Privacy Policy

Postria is an AI-powered LinkedIn growth platform operated by Nacre Technology. We take your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over your information.

By accessing or using Postria, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to its terms, please do not use our services.

1. Who We Are

Postria is operated by Nacre Technology ("we," "us," or "our"), the maker of Postria — an AI-powered social media management platform focused on LinkedIn. Our service helps professionals and businesses plan, write, schedule, and publish LinkedIn content.

For the purposes of applicable data protection law, Nacre Technology is the data controller of all personal data collected through Postria.

2. Information We Collect

2.1 Account Information

When you create a Postria account, we collect:

• Full name and email address
• Password (stored as a one-way cryptographic hash — we never store plaintext passwords)
• Organisation name and workspace slug
• Profile avatar (if provided)
• User role within your organisation (owner, admin, editor, or viewer)

2.2 LinkedIn Account Data

When you connect a LinkedIn personal profile or company page via OAuth, we collect and store:

• Authentication tokens: LinkedIn OAuth 2.0 access tokens and refresh tokens. These are encrypted at rest using AES-256 and never exposed to other users or organisations.
• Profile information: LinkedIn member ID (URN), full name, professional headline, profile picture URL, and follower count — retrieved via the LinkedIn API at connection time and periodically refreshed.
• Email address: If you grant the email scope, we store your LinkedIn-verified email address to link your LinkedIn identity to your Postria account.
• Company page information: Page name, organisation ID (URN), logo URL, and follower count — collected only for pages where you are an admin and have explicitly authorised access.
• Post analytics: Impressions, reactions, reposts, and comment counts for posts published through Postria, retrieved via the LinkedIn API after publishing.
• OAuth scopes granted: We record which LinkedIn API scopes you authorised so we can accurately represent the permissions we hold.

2.3 Knowledge Base Content

To generate content in your voice and business context, you may upload or connect:

• Documents (PDFs, text files, Word documents)
• Website URLs (crawled for publicly accessible content)
• Blog post or article URLs
• Manually entered text or voice samples

This content is processed and stored as text chunks and vector embeddings in your private workspace. It is used solely to generate personalised content for your organisation and is never shared with other users, organisations, or used to train AI models.

2.4 Usage and Technical Data

We automatically collect the following when you use Postria:

• Server log data: IP address, browser type, pages visited, and timestamps
• Device information: device type and operating system
• Feature usage events (e.g., "post approved," "account connected")
• Error logs used solely for debugging and service stability

2.5 Payment Information

All payment processing is handled by Stripe, Inc. We do not collect or store your credit card number, CVV, expiry date, or full banking details. Stripe processes these directly and provides us only with a customer ID, subscription status, plan tier, and billing email for our records.

2.6 Communications

If you contact us by email or through our support channels, we retain your messages and contact details to respond to your inquiry and, in aggregate, to improve our service. We do not share individual support communications with third parties.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: Authenticate your account, generate AI-powered content drafts in your voice, schedule and publish posts to connected LinkedIn accounts, surface the Intel feed, and display post analytics — all as directed by you.
• Personalisation: Build a voice profile specific to your organisation using your knowledge base content and writing style. The voice profile is used exclusively to make AI-generated content sound like you.
• Publishing on your behalf: Use your LinkedIn OAuth token to publish posts, post comments, and retrieve analytics — strictly for actions you explicitly approve within Postria. We never take actions on your LinkedIn account without your explicit per-action approval.
• Security and abuse prevention: Detect and prevent unauthorised access, fraud, and violations of our Terms of Service. We maintain an immutable audit log of all write operations for this purpose.
• Customer support: Respond to your questions, diagnose technical issues, and resolve problems with your account.
• Service improvement: Understand in aggregate how features are used to improve the product. Aggregate analysis is always anonymised — we never read individual drafts or posts to improve our models.
• Billing and subscriptions: Process payments, issue receipts, notify you of upcoming renewals, and handle plan changes.
• Legal compliance: Comply with applicable laws, regulations, court orders, and lawful requests from competent authorities.

4. LinkedIn API Data — Specific Disclosures

Because Postria is a LinkedIn API application, we are required — and committed — to provide full transparency about how we handle LinkedIn member data. Our use of LinkedIn API data complies with the LinkedIn API Terms of Use.

5. AI Processing

Postria uses large language models (LLMs) to generate content drafts, voice profiles, strategy suggestions, Intel comment drafts, and other AI-powered outputs. To do this, we send relevant context — such as excerpts from your knowledge base, your voice profile descriptor, and the text you are currently editing — to third-party AI providers via their APIs.

AI providers we currently use:

• OpenAI, Inc. (GPT series models)
• Anthropic, PBC (Claude series models)
• Google LLC (Gemini series models)
• Moonshot AI
• Perplexity AI (web-search-augmented generation for Intel)

All AI providers are engaged under data processing agreements that prohibit the use of your prompts or outputs to train their foundation models. Your content is never used to train any AI model — ours or any third party's.

Postria supports a Bring Your Own Key (BYOK) model where you may provide API keys for supported AI providers. Your keys are encrypted at rest and used only to make API requests on your behalf. They are never logged or shared.

The specific AI provider used for a given task depends on your plan and any per-use-case configuration you have set. You can view and change your AI provider settings in Settings → AI Providers.

6. Data Sharing and Subprocessors

We do not sell your personal data. We share data only in the following circumstances:

6.1 Infrastructure Subprocessors

We use the following third-party services to operate Postria. Each is bound by a data processing agreement (DPA) and may process personal data only to provide their contracted service:

Not all subprocessors process all categories of data. Processing depends on the features you use.

6.2 Legal Requirements

We may disclose your data if required by applicable law, a valid court order, or a lawful request from a competent public authority (e.g., law enforcement). We will notify you before disclosing unless we are legally prohibited from doing so or there is a credible, time-sensitive threat to safety.

6.3 Business Transfers

If Postria or Nacre Technology undergoes an acquisition, merger, asset sale, or corporate restructuring, your data may be transferred to the successor entity. We will provide at least 30 days' notice before any such transfer takes effect, and the successor will be required to honour this Privacy Policy.

6.4 Aggregate and Anonymised Statistics

We may publish or share aggregate, anonymised statistics (e.g., "users who post three times per week see X% higher engagement") that cannot reasonably be used to identify any individual.

7. Data Retention

We retain your data for as long as your account is active or as required by law. The table below describes specific retention periods by data type:

When you delete your account, we initiate permanent deletion of all personal data within 30 days, except for data we are legally required to retain (e.g., financial records). We will confirm deletion upon request.

8. Data Security

We implement industry-standard technical and organisational security measures to protect your data:

• All data in transit is encrypted via HTTPS/TLS
• LinkedIn OAuth tokens and user API keys are encrypted at rest using AES-256
• Row-level security (RLS) policies enforce strict multi-tenant data isolation — your organisation's data is inaccessible to any other user or organisation
• API keys are hashed before storage using a one-way hash — plaintext keys are never persisted after initial delivery to you
• All write operations are captured in an immutable audit log retained for 12 months
• Access to production systems and databases is restricted to authorised personnel via role-based access controls
• Subprocessors are contractually required to maintain equivalent security standards

Despite our best efforts, no internet service can guarantee absolute security. If you discover or suspect a security vulnerability, please report it responsibly to security@postria.app. We will acknowledge your report within 48 hours.

9. Your Rights

Depending on your location, you have the following rights over your personal data. We honour all of these rights regardless of where you are located:

To exercise any of these rights, email privacy@postria.app. We will respond within 30 days (or sooner as required by law). We may ask you to verify your identity before processing a request.

9.1 GDPR Rights (EU / EEA / UK Residents)

If you are located in the European Union, European Economic Area, or United Kingdom, the GDPR (or equivalent UK law) applies. The lawful basis for each category of processing is:

• Contract (Art. 6(1)(b)): Processing necessary to deliver the service you signed up for — authenticating your account, operating your LinkedIn integrations, generating drafts, and publishing posts you approve.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, audit logging, and anonymised product analytics.
• Legal obligation (Art. 6(1)(c)): Retaining financial records for the period required by applicable tax law.
• Consent (Art. 6(1)(a)): Marketing communications. You may withdraw consent at any time.

If you have a complaint about how we handle your personal data, you have the right to lodge a complaint with your local supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO).

9.2 CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:

• Right to Know: The specific categories and pieces of personal information we have collected about you, the purposes for which we use them, and the categories of third parties with whom we share them.
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions (e.g., legal obligations).
• Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out action is required.
• Right to Non-Discrimination: You will not receive degraded service or different pricing for exercising your CCPA rights.

To exercise CCPA rights, email privacy@postria.app with the subject line "CCPA Request."

10. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

We do not use advertising cookies, cross-site tracking pixels, third-party retargeting, or behavioural advertising of any kind.

You can control cookie behaviour through your browser settings. Disabling essential cookies will prevent you from logging in to Postria.

11. International Data Transfers

Postria is operated primarily from infrastructure hosted in the United States (Vercel and Supabase). If you are located outside the US, your data may be transferred to, stored, and processed in the US or other countries where our subprocessors operate (see Section 6).

For transfers of personal data from the EU/EEA to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with relevant subprocessors. We verify that all subprocessors receiving EU personal data have appropriate transfer safeguards in place (adequacy decisions, SCCs, or equivalent measures).

If you would like a copy of the SCCs governing any specific transfer, contact privacy@postria.app.

12. Children's Privacy

Postria is not directed at children under the age of 16. We do not knowingly collect, process, or store personal data from individuals under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@postria.app. We will promptly delete any such data.

13. Third-Party Links

Our service and website may contain links to third-party websites, including LinkedIn, Stripe, and others. This Privacy Policy applies only to Postria. We are not responsible for the privacy practices of third-party websites and encourage you to review their respective privacy policies. In particular, your use of LinkedIn is governed by the LinkedIn Privacy Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify you by email to the address associated with your account and by displaying a prominent notice within the Postria application, at least 30 days before the changes take effect. For non-material changes (e.g., clarifications, corrections), we will update the "Last updated" date at the top of this page.

Continued use of Postria after the effective date of an updated policy constitutes your acceptance of the revised terms.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy, your personal data, or how we handle LinkedIn data, please contact us: