Privacy Policy

DropPost ("DropPost", "we") is the data controller for personal information you provide. This policy explains what we collect, why, and what your rights are.

Privacy contact: privacy@droppost.com.au.

• Account data: name, email, password hash, timezone, account preferences.
• Brand data: the brand name, industry, tone notes and integration credentials you set up.
• Content: the captions, photos and videos you upload or generate, plus the platforms you post to.
• Billing data: processed by our payment processor — we only store the customer ID and subscription metadata, never your card number.
• Operational logs: IP address, user agent, API errors, request timestamps — for security and reliability.

• To run the service: store your brands, generate captions, post to the platforms you select.
• To bill you and prevent fraud.
• To send transactional email (password resets, post failures, scheduled-post confirmations, weekly digests if you opted in).
• To improve the product — aggregated, never tied back to an individual unless you ask us for help with your own account.

We don't sell your data. We don't use your captions or photos to train our own AI models.

We rely on these categories of subprocessors to operate DropPost:

• Cloud database provider — application database, file storage, authentication.
• Application hosting provider — application hosting and content delivery network.
• Payment processor — payments, invoicing and subscription management.
• AI processing provider — caption and blog generation. We send your brief + brand tone; the provider does not retain prompts for training under our commercial terms.
• Social media publishing service — the API that pushes posts to social platforms.
• AI video processing provider — long-video to short-clip generation, only if you use that feature.
• Email service provider — transactional email delivery.

A current list of named subprocessors is available on request to privacy@droppost.com.au.

Account data is stored in our secure cloud database with row-level security. Sensitive secrets like WordPress credentials and integration keys are encrypted at rest with AES-256-GCM before being written to the database. Connections to and from DropPost are TLS-encrypted.

We keep your account data while your account is active. When you delete your account we hard-delete profile, brand, post and schedule records immediately. Our payment processor retains invoice records for as long as applicable tax law requires.

You can access, correct or export your personal information at any time from your settings page, or by writing to privacy@droppost.com.au. You can delete your account from Settings → Danger zone. If you believe we've mishandled your data you can complain to the data protection authority in your jurisdiction.

We use a small number of first-party cookies needed for sign-in. We do not use ad-tech tracking pixels. We may add privacy-respecting product analytics (no third-party ad networks) in future — we'll update this policy and let signed-in users know before doing so.

Some of our processors operate globally and may process your data across multiple regions. We only use providers with reasonable data protection standards.

DropPost is not designed for use by children under 18 and we do not knowingly collect data from anyone under 18.

We'll update this policy when our practices change. Material changes will be notified by email or in-app at least 14 days before they take effect.

This policy is governed by the laws of the jurisdiction where DropPost is incorporated.