سياسة الخصوصية

1. Information we collect

When you create an Airpost account we collect your name, email address, and a hashed password. When you use AI features we process the prompts you write plus the brand context (name, description, website) you provide. If you add your own third-party API keys (Google Gemini, OpenAI), those are stored in an encrypted column. Payment card details are never stored by Airpost — PayPal handles them entirely.

2. How we use your data

We use your data to run the Airpost service: generating AI copy and designs, scheduling posts, publishing through Publer, and sending transactional email (verification, password reset, billing receipts, low-balance warnings, publish-failure alerts). If you opt in to marketing email, we also send onboarding tips, weekly digest recaps, and occasional product announcements — these are opt-out at any time via a one-click unsubscribe. We never sell your data.

3. Third-party processors

• Google Gemini — text generation (your brand context and prompts are sent to Google).
• OpenAI — image and reel generation when the platform routes through gpt-image-2.
• Anthropic Claude — reel composition authoring (when using advanced video templates).
• Cloudinary — image/video asset hosting on a CDN.
• Publer — social posting to your connected Instagram, Facebook, LinkedIn, TikTok, and X accounts.
• Brevo — transactional and marketing email delivery.
• PayPal — payment processing for subscriptions and credit top-ups.
• Sentry — error monitoring (no personal content, just stack traces).
• Render.com — application hosting and database storage.

Each service has its own privacy policy. We share only the minimum data required for each to perform its function.

4. Data storage, security, and retention

Your workspace data lives on Render.com (US/EU regions) with HTTPS for all traffic and encrypted-at-rest storage for secrets. Sessions use HTTP-only, SameSite=Lax cookies with a 7-day lifetime. Every database query that touches tenant data is scoped by an owner ID — your posts, clients, and brand memory are never visible to another workspace. We keep backups for 30 days. Deleted-account data is purged within 30 days of deletion (with exceptions only for records we are legally required to retain, e.g. payment logs).

5. Your rights

You can export your full data as JSON from Settings → Data & Privacy (GDPR Article 20), update your profile in Settings, manage your email preferences at Settings → Notifications, and delete your entire account from Settings → Danger Zone. Account deletion is permanent and cascades through posts, clients, AI memory, and analytics. EU/UK residents also have the right to request correction, portability, or a GDPR-scoped report by emailing us.

6. Cookies and tracking

We set a session cookie for authentication and a CSRF token cookie for request integrity. We store UI preferences (theme, dismissed banners) in localStorage on your device. We do not use cross-site tracking cookies, advertising pixels, or third-party analytics SDKs.

7. Children

Airpost is not intended for users under 16. We do not knowingly collect data from minors.

8. Changes to this policy

We'll update this page when the practices above change materially and push a notification to the dashboard inbox when we do. The "Last updated" date at the top reflects the most recent change.

9. Contact

For privacy questions, data-deletion requests, or anything else covered here, email support@airpost.agency. Operator: Eclipse Agency, Riyadh, Saudi Arabia.