GDPR Compliance
Last updated: February 9, 2026
Introduction
Postprism is committed to protecting the privacy and personal data of individuals in the European Union (EU) and European Economic Area (EEA) in compliance with the General Data Protection Regulation (GDPR). This GDPR Compliance page explains how we meet our obligations under GDPR and outlines your rights as a data subject.
This policy supplements our Privacy Policy and provides specific information relevant to individuals protected by GDPR. If you are located in the EU/EEA, both documents apply to you.
Postprism, Inc. acts as a "data controller" for the personal data we collect and process through our services. We determine the purposes and means of processing your personal data and are responsible for ensuring GDPR compliance.
Legal Basis for Processing
Under GDPR, we must have a lawful basis to process your personal data. We rely on the following legal bases:
1. Contractual Necessity
Processing is necessary to perform our contract with you (our Terms of Service) or to take steps at your request before entering into a contract.
Examples:
Creating and managing your account
Providing our social media management services
Publishing content to connected platforms
Processing payments for subscriptions
Providing customer support
2. Legitimate Interests
Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your rights and freedoms.
Examples:
Improving and optimizing our services
Detecting and preventing fraud and security threats
Analyzing usage patterns and user behavior
Marketing our services to existing customers
Managing business operations and internal administration
3. Consent
You have given clear, affirmative consent for us to process your personal data for specific purposes.
Examples:
Sending marketing emails to prospects (not existing customers)
Using non-essential cookies and tracking technologies
Processing special category data (if applicable)
You have the right to withdraw consent at any time, which will not affect the lawfulness of processing based on consent before withdrawal.
4. Legal Obligations
Processing is necessary to comply with our legal obligations under EU or Member State law.
Examples:
Retaining financial records for tax purposes
Responding to lawful requests from authorities
Complying with data protection laws
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
1. Right of Access (Article 15)
You have the right to obtain confirmation that we are processing your personal data and to receive a copy of your data. We will provide:
Categories of personal data we process
Purposes of processing
Recipients of your data
Retention periods
Information about your rights
2. Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data. We will update your information promptly upon request.
3. Right to Erasure / "Right to Be Forgotten" (Article 17)
You have the right to request deletion of your personal data in certain circumstances:
Data is no longer necessary for the purposes collected
You withdraw consent and there is no other legal basis
You object to processing and there are no overriding legitimate grounds
Data has been unlawfully processed
Erasure is required to comply with a legal obligation
This right does not apply when we need to retain data for legal obligations, to establish or defend legal claims, or for other specified reasons under Article 17(3).
4. Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain situations:
You contest the accuracy of the data (restriction during verification)
Processing is unlawful but you prefer restriction to erasure
We no longer need the data but you need it for legal claims
You have objected to processing (restriction pending verification)
5. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit that data to another controller. This right applies when:
Processing is based on consent or contract
Processing is carried out by automated means
6. Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
You can object to direct marketing at any time by clicking "unsubscribe" in marketing emails or by contacting us.
7. Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. Currently, we do not make such automated decisions.
We use AI to generate content suggestions, but you always have full control and must explicitly approve content before publication.
8. Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Data Protection Principles
We process personal data in accordance with the GDPR principles outlined in Article 5:
1. Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. We clearly communicate how and why we process your data through this policy and our Privacy Policy.
2. Purpose Limitation
We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
3. Data Minimization
We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
4. Accuracy
We take reasonable steps to ensure personal data is accurate and up to date. We provide ways for you to update your information and promptly correct inaccuracies when notified.
5. Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected or to comply with legal obligations. See our data retention policies below.
6. Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure data security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
7. Accountability
We are responsible for demonstrating compliance with GDPR principles. We maintain records of processing activities, conduct data protection impact assessments when required, and implement privacy by design and by default.
How We Process Your Data
We process personal data for the following purposes, with corresponding legal bases:
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and management | Name, email, password, company | Contract |
| Service delivery | Content, scheduling data, platform credentials | Contract |
| Payment processing | Billing information, transaction data | Contract |
| Customer support | Contact details, support messages | Contract, Legitimate Interest |
| Service improvement | Usage data, analytics | Legitimate Interest |
| Security and fraud prevention | IP address, device data, usage patterns | Legitimate Interest |
| Marketing (existing customers) | Email, usage behavior | Legitimate Interest |
| Marketing (prospects) | Email, name | Consent |
| Legal compliance | All relevant data | Legal Obligation |
International Data Transfers
Postprism is headquartered in the United States, and your personal data may be transferred to, stored, and processed in countries outside the EU/EEA. We ensure appropriate safeguards are in place for international transfers:
Standard Contractual Clauses (SCCs)
We use Standard Contractual Clauses approved by the European Commission (Decision 2021/914) when transferring data to third countries without an adequacy decision. These clauses provide enforceable rights and effective legal remedies for data subjects.
Adequacy Decisions
Where possible, we transfer data to countries that have received an adequacy decision from the European Commission, meaning they provide an adequate level of data protection.
Supplementary Measures
In addition to SCCs, we implement supplementary technical and organizational measures to ensure data protection:
End-to-end encryption for data in transit
Encryption at rest using AES-256
Access controls and authentication mechanisms
Regular security audits and assessments
Data minimization and pseudonymization where appropriate
Third-Party Processors
We work with third-party service providers that may be located outside the EU/EEA. We ensure all processors comply with GDPR requirements and have appropriate data transfer mechanisms in place:
Vercel (US) - Hosting and infrastructure
Supabase (US) - Database and authentication
Upstash (US/EU) - Redis and queue management
Stripe (US) - Payment processing
Anthropic (US), OpenAI (US), Google (US) - AI services
Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures
Encryption in transit (TLS 1.3) and at rest (AES-256)
Secure password hashing using bcrypt
Two-factor authentication (2FA) support
Regular security patches and updates
Intrusion detection and prevention systems
Automated security monitoring and alerting
Secure backup and disaster recovery procedures
Organizational Measures
Data protection policies and procedures
Staff training on data protection and security
Role-based access controls with principle of least privilege
Confidentiality agreements with employees and contractors
Regular security audits and penetration testing
Incident response and data breach procedures
Vendor security assessments
Data Retention Policies
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Account lifetime + 30 days | Service provision, account recovery |
| Content data | User-controlled + 30 days after deletion | Service provision, backup retention |
| Payment records | 7 years | Legal obligation (tax, accounting) |
| Usage logs | 90 days | Security, operations, analytics |
| Marketing data | Until consent withdrawn + 30 days | Marketing purposes |
| Support communications | 3 years | Customer service, quality improvement |
| Backup data | 90 days | Disaster recovery |
Data Breach Procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
Breach Detection and Assessment
Detect breaches through monitoring systems and incident reports
Assess the nature, scope, and potential impact of the breach
Determine affected data subjects and data categories
Evaluate risk level and potential consequences
Notification to Supervisory Authority
We will notify the relevant supervisory authority (the Irish Data Protection Commission, as our lead supervisory authority) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to your rights and freedoms.
Notification to Data Subjects
If a breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay. Our notification will include:
Description of the nature of the breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information
Remediation and Prevention
We will take immediate steps to contain the breach, mitigate harm, and prevent future occurrences. We maintain records of all breaches, including facts, effects, and remedial actions taken.
Children's Data
Our services are not directed to children under 16 years of age (or the applicable age of consent in your country). We do not knowingly collect or process personal data from children without parental consent as required by GDPR Article 8.
If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such information promptly. If you believe we have inadvertently collected data from a child, please contact our Data Protection Officer immediately at dpo@postprism.com.
Exercising Your Rights
To exercise any of your GDPR rights, you can:
1. Use Account Settings
Many rights can be exercised directly through your account settings:
Update or correct your personal information
Export your data (data portability)
Delete your account (right to erasure)
Manage cookie preferences
Opt out of marketing communications
2. Contact Us
For rights that cannot be exercised through account settings, contact us at:
Email: privacy@postprism.com
Data Protection Officer: dpo@postprism.com
Subject Line: "GDPR Rights Request"
3. Verification Process
To protect your privacy, we will verify your identity before responding to rights requests. We may request additional information to confirm your identity, such as:
Email address associated with your account
Account details only you would know
Government-issued ID (in exceptional cases)
4. Response Timeline
We will respond to your request within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by two additional months. We will inform you of any extension and the reasons for the delay.
5. No Fee (Usually)
We do not charge a fee for exercising your rights, except in cases where requests are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee or refuse to act on the request.
Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Our lead supervisory authority is:
Irish Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800
Email: info@dataprotection.ie
Website: www.dataprotection.ie
However, we encourage you to contact us first at dpo@postprism.com so we can address your concerns directly.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and data protection practices. You can contact our DPO for any questions, concerns, or requests related to data protection:
Data Protection Officer
Postprism, Inc.
123 Social Media Lane
San Francisco, CA 94102, USA
Email: dpo@postprism.com
Updates to This Policy
We may update this GDPR Compliance page from time to time to reflect changes in our practices, legal requirements, or GDPR guidance. We will notify you of material changes by:
Updating the "Last Updated" date at the top of this page
Posting a notice on our website
Sending an email notification for significant changes
We encourage you to review this policy periodically to stay informed about how we protect your personal data and ensure GDPR compliance.
For general privacy information, please also review our Privacy Policy.