Supapost

Privacy Policy

Last updated: 14 April 2026

This Privacy Policy explains what personal data we collect when you use Supapost (the "Service"), how we use it, who we share it with, and the rights you have under UK data protection law (the UK GDPR and the Data Protection Act 2018).

The Service is operated by an individual sole trader based in the United Kingdom, who is the data controller for personal data processed through the Service. You can reach us at [email protected].

1. Data we collect

Account data

When you create an account we collect your email address, name (if provided), authentication identifiers from any sign-in provider you use, and your account preferences and settings.

Content you create or upload

This includes prompts, images, video, audio, text, characters, brand assets, scheduled posts, drafts, and any other material you upload or generate through the Service. You may also upload product data from connected stores.

Connected accounts

If you connect a third-party account (for example TikTok, Instagram, YouTube, X, Shopify, or Etsy), we receive the data and access tokens that the third party returns, such as your account identifier, handle, avatar, and the permissions you granted. We use these tokens to act on your behalf when you ask us to (for example, to schedule and publish content).

Usage and device data

We automatically collect technical information about how you interact with the Service, including your IP address, browser and device type, operating system, pages viewed, actions taken, timestamps, and error diagnostics. This helps us operate, secure, and improve the Service.

Billing data

Monthly subscription payments are processed by Stripe, which collects your payment details directly. We receive transaction metadata such as your customer and subscription identifiers, billing country, the amount, currency, plan, and payment status. We do not see or store full card numbers. Stripe processes your payment data as an independent controller under its own privacy policy.

Cookies

We use strictly necessary cookies to keep you signed in and to keep the Service secure. We may also use a small number of analytics cookies or similar technologies to understand how the Service is used in aggregate. Where required by law, we will ask for your consent before setting non-essential cookies.

2. How we use your data

We use personal data to:

  • Provide, maintain, and secure the Service, including authentication, storage, and delivery;
  • Run AI generation on your behalf by sending your prompts and inputs to model providers;
  • Publish or schedule content to the third-party platforms you have connected;
  • Process payments and manage billing;
  • Communicate with you about your account, updates, and support;
  • Prevent fraud, abuse, and security incidents;
  • Analyse usage to improve and develop the Service; and
  • Comply with our legal and regulatory obligations.

3. Legal bases for processing

Under UK GDPR we rely on the following legal bases:

  • Contract — to provide the Service you have signed up for;
  • Legitimate interests — to secure, improve, and understand how the Service is used, and to prevent misuse;
  • Consent — for non-essential cookies and any optional marketing; and
  • Legal obligation — where we must process data to comply with law.

You can withdraw consent at any time without affecting processing based on consent before it was withdrawn.

4. AI model providers

To generate images, video, characters, and text, we send your prompts and related inputs to third-party model providers (including, for example, Anthropic, OpenAI, Google, and hosted model gateways such as fal.ai). Those providers process data under their own agreements and privacy policies. We choose providers that contractually commit not to use our API traffic to train their general-purpose models, but you should not include information in prompts that you would not want processed by a third-party model provider.

5. Who we share data with

We share personal data only with:

  • Infrastructure providers that host and run the Service (for example database, storage, and compute providers);
  • AI model providers as described above, to perform the generation you request;
  • Third-party platforms you connect, to publish or schedule content on your behalf;
  • Stripe, for processing monthly subscription payments, and analytics providers that support product operations;
  • Legal or regulatory authorities where required by law or to protect our rights, users, or the public; and
  • Successors in the event of a merger, acquisition, or sale of assets, under equivalent confidentiality protections.

We do not sell your personal data.

6. International transfers

Some providers we rely on are located outside the UK, including in the European Economic Area and the United States. When personal data is transferred outside the UK, we use safeguards recognised under UK data protection law, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with supplementary measures where appropriate.

7. How long we keep data

We keep personal data for as long as your account is active or as needed to provide the Service. When you delete content or your account, we remove or anonymise personal data within a reasonable period, except where we need to retain it to comply with law, resolve disputes, enforce agreements, or for backups that expire on a rolling schedule.

8. Security

We use technical and organisational measures to protect personal data, including encryption in transit, authentication, access controls, and audit logging. No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for choosing a strong password and for keeping your account credentials confidential.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you;
  • Ask us to correct inaccurate or incomplete data;
  • Ask us to delete your data ("right to erasure");
  • Restrict or object to certain processing;
  • Receive your data in a portable format;
  • Withdraw consent where processing is based on consent; and
  • Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email [email protected]. We will respond within one month, as required by law.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Automated decision-making

We do not make decisions producing legal or similarly significant effects based solely on automated processing of your personal data.

12. Changes to this Policy

We may update this Policy from time to time. If changes are material, we will let you know (for example, by email or an in-product notice) before they take effect.

13. Contact

Questions or requests about your personal data? Email [email protected].