Privacy Policy

1. Introduction

This Privacy Policy describes how Vibe Labs Digital (doing business as Vibe Labs Marketing), operating as "PostMimic," collects, uses, and protects your information.

This policy applies to the PostMimic website at postmimic.app, the web portal at app.postmimic.app, the PostMimic desktop application for Windows and macOS, and the PostMimic API.

By using PostMimic, you consent to the data practices described in this policy.

2. Information We Collect

Information You Provide Directly

• Account information: Email address and password at registration
• Profile information: First and last name (optional, for display purposes)
• Payment information: Processed by Stripe — we do not store credit card numbers
• Social media posting history: Uploaded or imported from connected platforms for voice training
• AI provider API keys: If using BYOK mode, stored encrypted
• Business information: Business name, address, phone, and website (if entered for the business knowledge feature)
• Brand rules and content preferences: Identity statements, alliances, forbidden topics, and content guidelines
• Enterprise inquiries: Name, email, company, and message submitted via the enterprise inquiry form

Information Collected Automatically

• Usage data: Number of posts generated, platforms used, and features accessed
• Subscription and billing status: Synced from Stripe
• Device and browser information: Via standard web server logs
• IP address: Via standard web server logs

Information from Third-Party Platforms

• OAuth tokens: Access tokens and refresh tokens for X (Twitter), LinkedIn, Facebook, and Instagram
• Public posting history: From connected platforms, used for voice training
• Profile information: Name, username, and profile ID from connected platforms

3. How We Use Your Information

We use the information we collect to:

• Provide and maintain the PostMimic service
• Analyze your posting history and create a voice profile that captures your writing style
• Generate AI content matching your voice
• Publish content to your connected social media accounts on your behalf
• Process payments and manage subscriptions via Stripe
• Communicate with you about your account, service updates, and support requests
• Enforce our Terms of Service
• Improve the service and develop new features

4. AI Processing and Third-Party Providers

When using Cloud AI, your generation prompts — including voice analysis data and content instructions — are sent to a third-party AI provider for processing. The default provider is DeepSeek. Other available providers include OpenAI, Anthropic, and xAI.

• Each provider has its own privacy policy and data handling practices
• Prompts sent to AI providers may be subject to the provider's data retention policies
• When using BYOK, requests go directly to the provider using your own API keys
• When using Local AI (Ollama), all processing happens on your device — no data is sent to any external service
• We do not log or store the raw prompts sent to AI providers after generation is complete
• We store the generated output in your post history for analytics and review purposes

5. Data Storage and Security

• Account data is stored in Supabase PostgreSQL (hosted on AWS US East)
• OAuth tokens are encrypted using Fernet symmetric encryption before storage
• BYOK API keys are encrypted using Fernet symmetric encryption before storage
• Passwords are hashed using bcrypt and are never stored in plain text
• All data is transmitted over HTTPS/TLS
• The API server is hosted on Railway with automatic SSL
• The web portal and website are hosted on Vercel with automatic SSL
• Stripe handles all payment processing — we never see or store your credit card numbers

6. Data Sharing

We share your information only with the following third parties, solely to provide the service:

• Stripe — payment processing (email, subscription data)
• Supabase — database hosting (all account data)
• Railway — API server hosting (server logs)
• Vercel — web hosting (server logs)
• Cloudflare — DNS and CDN (request logs)
• AI Providers (DeepSeek, OpenAI, Anthropic, xAI) — generation prompts when using cloud AI
• Social Media Platforms (X, LinkedIn, Facebook, Instagram) — content publishing via OAuth

We do not sell, rent, or share your personal information with any other third parties for marketing or advertising purposes.

We may disclose information if required by law, court order, or government request.

7. Data Retention

• Account data: Retained while your account is active
• Post history and analytics: Retained while your account is active
• Voice analysis data: Retained while your account is active
• OAuth tokens: Retained until you disconnect the platform or delete your account
• Server logs: Retained for up to 90 days
• Billing records: Retained for up to 7 years for tax and legal compliance

Upon account deletion, all personal data, voice analysis, post history, OAuth tokens, and API keys are deleted within 30 days. Billing records may be retained as required by law.

8. Your Rights

All Users

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and associated data
• Portability: Request your data in a machine-readable format
• Revocation: Revoke OAuth access to connected platforms at any time
• Opt-out: Unsubscribe from marketing communications (transactional emails such as password resets and billing receipts cannot be opted out of)

California Residents (CCPA)

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

To exercise your CCPA rights, contact privacy@vibelabsmarketing.com.

EU/EEA Residents (GDPR)

In addition to the rights listed above, EU/EEA residents have the following rights:

• Right to restrict processing of your personal data
• Right to object to processing of your personal data
• Right to lodge a complaint with a supervisory authority in your country of residence

Our legal basis for processing your data includes: consent (account creation), contract performance (providing the service), and legitimate interest (service improvement, security).

To exercise your GDPR rights, contact privacy@vibelabsmarketing.com.

9. Cookies and Tracking

• We use essential cookies for authentication and session management on the web portal
• Cookie name: pm_token (HttpOnly, Secure, SameSite=Lax, 30-day expiry)
• We do not use third-party tracking cookies
• We do not use analytics tracking scripts (no Google Analytics, no Facebook Pixel)
• We do not serve advertisements or use advertising cookies

10. Children's Privacy

PostMimic is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18.

If we discover that we have collected information from a child under 18, we will delete it promptly.

If you believe a child under 18 has provided us with personal information, please contact privacy@vibelabsmarketing.com.

11. Data Deletion Requests

You may request complete account and data deletion at any time using any of the following methods:

• Email privacy@vibelabsmarketing.com with your account email address
• Use the account deletion feature in your account settings

Deletion is processed within 30 days. Upon deletion, we remove:

• Account information (email, name, password hash)
• Voice analysis data and training history
• Generated content history
• OAuth tokens and BYOK API keys
• Profile data, brand rules, business knowledge, schedules, and all associated records

Billing records are retained as required by law. If you connected PostMimic via Facebook Login, you may also request deletion through Facebook's app settings — see our Data Deletion page for details.

12. Third-Party Links

PostMimic may contain links to third-party websites and services. We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party services you interact with.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect.

The "Last Updated" date at the top of this policy reflects the most recent revision. Continued use of PostMimic after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, please contact us:

• Privacy: privacy@vibelabsmarketing.com
• Legal: legal@vibelabsmarketing.com
• Support: support@vibelabsmarketing.com
• Address: Vibe Labs Digital, San Antonio, Texas, United States