The short version: PostCraft collects only what it needs to work. We don't sell your data. We don't share it with advertisers. We store it securely in Australia. You can delete your account and all your data at any time.
1. Who we are
PostCraft is operated by Vikas (ABN: [YOUR ABN]) trading as PostCraft, based in Australia. References to "PostCraft", "we", "us", or "our" in this policy refer to this entity.
For privacy questions or requests, contact us at: privacy@postcraft.com.au
2. What information we collect
Information you provide directly
- Account information: Your name, email address, and password (stored as a bcrypt hash — we cannot see your password).
- Post content: The text, images, and videos you create and schedule through PostCraft.
- Social account connections: OAuth tokens from platforms you connect (Facebook, Instagram, LinkedIn, X/Twitter, TikTok). We store these tokens to publish on your behalf.
- Payment information: If you subscribe to a paid plan, payment is processed by Stripe. We store only a reference to your Stripe customer ID — we never see or store your card details.
- Support communications: Any emails or messages you send to our support address.
Information collected automatically
- Usage data: Pages viewed, features used, actions taken within the app (stored in our audit log for security and debugging purposes).
- Technical data: IP address, browser type, operating system, and session tokens (used for authentication and rate limiting).
- Error logs: When errors occur, we log technical details to diagnose and fix problems. These logs are retained for 30 days.
Information we do NOT collect
- We do not collect biometric data, government identifiers, or sensitive personal information as defined under the Privacy Act 1988.
- We do not track your activity outside of PostCraft.
- We do not build advertising profiles or sell data to third parties.
3. How we use your information
| Purpose | Data used | Legal basis |
| --- | --- | --- |
| Providing the PostCraft service | Account info, post content, social tokens | Contract performance |
| Publishing posts to social platforms | OAuth tokens, post content | Contract performance |
| Sending transactional emails (verification, password reset) | Email address | Contract performance |
| Sending service notifications (post failures, token expiry) | Email address, notification preferences | Legitimate interest |
| Sending marketing emails (product updates, tips) | Email address | Consent (opt-in only) |
| Preventing abuse and rate limiting | IP address, usage data | Legitimate interest |
| Improving the product | Aggregated, anonymised usage data | Legitimate interest |
| Processing payments | Stripe customer reference | Contract performance |
| Complying with legal obligations | Any required data | Legal obligation |
4. Artificial intelligence and your content
PostCraft uses the Anthropic Claude API to generate post suggestions. When you request AI-generated content:
- Your topic, tone preferences, and platform selection are sent to Anthropic's API to generate a response.
- We do not send your personal information, client data, or account credentials to Anthropic.
- Anthropic's use of this data is governed by Anthropic's Privacy Policy. Anthropic's API does not train on customer data by default.
- Generated content is stored in your PostCraft account until you delete it.
5. Sharing your information
We share your data only in these circumstances:
- Social media platforms: When you schedule or publish a post, we send your post content and the relevant OAuth token to the chosen platform (Facebook, Instagram, LinkedIn, X/Twitter, TikTok). Their privacy policies govern how they handle this data.
- Service providers: We use a small number of trusted providers who process data on our behalf under strict data processing agreements: Anthropic (AI generation), Stripe (payments), our hosting provider (Limitless Hosting / cPanel, Australia).
- Legal requirements: We may disclose information if required by law, court order, or to protect the rights, property, or safety of PostCraft, our users, or others.
- Business transfer: If PostCraft is acquired or merged with another entity, your data may be transferred as part of that transaction. We will notify you beforehand.
We do not sell, rent, or share your personal information with advertisers, data brokers, or unrelated third parties.
6. Data storage and security
PostCraft stores all data on servers located in Australia (provided by Limitless Hosting). We do not transfer personal data outside Australia except to the extent necessary for the services described above (Anthropic API, Stripe).
Security measures include:
- Passwords stored using bcrypt hashing (minimum cost factor 12) — we cannot retrieve or view your password
- All web traffic encrypted via HTTPS/TLS
- Session tokens are cryptographically random and expire automatically
- OAuth tokens encrypted at rest
- Rate limiting on all authentication endpoints to prevent brute-force attacks
- Audit logging of all significant account actions
- Regular database backups retained for 7 days
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@postcraft.com.au.
7. Data retention
- Account data: Retained while your account is active and for 30 days after deletion (to allow recovery if deletion was accidental).
- Scheduled posts: Retained until you delete them or delete your account.
- Published post history: Retained indefinitely unless you delete it, so you have a record of your social media activity.
- Audit logs: Retained for 12 months for security purposes.
- Error logs: Retained for 30 days.
- Rate limit records: Automatically purged after 2 hours.
- Waitlist/marketing emails: Retained until you unsubscribe or request deletion.
8. Your rights
Under the Australian Privacy Act 1988 and its Australian Privacy Principles, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Ask us to correct inaccurate or incomplete information.
- Deletion: Request deletion of your account and personal data.
- Portability: Request your data in a machine-readable format.
- Opt out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link in any email or by emailing privacy@postcraft.com.au.
- Complaints: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your information.
To exercise any of these rights, email privacy@postcraft.com.au. We will respond within 30 days.
9. Cookies and tracking
PostCraft uses one first-party cookie: pc_session — a secure, HTTP-only session token used to keep you logged in. It expires after 30 days or when you log out.
We do not use third-party tracking cookies, advertising pixels, or analytics cookies that track you across other websites. If we add analytics in the future, we will update this policy and notify users.
10. Children's privacy
PostCraft is a professional business tool intended for adults. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has created an account, contact us and we will delete it promptly.
11. Third-party links and platforms
PostCraft connects to social media platforms (Facebook, Instagram, LinkedIn, X/Twitter, TikTok). Once data is published to these platforms, it is subject to their privacy policies. We are not responsible for how these platforms handle your data after publication.
12. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email (at the address associated with your account) and update the "Last updated" date at the top of this document. Your continued use of PostCraft after the effective date constitutes acceptance of the revised policy.
13. Contact us
For any privacy-related questions, requests, or concerns:
- Email: privacy@postcraft.com.au
- Business name: PostCraft (operated by Vikas Ruhela)
- ABN: [YOUR ABN]
- Address: [YOUR BUSINESS ADDRESS OR PO BOX]