Privacy Policy

Last updated: May 28, 2026
Effective date: May 24, 2026

This Privacy Policy describes how Omniposter (“Omniposter,” “we,” “us,” or “our”) collects, uses, stores, and discloses information when you use our website at https://omniposter.ai (the “Site”) and the related software services (collectively, the “Service”). By creating an account or otherwise using the Service, you agree to the practices described here.

If you do not agree with this Privacy Policy, do not use the Service.


1. Who we are

Omniposter is an AI-powered content engine for digital publishers. The Service helps publishers commission AI-generated editorial stories and marketing posts, schedule and publish them to third-party platforms (such as WordPress, X/Twitter, LinkedIn, Facebook, and Instagram), and analyze the resulting performance.

For privacy questions, contact us at dev@omniposter.ai.


2. Information we collect

2.1 Information you provide directly

  • Account information. When you register, we collect your email address and a password (stored only as a salted hash; we never see your password in plaintext).
  • Profile and project information. Project name, website URL, brand voice, hashtags, editorial preferences, reporter personas, publishing destinations, and other configuration you supply.
  • Third-party credentials and tokens. API keys for the AI providers you choose to use (Anthropic / Claude, OpenAI, and/or Google Gemini), WordPress Application Passwords, social-platform access tokens or app credentials, GA4 and Google Search Console authorization data, custom webhook URLs and secrets. All of these are encrypted at rest using authenticated encryption (Fernet / AES-128-CBC + HMAC-SHA256) before being written to our database.
  • Payment information. We do not store full credit-card numbers, bank account numbers, or other primary payment instruments. Payments are processed by Stripe, Inc., our payment processor. We store the Stripe customer ID, subscription ID, plan, status, billing period dates, and the last four digits / card brand that Stripe returns to us for receipts and account-management purposes. See Section 4.1.
  • Content you upload or generate. Stories, marketing posts, content seeds (e.g. ingested RSS items), reporter portraits, hero images, editorial briefs, revision notes, schedules, and any other content you create within the Service.
  • Support communications. If you email us, we keep a record of the correspondence.

2.2 Information collected automatically

  • Usage data. Server logs of API requests (timestamps, endpoints, response codes, IP addresses, user-agent strings) used to operate, secure, and debug the Service.
  • Authentication cookies. A single JWT-bearing HTTP-only cookie is set on login so we can identify your session. We do not use third-party advertising or cross-site tracking cookies.
  • Operational diagnostics. Anonymous error traces, performance metrics, and audit logs of actions taken on your account (e.g. “story #123 commissioned at 14:02 UTC”).

2.3 Information collected from third parties

  • Analytics integrations. If you connect Google Analytics 4 (GA4) and/or Google Search Console (GSC), we receive the metrics, dimensions, queries, page paths, and other report data that those services return for the properties you have authorized.
  • Social platform integrations. If you connect an X (Twitter), LinkedIn, Facebook, or Instagram account to publish on your behalf, we receive the access tokens, account identifiers (e.g. X user ID, Page ID, IG Business account ID), display name, profile image URL, and any post-level analytics returned by the platform (impressions, likes, replies, clicks, etc.).
  • Stripe. Payment status updates and webhook events delivered by Stripe for the purpose of provisioning and revoking access to paid features.
  • AI provider responses. When the Service calls the AI provider you chose (Anthropic, OpenAI, or Google), the response text and a record of which model was used are stored in association with the story or post that was generated.
  • Stock-photo provider (Pexels). Photographer attribution and image URLs returned by the Pexels API are stored on the stories that use those images.

2.4 Information from your audience or end users

Omniposter is a business-to-business Service. Other than the email addresses of the WordPress users we create on your blog when you sync reporters (which become users of your WordPress installation, not ours), we do not collect personal data of your audience. Any audience data that flows through GA4, GSC, or the social platforms is governed by the privacy policies of those services, and your relationship with your audience is your responsibility.


3. How we use information

We use the information described above to:

  • Provide and operate the Service (create your account, generate content, schedule and deliver posts, run analytics);
  • Authenticate users and authorize access to projects;
  • Process payments and manage subscriptions;
  • Send transactional emails (account verification, password reset, billing notices, critical service alerts);
  • Diagnose, debug, and improve the Service;
  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service;
  • Comply with legal obligations and enforce our agreements.

We do not:

  • Sell or rent your personal information to third parties;
  • Use your generated content or project configuration to train our own machine-learning models;
  • Disclose your AI API keys, social tokens, or other credentials to anyone other than the third-party service they authenticate to.

4. Sub-processors and disclosures to third parties

To operate the Service we share limited information with the following sub-processors. Each is bound by contractual privacy and security obligations. We may add or change sub-processors over time; material changes will be reflected here.

4.1 Payment processing

  • Stripe, Inc. (https://stripe.com/privacy). Receives your name, email, billing address (collected during checkout by Stripe directly), and payment instrument details. Stripe is a PCI-DSS Level 1 service provider.

4.2 Hosting and infrastructure

  • Fly.io, Inc. (https://fly.io/legal/privacy-policy/). Hosts the Service’s application and database in a US region.

4.3 AI generation

When you supply an API key for an AI provider, your prompts and the content the Service generates on your behalf are sent directly to that provider using your key. We do not proxy through our own account or insert ourselves in the data flow. Your relationship with the AI provider is governed by their terms and privacy policy.

  • Anthropic, PBC. Claude models. https://www.anthropic.com/legal/privacy
  • OpenAI, L.L.C. GPT models. https://openai.com/policies/privacy-policy
  • Google LLC (Generative AI / Gemini). https://policies.google.com/privacy

In limited cases (specifically: onboarding-time site-detection, weekly trendline briefing analysis), the Service calls Anthropic using our own platform key. These calls do not include your editorial content; they include only the site URL or the analytics summary needed for that specific feature. We disclose this so you understand exactly when our key, versus your key, is in use.

4.4 Image generation and stock photography

  • fal.ai, Inc. Provides the Flux image generation model used by the Service. Your image prompts are transmitted to fal.ai when you request AI-generated imagery. https://fal.ai/privacy
  • Pexels. Provides stock photography metadata when the editorial pipeline searches for hero images. Search queries (typically 2–4 keywords from your story) are transmitted to Pexels. https://www.pexels.com/privacy-policy/

4.5 Transactional email

  • SendGrid (Twilio Inc.). Sends transactional email (verification, password reset, billing). Recipient address and the email body are processed by SendGrid for delivery. https://www.twilio.com/en-us/legal/privacy

4.6 Google user data (Google Analytics 4 and Search Console)

If you choose to connect your Google account, Omniposter requests read-only access to your own Google Analytics 4 and Google Search Console data through the following OAuth scopes:

  • openid and .../auth/userinfo.email — to identify the Google account you connected (your email address), so you can see which account is linked.
  • .../auth/analytics.readonly — to read the GA4 reporting data (sessions, users, top pages, traffic sources, conversions, and similar metrics and dimensions) for the GA4 properties you authorize.
  • .../auth/webmasters.readonly — to read Google Search Console reporting data (search queries, clicks, impressions, click-through rate, average position, and top pages) for the verified sites you authorize.

How we use it. This access is read-only. We retrieve the data on your behalf, cache the resulting report snapshots in our database to power your in-product analytics dashboards, and summarize it into your weekly content briefing that recommends what to write next. We never create, modify, or delete any data in your Google Analytics or Search Console accounts.

How we store, share, and protect it. The OAuth refresh token used to access your Google data is encrypted at rest (Fernet / AES-128-CBC + HMAC-SHA256). Your Google user data is shown only to you and the members of your own Omniposter project. We do not sell it, use it for advertising, or use it to train generalized AI/ML models. To generate your weekly content briefing, a summary derived from your Analytics data may be sent to the AI provider that powers that feature (see Section 4.3) — solely to produce that user-facing feature at your direction, and for no other purpose. Our personnel do not read your Google user data except where necessary for security, to comply with applicable law, or with your explicit consent (for example, to resolve a support request). When you disconnect the integration or delete your account, the token is deleted and the cached report snapshots are removed (subject to the backup window in Section 5).

Limited Use. Omniposter’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Google’s own handling of your data is governed by the Google Privacy Policy.

4.7 Publishing destinations (only if you connect them)

  • WordPress sites you own. When you connect a WordPress site, the Service authenticates to its REST API using the Application Password you supply and publishes posts, manages users, and uploads media to that site. The Service does not read your WordPress site content beyond what is necessary to publish and manage authors.
  • X (Twitter, Inc.), LinkedIn (Microsoft / LinkedIn Corp.), Meta (Facebook, Inc.) — Pages and Instagram Business accounts. When you authorize a connection (either by supplying API credentials or by completing an OAuth flow), we transmit the post content, images, and any metadata to that platform on your behalf and read back post-level metrics the platform returns. The data you transmit and any data returned are also governed by that platform’s privacy policy and developer terms.

4.8 Other disclosures

We may also disclose your information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, legal process, or a binding governmental request;
  • Enforce our Terms of Service or other agreements;
  • Protect the rights, property, or safety of Omniposter, our users, or the public;
  • Investigate or prevent fraud, abuse, security incidents, or violations of our policies;
  • Effect a business transfer (merger, acquisition, financing, reorganization, bankruptcy, sale of assets), in which case we will require the successor to honor this Privacy Policy with respect to your information.

5. Data retention

  • Account data is retained while your account is active and for up to 90 days after termination or cancellation, after which it is deleted or anonymized except as required for tax, accounting, fraud prevention, or other legal-compliance purposes (typically up to 7 years for financial records).
  • Generated content (stories, posts, reporters) is retained while your account is active. You may delete individual items at any time. On account termination, content not already exported by you is deleted within the 90-day window.
  • Third-party tokens and credentials are encrypted at rest and are deleted immediately when you disconnect the integration, when the credential is rotated or revoked, or on account termination.
  • Backups may retain otherwise-deleted information for up to 35 days after deletion.
  • Server logs are retained for up to 90 days.
  • Audit logs of payment events are retained for up to 7 years as required for tax and accounting purposes.

6. Security

We take reasonable administrative, technical, and physical measures to protect your information, including:

  • Encryption in transit (HTTPS / TLS) for all client-server communication;
  • Authenticated encryption at rest (Fernet) for sensitive credentials and tokens;
  • Salted, hashed passwords (Argon2 / bcrypt) — we cannot recover your password and will never ask for it;
  • Strict tenant isolation — every database query in the Service is scoped to the requesting user;
  • Hosted by infrastructure providers with documented SOC 2 controls;
  • Principle-of-least-privilege access for our personnel.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk. If we become aware of a security incident affecting your information, we will notify you in accordance with applicable law.


7. Your choices and rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to correct inaccurate or incomplete personal information.
  • Deletion. Request that we delete your personal information, subject to legal retention requirements.
  • Portability. Request a machine-readable export of your account data.
  • Restriction or objection. Ask us to restrict certain processing, or object to it.
  • Withdrawal of consent. Where processing is based on consent, withdraw your consent at any time.
  • Lodge a complaint with a supervisory authority (e.g., your local data-protection authority in the EU/UK, or your state attorney general in certain US states).

To exercise any of these rights, email dev@omniposter.ai from the address associated with your account. We will respond within the timeframes required by applicable law (typically 30 days).

You can also manage many of these rights yourself from the Service: delete individual stories, posts, reporters, and projects; disconnect integrations; rotate or remove AI keys; and cancel your subscription. Account deletion can be initiated by emailing us until in-app self-service deletion is available.


8. Cookies and similar technologies

We use a small number of strictly-necessary cookies and browser storage items, including:

  • An authentication cookie that holds a signed session token so you stay logged in;
  • Local storage to remember non-sensitive UI preferences (e.g., which tab you last viewed).

We do not use advertising cookies, third-party analytics trackers on the Service itself, or cross-site tracking technologies. We do not respond to “Do Not Track” browser signals because there is no consensus standard, but our default behavior is consistent with the intent of that signal: we don’t track you across other sites.


9. International data transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and in other countries where our sub-processors operate. By using the Service you consent to these transfers. We rely on standard contractual clauses or other lawful transfer mechanisms where required.


10. Children’s privacy

The Service is intended for use by businesses and is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.


11. California, Virginia, Colorado, and other US state-specific notices

To the extent any US state privacy law (CCPA/CPRA, VCDPA, CPA, etc.) applies to you, you have the right to know, access, delete, correct, opt out of certain processing, and not face discrimination for exercising your rights. We do not “sell” your personal information as that term is defined in those statutes, and we do not engage in “targeted advertising” or “profiling” with significant effects. To exercise any state-specific right, email dev@omniposter.ai.


12. European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, the UK, or Switzerland, our legal bases for processing your information are: (a) performance of a contract with you; (b) our legitimate interests in operating, securing, and improving the Service; (c) compliance with legal obligations; and (d) your consent where required. Omniposter is the controller of your personal information for the purposes of GDPR and equivalent laws.

You may contact your local supervisory authority. We do not currently have an EU representative under Article 27; if and when that requirement applies to us we will update this Policy.


13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this Policy and, for material changes, give you reasonable advance notice by email and/or via a notice in the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.


14. Contact

For questions, requests, or concerns about this Privacy Policy or our handling of your information, contact:

Omniposter
Email: dev@omniposter.ai