GDPR Compliance
Last updated: November 2, 2025
1. Introduction
PostFaster is committed to protecting the privacy and data rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. This page explains how we comply with the General Data Protection Regulation (GDPR), and with the equivalent UK GDPR and Swiss Federal Act on Data Protection where those apply instead, and describes your rights under these laws.
This GDPR Compliance page supplements our Privacy Policy and provides additional information specific to GDPR requirements.
2. Data Controller Information
PostFaster acts as the data controller for personal data processed through our Service.
Data Controller: PostFaster
Contact Email: [email protected]
Data Protection Officer: [email protected]
3. Legal Basis for Processing
Under GDPR, we must have a legal basis to process your personal data. We process your data based on the following legal grounds:
Contract Performance (Article 6(1)(b))
Processing necessary to provide the Service and fulfill our contract with you:
- Creating and managing your account
- Generating AI-powered content
- Publishing content to social media platforms
- Processing subscription payments
- Providing customer support
Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate business interests:
- Improving and optimizing the Service
- Analyzing usage patterns and trends
- Detecting and preventing fraud and security threats
- Training and improving AI models
- Marketing to existing customers (with opt-out option)
Consent (Article 6(1)(a))
Processing based on your explicit consent:
- Marketing communications to prospects
- Optional analytics and tracking cookies
- Sharing testimonials or case studies
- Processing special categories of data (if applicable)
Legal Obligation (Article 6(1)(c))
Processing required to comply with legal obligations:
- Tax and accounting requirements
- Responding to law enforcement requests
- Maintaining records as required by law
4. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to access that data. You can request a copy of your personal data in a structured, commonly used format.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data in certain circumstances. You can delete your account at any time through your account settings, or contact us at [email protected].
Right to Restriction of Processing (Article 18)
You can request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability (Article 20)
You can request to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop that processing. For other processing based on legitimate interests, we will cease unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with GDPR.
5. How to Exercise Your Rights
To exercise any of your GDPR rights:
- Send an email to [email protected] with your request
- Include your name, email address, and the specific right you wish to exercise
- Provide any additional information needed to verify your identity
- We will respond to your request within one month. Where a request is complex or we receive a large number of requests, we may extend this by up to two further months, and we will tell you within the first month that we are doing so and why.
Requests are free of charge. Where a request is manifestly unfounded or excessive, in particular because it is repetitive, we may charge a reasonable fee or decline to act on it.
6. Data Transfers
PostFaster may transfer your personal data outside the EEA to countries that may not provide the same level of data protection. When we do so, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with third-party service providers
- Adequacy Decisions: We transfer data to countries deemed adequate by the European Commission
- EU-U.S. Data Privacy Framework (where applicable): For US-based processors certified under the Data Privacy Framework, including its UK Extension and the Swiss-U.S. counterpart. The earlier Privacy Shield framework was invalidated by the Court of Justice of the EU in 2020 and is no longer relied on as a transfer mechanism.
Key data transfers include:
- AI service providers (OpenAI, Anthropic) in the United States
- Cloud infrastructure providers (Vercel, AWS, MongoDB Atlas)
- Authentication services (Firebase/Google) in the United States
- Payment processors (Stripe) in the United States
- Social media platforms (LinkedIn, Twitter/X, Instagram, Facebook, TikTok) for content publishing
7. Data Retention
We retain personal data only for as long as necessary for the purposes outlined in our Privacy Policy:
- Account Data: Retained while your account is active and for up to 90 days after deletion to allow for account recovery
- Content and Usage Data: Deleted within 30 days of account deletion, except where needed for legal compliance
- Payment Records: Retained for 7 years to comply with tax and accounting regulations
- Marketing Data: Deleted immediately upon opt-out or within 2 years of last engagement
- Logs and Analytics: Anonymized after 90 days, retained in aggregate form for service improvement
8. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption of data in transit (TLS) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Employee training on data protection and security
- Incident response and breach notification procedures
- Regular backups with secure storage
- Monitoring and logging of system access
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- We will notify affected individuals without undue delay if the breach is likely to result in a high risk
- Notifications will include the nature of the breach, the likely consequences, the measures taken or proposed to address it, and the contact details of our Data Protection Officer
10. Automated Decision-Making and Profiling
PostFaster uses AI to generate content based on your inputs. However:
- We do not use automated decision-making that produces legal or similarly significant effects
- AI-generated content is provided as suggestions that you review and approve before publishing
- You maintain full control over what content is published to your social media accounts
- We may use profiling for service personalization, which you can opt out of
11. Children's Data
Our Service is not directed to children under 16 years of age. We do not knowingly collect or process personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information.
12. Supervisory Authority
If you have concerns about how we handle your personal data, you have the right to lodge a complaint with your local data protection authority, in particular the supervisory authority in the EEA country where you live or work or where the alleged infringement occurred, or the equivalent authority in the United Kingdom or Switzerland.
However, we encourage you to contact us first at [email protected] so we can address your concerns.
13. Updates to GDPR Compliance
We may update this GDPR Compliance page to reflect changes in our practices or legal requirements. Material changes will be communicated via email to affected users. The "Last updated" date at the top of this page indicates when the most recent changes were made.
14. Contact Information
For questions about GDPR compliance or to exercise your data protection rights:
Data Protection Officer: [email protected]
Privacy Inquiries: [email protected]
General Support: [email protected]