Privacy policy.

Postwyse is an AI-powered marketing platform operated at postwyse.com. This Privacy Policy explains what we collect when you use Postwyse, how we use it, and the choices you have. It applies to the public site, signed-in dashboard, marketing agents, and integrations.

For questions about this policy or your data, email hello@postwyse.com.

Account information: name, email, password (stored as a bcrypt hash, never in plaintext), organization name, role.

Brand context: your taste profile, brand guidelines, ideal-customer-profile fields, audience details, voice notes, competitors, qualification questions, and any documents you upload to the workspace.

Content: posts you draft, schedule, or publish; ideas; emails; campaigns; comments; tasks; events; documents.

Connected-account credentials: when you connect a third-party platform (LinkedIn, X, Meta, Bluesky, Medium, YouTube, TikTok, Gmail, GitHub, etc.) we receive an OAuth access token and, where applicable, a refresh token. For Bluesky we receive an app-password-derived JWT. We never receive your main account password for any platform.

Payment information: handled by our payment processor; we receive only the metadata we need to bill you (plan, status, last 4 digits of the card).

Usage data: pages visited, features used, agents enabled, API request counts, error reports. Used for product improvement and reliability.

Device data: browser, operating system, viewport size, IP address. Used for compatibility, security, and fraud prevention.

Cookies: we use a single HMAC-signed HttpOnly session cookie to keep you logged in. We do not use third-party advertising cookies. Our website analytics is first-party and privacy-friendly: no cross-site tracking, no fingerprinting.

To operate the service: render pages, run AI generations, dispatch agents, post on your behalf to platforms you connect, sync inbox messages and metrics.

To personalize: brand context flows into AI prompts so the marketing agents and Wyse Chat output matches your voice. The agent feedback loop reads your past accept/dismiss/publish signals to improve next-run quality.

To communicate: account email, billing notices, security alerts, and significant product updates. You can opt out of marketing emails any time.

To improve and secure: detect abuse, prevent fraud, and improve the platform. We may aggregate usage data into anonymized metrics that cannot identify any individual or organization.

To comply with law: respond to lawful requests when required.

When you generate or draft content, your prompts and the relevant brand context are sent to a third-party AI provider (currently Anthropic Claude or xAI Grok). The provider processes the request and returns a response. We do not train shared AI models on your data.

You can connect your own Anthropic and Grok API keys per organization. When you do, the corresponding requests go to those providers under your billing account; we still see the prompt and response in transit because they pass through our servers.

Each provider has its own data-handling terms. By default, both Anthropic and xAI commit to not training on customer API data. We recommend reviewing their privacy policies if this matters for your use case.

When you connect a platform (e.g. Facebook, LinkedIn, X), we use the OAuth access token only to perform the actions you initiate: post a draft, fetch a profile, sync mentions, read engagement metrics. We never read content outside the scopes you grant.

You can revoke any integration at any time from Settings -> Integrations. Revoking removes our token and stops all sync.

Each platform has its own privacy policy. Data we receive from those platforms (e.g. comments on your posts, channel statistics) is treated as part of your workspace data under this policy.

Subprocessors: hosting (Vercel/AWS), database (Supabase), AI providers (Anthropic, xAI), email delivery (SendGrid), payment processing. Each is contractually required to protect your data.

Within your organization: workspace members see workspace content according to their role.

With law enforcement: only when required by valid legal process.

Business transfers: if Postwyse is acquired or merges, your data may transfer to the new entity, who must continue to honor this policy or notify you of changes.

We do not sell or rent your personal data to advertisers or data brokers.

We use TLS in transit, encrypted storage at rest, bcrypt password hashing, HMAC-signed session cookies, role-based access controls, and least-privilege subprocessor access. We monitor for unauthorized access and run regular dependency audits.

No system is perfectly secure. If a security event affects your data we will notify you in line with applicable law.

We retain your account data for as long as your account is active. When you delete your account, we delete your workspace data within a reasonable period (typically 30 days for the primary record, with rolling backups expiring within an additional 60 days).

You can export your content from the dashboard before deleting. Some operational records (billing history, audit logs) may be retained longer where required by law.

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, restrict processing, object to processing, or withdraw consent. Email hello@postwyse.com to exercise any of these rights and we will respond within the legal window applicable to your region.

EU/UK residents: Postwyse processes personal data under contract necessity and legitimate interest as defined in the GDPR/UK GDPR. The Lead Supervisory Authority for complaints is your local DPA.

California residents: under the CCPA you have the right to know, the right to delete, and the right to opt out of any "sale" or "share" of personal data. Postwyse does not sell or share your data.

Postwyse operates in the United States. If you access the service from outside the US, your data is transferred to and processed in the US. We use Standard Contractual Clauses or other appropriate mechanisms for transfers from the EU/UK.

Postwyse is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.

We may update this policy as the product evolves or as regulations change. Material changes will be communicated via email or in-product notice. The "Last updated" date at the top of this page reflects the most recent revision.

Privacy questions, data requests, or concerns: hello@postwyse.com.