Privacy Policy

1. Data We Collect

Account data: email address, display name, plan type.

Content data: blog posts (Markdown source and rendered HTML), blog settings, tags, meta descriptions.

Usage data: page view counts (aggregated, not per-visitor), API request counts for rate limiting.

Payment data: handled entirely by Paddle (our Merchant of Record). We store only your Paddle customer ID. We never see or store credit card numbers.

2. How We Use Your Data

• To provide and maintain the Service
• To enforce plan limits and rate limits
• To display your content on your blog
• To generate SEO metadata, OG images, and sitemaps for your content
• To send service-related notifications (account, billing, security)

We do not use your data for advertising, profiling, or training AI models.

3. Third-Party Services

• Cloudflare — Hosting, CDN, DNS, Edge Workers. Privacy Policy
• Supabase — Database and authentication. Privacy Policy
• Paddle — Payment processing (Merchant of Record). Privacy Policy

We do not sell your personal data to any third party.

4. Cookies

We use only essential cookies:

• Session cookie — For dashboard authentication (Supabase Auth)
• Theme preference — localStorage only, not a cookie

We do not use analytics cookies, tracking pixels, or third-party marketing cookies. Traffic analytics are server-side (Cloudflare Analytics) and do not track individual visitors.

5. Data Retention

• Account and content data are retained as long as your account is active.
• View count data expires after 90 days automatically.
• Upon account deletion, all data is permanently removed (see Section 6).

6. Your Rights (GDPR & CCPA)

Right to Access: Export all your data via GET /api/v1/account/export or Dashboard → Account → Export.

Right to Deletion: Delete your account and all data via POST /api/v1/account/delete or Dashboard → Account → Delete. This removes: all blogs, posts, API keys, images, KV cache, and Paddle subscription.

Right to Portability: Download all posts as Markdown via the export API.

Do Not Sell (CCPA): We do not sell personal information.

7. Data Security

• All data in transit is encrypted (HTTPS/TLS)
• API keys are stored as SHA-256 hashes (never in plaintext)
• Database access requires service role authentication
• Cloudflare provides DDoS protection and WAF

8. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect data from children.

9. Changes

We may update this policy. Material changes will be communicated via email at least 30 days in advance.

10. Contact

Data protection inquiries: privacy@postlark.ai

MintC Inc., Republic of Korea