What we collect. What we don’t.

When you create a flypost.ai account we collect: your email (for sign-in), the website URL you provide, and any brand-kit data we extract from that URL (company name, colors, fonts, logo, descriptions, screenshots of your homepage).

When you use the product we collect: posts you generate, their captions and hashtags, your questionnaire answers (role, goal, voice preferences, attribution source), your scheduling decisions, and which posts you publish vs discard. We use this to improve future generations for you.

When you connect a social account, we receive the OAuth scope the platform grants, typically your profile metadata and permission to publish on your behalf. We don’t read your DMs, your followers, or any other accounts you have.

When you pay, our payment processor handles your card. We never see or store your card number, only an opaque customer identifier so we can match the payment to your subscription.

• To generate brand kits, posts, and images for you
• To gate features behind your subscription tier and grant the right credit balance
• To improve the model and the product (in aggregate)
• To email you about account activity, billing, and important changes
• To respond to support requests

We do not sell your data. We do not share it with third parties for advertising. We rely on a small set of service providers (hosting, database, payments, AI inference) to deliver the product, and we only share what each one needs to do its job. We maintain a current list of those providers and can share it on request, email hello@flypost.ai.

We use AI providers on API tiers that don’t train models on data sent through the API.

We use first-party cookies to keep you signed in and to remember your preferences. We use minimal analytics to understand aggregate product usage. No third-party ad networks, no Facebook pixel, no Google Ads tracking.

You can, at any time:

• Access:request a copy of your data. We’ll export it within 7 days.
• Correct:fix anything that’s wrong, either in the brand kit editor or by emailing us.
• Delete: remove your account and all associated data. We process deletion within 30 days.
• Port:move your data to another service. We’ll provide a JSON export.
• Object:object to specific processing. Email us and we’ll discuss.

If you’re in the EU/UK you have rights under GDPR; in California you have rights under CCPA. Both are covered by the above.

We retain your account data while your account is active and for 30 days after deletion (in case you change your mind), then we delete it from production systems. Encrypted backups roll off within 90 days.

Aggregate, anonymized analytics may be retained indefinitely, but these can’t be tied back to you.

Encryption everywhere. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). No exceptions.

Row-level isolation.Every database table is scoped per user. One user’s brand kit, posts, and connected-account tokens are physically unreadable from another user’s session.

Passwordless auth. We never store passwords. Sign-in runs through magic links and Google OAuth, both with rotating tokens.

Social token isolation.When you connect LinkedIn, Instagram, X, TikTok, or Reddit, OAuth tokens live encrypted in a dedicated table with strict access controls. We can publish on your behalf within the granted scope. We can’t read DMs or anything outside that scope.

Hardened infrastructure. Hosted on enterprise-grade providers that run SOC 2 Type II programs. We inherit their underlying controls.

Least-privilege access. Production database access goes through service-role keys, never bare connection strings. No employee has standing production access; mutations go through reviewed functions.

Reporting a vulnerability. Email security@flypost.ai with reproduction steps. We acknowledge reports within 24 hours and aim to patch critical issues within 72 hours.

flypost.ai is operated from the United States. Our sub-processors may store data in the US, EU, or other regions. We rely on standard contractual clauses for cross-border transfers.

flypost.aiis not intended for users under 16. We don’t knowingly collect data from children. If you believe a child has signed up, email us and we’ll delete the account.

We’ll update this page when we change anything material, and we’ll email you when the change affects you (e.g. a new sub-processor or a change to how we use your data).

Questions about your data? Email hello@flypost.ai. A real person reads it.

See also our Terms of Service.