Privacy Policy
Privacy Policy
Last updated: April 27, 2026 · Prototype release
1. Who we are
Shadow Post is operated as an early prototype by an independent operator (“we”, “us”). Contact for privacy matters: [email protected].
2. What we collect
When you sign up and use Shadow Post we collect: account data (email address, first/last name, tenant name); brand content you submit (brand profiles, tone, audience, guardrails, uploaded source material); generated content (draft posts, images you generate from drafts); and operational logs (timestamps, request metadata, error traces) used to keep the service running.
3. How we use it
We use your data only to provide the service: authenticate you, generate drafts on your behalf, store your brand profile and posts, and prevent abuse. We do not sell personal data. We do not use your content to train third-party AI models.
4. Sub-processors
Shadow Post relies on the following processors: Supabase (database, authentication, storage — EU region), OpenAI and other AI providers (text and image generation), Mailgun (transactional email), Cloudflare (CDN, DDoS protection), and Fly.io (application hosting). Each processor handles data only as needed to operate its service.
5. Your GDPR rights
If you are in the EU/EEA you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. To exercise any of these rights, email [email protected]. You can also lodge a complaint with your local supervisory authority.
6. Retention
Account and content data is retained for as long as your account exists. On deletion request, data is removed within 30 days, except where law requires longer retention. During the prototype phase, we may purge data when migrating to general availability — we will notify active users before doing so.
7. Cookies
We use a small number of strictly necessary cookies for authentication and language preference (e.g. bs_locale). We do not use third-party advertising or tracking cookies during the prototype phase.
8. Security
Data is encrypted in transit (TLS) and at rest (managed by Supabase). Access is gated by row-level security and bearer tokens. See our security overview for more.
9. Changes
We may update this policy as the product evolves. Material changes will be reflected by a new “Last updated” date above.