1. Introduction

PostHive, Inc. ("PostHive," "we," "us," or "our") operates the PostHive platform, a social media management service accessible at post-hive.com and through associated applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, process, share, retain, and protect your personal information when you use our Service.

This Privacy Policy applies to all users of the Service, including but not limited to individual users, team members, organization administrators, and visitors to our website. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.

We are committed to protecting your privacy and handling your data in an open and transparent manner. We process personal data in accordance with applicable data protection laws including, but not limited to, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the UK Data Protection Act 2018, the Australian Privacy Act 1988, the Brazilian Lei Geral de Proteção de Dados ("LGPD"), and other applicable national and international privacy laws.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, device identifiers, and online identifiers.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
"Data Controller" means the entity that determines the purposes and means of processing Personal Data. For the purposes of this Policy, PostHive, Inc. is the Data Controller.
"Data Processor" means any entity that processes Personal Data on behalf of the Data Controller.
"Data Subject" means any identified or identifiable natural person whose Personal Data is processed.
"Connected Account" means any third-party social media, email, or communication account you link to your PostHive account through OAuth or similar authorization mechanisms.
"Organization" means a team, company, or entity account within PostHive under which multiple users may operate.
"Content" means any text, images, videos, files, or other materials you create, upload, schedule, or publish through the Service.
"AI Features" means any artificial intelligence or machine learning-powered features within the Service, including but not limited to content generation, content suggestions, analytics insights, and automated recommendations.

3. Information We Collect

3.1 Information You Provide Directly

When you register for, access, or use PostHive, you may provide us with the following categories of Personal Data:

Account Registration Data: Full name, email address, password (stored as a secure hash via Firebase Authentication), profile photo, and account preferences.
Billing & Payment Data: Billing name, billing address, payment method details. Note: Payment transactions are processed by our third-party payment processor (Lemon Squeezy). We do not store your full credit card number, CVV, or complete payment instrument details on our servers.
Organization Data: Organization name, team member information, roles, permissions, department/division structure, and organization settings.
Content Data: Social media posts, drafts, scheduled content, media files (images, videos, documents), captions, hashtags, and any other content you create or upload through the Service.
Communication Data: Messages you send to us through support channels, feedback forms, survey responses, and any other direct communications.
Social Media Credentials: OAuth tokens and access credentials for connected social media accounts. We access these through secure OAuth 2.0 processes and do not store your social media passwords.
Email Account Data: When using our Email Hub feature, OAuth tokens for connected email accounts (Gmail, Outlook). We do not store your email passwords.
API Key Data: When you create API keys for programmatic access to the PostHive Public API, we store a cryptographic hash (SHA-256) of each key, along with the key name, assigned scopes, rate-limit configuration, IP whitelist/blacklist settings, and optional webhook URLs you provide. We do not store the plain-text API key after initial generation.

3.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

Device & Browser Information: Browser type and version, operating system, device type, device identifiers, screen resolution, and language preferences.
Log Data: IP address, access dates and times, pages viewed, time spent on pages, referring/exit pages, click-through data, and error logs.
Usage Data: Features used, frequency of use, actions taken within the Service, search queries, and interaction patterns.
Performance Data: Page load times, application errors, server response times, and technical diagnostics.
Location Data: Approximate geographic location derived from your IP address. We do not collect precise GPS location data.
API Usage Data: When you use the Public API, we automatically log request timestamps, source IP addresses, endpoints accessed, response status codes, and per-key request counts. This data is used for rate-limit enforcement, abuse prevention, and usage analytics visible in your API key dashboard.

3.3 Information from Connected Accounts

When you connect third-party accounts (social media, email, etc.), we may receive the following information from those platforms, subject to the permissions you grant and the respective platform's privacy policies:

Social Media Data: Profile information, follower/following counts, post analytics (impressions, reach, engagement, clicks), audience demographics, content performance data, and platform-specific metrics.
Email Data (Email Hub): Email metadata (sender, recipient, subject, date/time), email body content (for display within the Email Hub only), attachment metadata, and email categorization data. We access this data solely to provide the Email Hub functionality and do not use email content for advertising or unrelated purposes.
Messaging Data (Chat Hub): Platform messages and direct messages received through connected social media accounts, for the purpose of centralized inbox management.

3.4 Information from Third Parties

Authentication Providers: We use Firebase Authentication and may receive your name, email address, and profile photo from identity providers (Google, Apple, etc.) when you use social login.
Payment Processors: Our payment processor (Lemon Squeezy) may provide us with transaction confirmation data, subscription status, and billing-related information.
Analytics Services: We may receive aggregated analytics data from third-party analytics services we use to understand Service usage patterns.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Provision & Operation

To create, maintain, and secure your account
To provide the core social media management features (posting, scheduling, analytics, monitoring)
To operate the Email Hub and Chat Hub features with your connected accounts
To process and manage your subscription and billing
To provide customer support and respond to your inquiries
To manage team and organization features, including role-based access control

4.2 Service Improvement & Development

To analyze usage patterns and improve the Service's functionality and user experience
To develop new features, products, and services
To conduct internal research and analytics
To test and implement technical improvements
To train and improve our AI models (using aggregated, anonymized data only — never individual user content without explicit consent)

4.3 Communication

To send transactional emails (account verification, password resets, billing receipts)
To send Service-related notifications (scheduled post confirmations, error alerts, security notices)
To send marketing communications (only with your opt-in consent, and you may opt out at any time)
To notify you of changes to our Terms, Privacy Policy, or Service

4.4 Security & Fraud Prevention

To detect, prevent, and address technical issues, security incidents, and fraudulent activity
To enforce our Terms of Service and other policies
To protect the rights, property, and safety of PostHive, our users, and the public
To monitor and log access for audit and compliance purposes
To implement rate limiting and abuse prevention measures

4.5 Legal Compliance

To comply with applicable laws, regulations, and legal processes
To respond to lawful requests from government authorities
To establish, exercise, or defend legal claims

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your Personal Data on the following legal bases under the GDPR:

Performance of a Contract (Article 6(1)(b)): Processing necessary for the performance of our contract with you (i.e., providing the Service as described in our Terms of Service).
Consent (Article 6(1)(a)): Where you have given explicit consent for specific processing activities, such as receiving marketing communications, connecting email accounts to Email Hub, or enabling AI-powered content generation.
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, ensuring security, preventing fraud, and conducting analytics. We balance our interests against your rights and freedoms.
Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax and financial reporting requirements.

You may withdraw your consent at any time where consent is the legal basis for processing. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. Email Hub & Communication Data

Our Email Hub feature allows you to connect your email accounts (Gmail, Microsoft Outlook) for centralized communication management. When you use Email Hub:

Authorization: We use OAuth 2.0 to connect to your email provider. We never store your email password.
Data Access: We access email metadata (sender, recipient, subject, timestamp) and email body content solely for the purpose of displaying, organizing, and managing your emails within PostHive.
Data Use Limitations: We do NOT use your email content for advertising, marketing, or any purpose unrelated to providing the Email Hub functionality. We do NOT sell email data to third parties. We do NOT use email content to train AI models without your explicit, separate consent.
Data Storage: Email content is cached temporarily for performance purposes and is not permanently stored on our servers beyond what is necessary for the Email Hub functionality.
Google API Compliance: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve user-facing features that are prominent in our requesting application's interface.
Microsoft Compliance: Our use of Microsoft Graph API data complies with Microsoft's applicable API terms of use and privacy requirements.
Disconnection: You may disconnect your email account at any time. Upon disconnection, we will cease accessing your email data and delete cached email content within 30 days.

8. AI-Powered Features

PostHive includes AI-powered features for content generation, optimization suggestions, analytics insights, and automated recommendations. Regarding these features:

AI Processing: Your content prompts and contextual data may be sent to third-party AI service providers (currently Groq) for processing. These providers process data according to their own privacy policies and data processing agreements with us.
No Training on Individual Content: We do not use your individual, identifiable content to train AI models. Any model improvement uses only aggregated, anonymized, and de-identified data.
AI Output Ownership: Content generated by AI features is provided to you as suggestions. You are solely responsible for reviewing, editing, and approving AI-generated content before use. PostHive does not claim ownership of AI-generated content created at your direction.
Opt-Out: You may choose not to use AI features. Using AI features is entirely optional and not required to use the core Service functionality.
Data Minimization: We send only the minimum data necessary for the AI feature to function. We do not send your full account data, connected account credentials, or billing information to AI service providers.

9. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of the Service. Technologies we use include:

9.1 Essential Cookies

These cookies are strictly necessary for the Service to function and cannot be disabled. They include:

Authentication session cookies (Firebase authentication tokens)
Organization context cookies (httpOnly cookie for multi-tenant organization selection)
Security cookies (CSRF protection, rate limiting)

9.2 Functional Cookies

These cookies enable enhanced functionality and personalization:

User preference cookies (theme, language, dashboard layout)
Feature state cookies (sidebar state, recent selections)

9.3 Analytics Cookies

With your consent, we may use analytics cookies to understand how visitors interact with the Service:

Google Analytics 4 (page views, user journeys, feature usage)
Error tracking services (Sentry for crash and error reporting)

9.4 Local Storage & Session Storage

We use browser local storage and session storage for:

Caching user preferences and UI state
Temporarily storing draft content
Performance optimization (reducing server requests)

9.5 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent the Service from functioning correctly. You can opt out of analytics cookies without affecting Service functionality.

10. Third-Party Service Providers

We engage third-party service providers to assist in providing the Service. Each provider has access only to the data necessary for their specific function and is contractually obligated to protect your data:

Provider	Purpose	Data Shared
Firebase (Google)	Authentication & identity	Email, name, auth tokens
MongoDB Atlas	Database hosting	All application data (encrypted at rest)
Redis Cloud	Caching & job queues	Session data, job metadata
Cloudinary	Media storage & processing	Uploaded media files
Lemon Squeezy	Payment processing	Billing name, email, payment data
Groq	AI content generation	Content prompts & context
Resend	Transactional emails	Email address, notification content
DigitalOcean	Cloud infrastructure	Application hosting
Vercel	Frontend hosting & CDN	Static assets, edge functions

All third-party service providers are bound by data processing agreements that require them to protect your data in accordance with applicable privacy laws.

12. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your country of residence, including the United States, where data protection laws may differ from those of your jurisdiction.

When we transfer Personal Data from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all service providers
Technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256)
Organizational measures including access controls and security training

By using the Service, you consent to the transfer of your information to the United States and other countries as described in this Policy. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

13. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

Account Data: Retained for the duration of your account and for up to 30 days following account deletion to allow for account recovery.
Content & Posts: Retained for the duration of your account. Deleted within 90 days of account deletion.
Analytics Data: Retained for up to 24 months from the date of collection. Aggregated, anonymized analytics may be retained indefinitely.
Billing Data: Retained for up to 7 years as required by tax and financial regulations.
Email Hub Data: Cached temporarily; purged within 30 days of disconnecting the email account.
Log & Security Data: Retained for up to 12 months for security and debugging purposes.
Audit Logs: Retained for up to 3 years for compliance and security audit purposes.
Backup Data: Database backups containing your data may persist for up to 90 days after deletion from the primary database.

Upon expiration of the applicable retention period, we will securely delete or anonymize your Personal Data. You may request earlier deletion of your data as described in the "Your Rights" sections below.

14. Data Security

We implement appropriate technical and organizational security measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256-GCM.
Authentication: Multi-layer authentication via Firebase Authentication, with support for multi-factor authentication (MFA).
Access Controls: Role-based access control (RBAC) with principle of least privilege. Organization-level, team-level, and project-level permissions.
Infrastructure Security: Hosted on enterprise-grade cloud infrastructure (DigitalOcean, Vercel) with built-in DDoS protection, firewalls, and intrusion detection.
Secure Development: Security-first development practices including input validation, parameterized queries, CSRF protection, XSS prevention, and regular security audits.
Monitoring: Continuous monitoring for security incidents, suspicious activity, and unauthorized access attempts.
Rate Limiting: API rate limiting to prevent abuse and brute-force attacks.
API Key Security: Public API keys are stored as irreversible SHA-256 hashes. Per-key rate limits, IP whitelisting/blacklisting, scope restrictions, and automatic expiration provide defense-in-depth for programmatic access. Webhook payloads are signed with HMAC-SHA256 so you can verify their authenticity.
Secure Headers: Implementation of Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and other security headers.

Despite these measures, no method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. We will promptly notify you and any applicable authority of a data breach as required by applicable law.

16. Your Rights Under CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

16.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of Personal Information:

Identifiers: Name, email address, IP address, account name, unique personal identifiers
Personal Information (Cal. Civ. Code § 1798.80(e)): Name, address, telephone number
Internet or Network Activity: Browsing history, search history, interactions with our Service
Geolocation Data: Approximate location from IP address
Professional or Employment-Related Information: Organization name, team role (if provided)
Inferences: Preferences, behavior patterns derived from usage data

16.2 Your CCPA/CPRA Rights

Right to Know: You have the right to request disclosure of the Personal Information we have collected, used, disclosed, and sold about you.
Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing: We do NOT sell or share your Personal Information for cross-context behavioral advertising. Therefore, there is no need to opt out.
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of Sensitive Personal Information to what is necessary for providing the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your rights, contact us at legal@post-hive.com. We will verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf.

17. Other Privacy Laws

17.1 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados, including the right to confirm processing, access data, correct data, anonymize/block/delete unnecessary data, data portability, information about sharing, and to revoke consent.

17.2 Australia (Privacy Act 1988)

If you are located in Australia, we comply with the Australian Privacy Principles (APPs). You have the right to access your Personal Data, request correction, and make complaints about breaches of the APPs.

17.3 Canada (PIPEDA)

If you are located in Canada, we comply with the Personal Information Protection and Electronic Documents Act. You have the right to access your Personal Data and challenge its accuracy.

17.4 Other Jurisdictions

We are committed to complying with applicable data protection laws in all jurisdictions where we operate. If you are located in a jurisdiction not specifically mentioned above, you may still have privacy rights under local law. Please contact us to exercise any applicable rights.

18. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the minimum age required in your jurisdiction). We do not knowingly collect Personal Data from children under 16. If you become aware that a child has provided us with Personal Data without parental consent, please contact us at legal@post-hive.com. If we become aware that we have collected Personal Data from a child under 16 without verification of parental consent, we will take immediate steps to delete that information from our servers.

19. Automated Decision-Making

PostHive uses automated processing in certain features, including:

AI Content Suggestions: Automated generation of content suggestions based on your prompts and context. These are suggestions only and require your review and approval.
Optimal Posting Times: Algorithmic analysis of your audience engagement data to suggest optimal posting times. These are recommendations, not mandatory scheduling decisions.
Analytics Insights: Automated analysis of performance data to generate reports and insights. These are informational only.
Email Categorization: Automated categorization of emails in Email Hub based on content analysis. You can manually override any categorization.

None of these automated processes make legally binding decisions or produce legal effects concerning you. All automated suggestions can be overridden by you at any time. If you have concerns about automated processing, contact us at legal@post-hive.com.

20. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (as required by GDPR Article 34)
Comply with breach notification requirements under CCPA, LGPD, and other applicable laws
Document all breaches and our response actions
Take immediate steps to contain and remediate the breach

21. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no uniform standard for interpreting DNT signals, we currently do not respond to DNT signals. However, you can manage your cookie preferences and opt out of analytics tracking as described in Section 9.

22. Team & Organization Data

When you are part of an Organization on PostHive:

Your Organization administrator may control certain aspects of your account, including access permissions, connected accounts, and content visibility within the Organization.
Content created within an Organization may be visible to other Organization members based on their roles and permissions.
If your Organization administrator deletes the Organization, all associated data (including your content within that Organization) may be deleted. You are responsible for exporting any data you wish to retain before Organization deletion.
Your Organization administrator may access audit logs that include your activity within the Organization.
If you leave an Organization, content you created within that Organization may be retained by the Organization as determined by the Organization administrator.

23. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this page
We will notify you by email and/or a prominent notice within the Service at least 30 days before the changes take effect
For material changes that affect how we process your data, we may request renewed consent where required by law
Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes

We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices.

24. Contact Us & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

PostHive, Inc.

Email: legal@post-hive.com

Privacy Inquiries: privacy@post-hive.com

Data Protection Officer: dpo@post-hive.com

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

For EU residents, you may contact the relevant supervisory authority in your member state. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en

Privacy Policy

Table of Contents