Shotstack Pty Ltd) — Video and image rendering service. Receives your brand colours, fonts, and clip URLs to render your Reels and static posts. Privacy policy: shotstack.io/privacy

- OpenAI (OpenAI, LLC) — AI model provider. Your brand profile information and clip metadata are sent to GPT-4o to generate content direction and captions. No raw video footage is transmitted to OpenAI. Privacy policy: openai.com/privacy

- Vercel (Vercel Inc.) — Hosting and deployment platform for the PostPilot web application. Privacy policy: vercel.com/legal/privacy-policy

- Meta Platforms, Inc. — When you connect your Instagram or Facebook account, you authorise PostPilot to publish content via Meta's Graph API. Your access token is transmitted to Meta's servers to complete each post. Privacy policy: facebook.com/privacy/policy

5. Sharing Your Information

We do not sell your personal information. We share your information only as follows:

Service providers: We use third-party services to operate PostPilot, including Supabase (database and file storage), Make.com (workflow automation), Shotstack (video rendering), OpenAI (AI caption generation), AssemblyAI (transcription), Stripe (payments), Resend (transactional email), and Twilio (SMS). These providers process your data on our behalf under data processing agreements and are not permitted to use your data for their own purposes. Further detail on each processor is set out in Section 4.

Meta Platforms: When you connect your Instagram or Facebook account, we interact with the Meta Graph API to schedule and post your content. Your content is transmitted to Meta's servers in accordance with Meta's Privacy Policy and Terms of Service.

Legal requirements: We may disclose your information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect our rights or the safety of others.

Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6. Your Uploaded Content

Video clips and photos you upload to PostPilot are stored in secure cloud storage (Supabase). This content is:

  • Used exclusively to produce your weekly PostPilot content output
  • Not used to train any AI models without your explicit consent
  • Not shared with any third party except the rendering and processing services listed in Section 4
  • Retained for the duration of your subscription plus 30 days, after which it is permanently deleted

You retain full ownership and copyright of all content you upload. By uploading content, you grant PostPilot a limited licence to process, transform, and store that content solely for the purpose of providing the Service.

7. Data Storage and Security

Your data is stored on servers located in the Asia-Pacific region (Tokyo, Japan) via Supabase. Some data may be processed by our service providers in other regions, including the United States and European Union, where different privacy laws may apply. We ensure appropriate safeguards are in place for any international transfers.

We implement industry-standard security measures including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. Cookies and Tracking

PostPilot uses cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Understand how you use the Service (analytics)

We do not use third-party advertising cookies. You can control cookies through your browser settings, though disabling certain cookies may affect the functionality of the Service.

9. Your Rights

Under the Australian Privacy Act 1988 (Cth), you have the right to:

- Access the personal information we hold about you

- Request correction of inaccurate or incomplete information

- Request deletion of your personal information

- Withdraw consent for processing at any time

To exercise any of these rights, contact us at hello@postpilot.solutions. We will respond within 30 days. To delete your account and all associated data, email hello@postpilot.solutions with the subject line 'Account Deletion Request'. We will confirm deletion within 7 business days.

To disconnect PostPilot from your Instagram and Facebook accounts at any time, go to Settings → Socials → Disconnect. You can also revoke PostPilot's access directly from your Facebook account under Settings → Security and Login → Business Integrations.

10. Data Retention

We retain your account data for as long as your PostPilot account is active. Uploaded video and photo clips are retained for 90 days after the weekly job they were submitted for is completed, after which they are deleted from our storage. Rendered content (your finished Reels and static posts) is retained for 12 months. Meta access tokens are stored until you disconnect your account via Settings → Socials → Disconnect, or until you request account deletion. Analytics data is retained for 24 months.

11. Children's Privacy

PostPilot is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice in the Service. Your continued use of PostPilot after changes are made constitutes acceptance of the updated Policy. The date of the most recent revision is shown at the top of this page.

13. Contact Us

For any privacy-related questions or concerns, contact our privacy team at hello@postpilot.solutions. PostPilot is operated by John Bamba, Melbourne, Australia.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Social Media Connection (Meta)

PostPilot connects to your Facebook and Instagram accounts via Meta's official OAuth system. When you connect your accounts, we collect and store: your Meta access token (used to publish posts on your behalf), your Instagram Business Account ID, your Facebook Page ID, and your token expiry date. We do not collect your personal Facebook profile data, friends list, messages, or any content beyond what is required to publish your scheduled posts. Your Meta access token is stored securely in our database and is never shared with third parties other than those listed below. Tokens expire after 60 days, after which you must reconnect your accounts via your Settings page.

What We Post on Your Behalf

When you approve content in PostPilot, we schedule and automatically publish that content to your connected Instagram and Facebook accounts at the times you have approved. You retain full ownership of all content. You can disconnect PostPilot from your social accounts at any time via Settings → Socials → Disconnect. Disconnecting immediately revokes PostPilot's ability to post on your behalf.

Third-Party Processors

PostPilot uses the following third-party services to deliver our product. Each processor has access only to the data required for their specific function.

| Service | Purpose | Data shared | Privacy policy link |
|---|---|---|---|
| Supabase | Database & file storage | Account data, uploaded media, brand settings | supabase.com/privacy |
| Make.com | Automation pipeline | Job data, AI outputs, post metadata | make.com/en/privacy-notice |
| Shotstack | Video rendering | Brand assets, timeline instructions | shotstack.io/privacy |
| OpenAI | AI content direction | Brand snapshot, shot metadata (no video content) | openai.com/policies/privacy-policy |
| Meta Platforms | Social publishing | Access tokens, post content | facebook.com/privacy/policy |
| Vercel | Website hosting | Web traffic data | vercel.com/legal/privacy-policy |

Data Retention

We retain your account data for as long as your PostPilot account is active. If you delete your account, we will delete your personal data, brand profile, uploaded media, and social tokens within 30 days. Rendered video content hosted on third-party CDNs (Shotstack) may take up to 90 days to be fully purged from their systems. Analytics data may be retained in anonymised aggregate form.

Your Rights (Australian Privacy Act 1988)

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to: access the personal information we hold about you; request correction of inaccurate information; request deletion of your personal information; withdraw consent for data processing at any time; lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. To exercise any of these rights, contact us at hello@postpilot.solutions.

Meta Data Deletion

If you connected PostPilot to your Facebook account and wish to have your data deleted, you can: (1) Disconnect via PostPilot Settings → Socials → Disconnect, which immediately clears your tokens from our system, or (2) Use Facebook's app removal process at facebook.com/settings → Apps and Websites → Remove PostPilot. Upon removal, we will delete your Meta tokens within 30 days in accordance with our data deletion callback. For any questions about data deletion, contact hello@postpilot.solutions.