Privacy Policy — BlazePoster

Summary: BlazePoster collects only what it needs to operate the service. We never sell your personal data. We use your data to provide, improve, and secure the platform. You can request deletion of your data at any time.

1. Who We Are

BlazePoster ("BlazePoster", "we", "us", or "our") is a B2B SaaS platform that provides AI-powered social media content generation, scheduling, and publishing services. Our registered business contact is hello@blazeposter.com.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at blazeposter.com and our platform services (collectively, the "Service").

2. Information We Collect

2.1 Information You Provide Directly

Account registration: name, email address, and password when you sign up.
Workspace settings: business name, logo, timezone, and brand preferences.
Payment information: billing details processed securely through Stripe. We never store raw card numbers on our servers.
Content you create: topics, writing samples for Voice Studio, generated posts, uploaded documents, and graphic assets.
Team data: names and email addresses of team members you invite to your workspace.
Support communications: messages you send to our support team.
Waitlist submissions: email address submitted via our pre-launch waitlist form.

2.2 Information Collected Automatically

Usage data: pages visited, features used, time spent, clicks, and interactions with the platform.
Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
Log data: server logs including request timestamps, API calls made, and error reports.
Cookies and similar technologies: session tokens, preference cookies, and analytics identifiers. See Section 8 for details.

2.3 Information From Third Parties

Social platform data: when you connect LinkedIn, Facebook, Instagram, or X (Twitter) to your workspace, we receive OAuth access tokens and basic profile information (name, profile picture, account ID) from those platforms. We also retrieve post analytics data (likes, impressions, shares) on your behalf.
Google OAuth: if you sign in with Google, we receive your name, email address, and profile picture from Google.

3. How We Use Your Information

We use the information we collect to:

Create and manage your account and workspace
Provide and operate the core Service features (content generation, scheduling, publishing, analytics)
Process payments and manage your subscription via Stripe
Send transactional emails (email verification, password reset, post published/failed notifications, token expiry alerts)
Send WhatsApp notifications if you have opted in and provided a number
Communicate service updates, security alerts, and support responses
Improve and develop the Service through aggregated, anonymised usage analysis
Detect, prevent, and respond to fraud, abuse, and security incidents
Comply with legal obligations
Contact waitlist subscribers when the product launches

We do not use your content (posts, writing samples, documents) to train AI models. Your content is processed by Anthropic's Claude API solely to generate responses on your behalf, governed by Anthropic's usage policies.

4. How We Share Your Information

We do not sell your personal data. We share data only in the following circumstances:

4.1 Service Providers (Sub-processors)

We engage trusted third-party vendors who process data on our behalf under strict data processing agreements:

Anthropic — AI content generation (your prompts and content are sent to Claude API)
Stripe — payment processing and subscription management
Resend — transactional email delivery
Twilio — WhatsApp notification delivery (Pro and Agency plans)
Turso / LibSQL — database hosting
Cloudflare R2 — file and media storage
Upstash / Redis — job queue and session management
Tavily / Brave — web search for content grounding (topic queries only; no personal data sent)
Unsplash / Pexels — stock image retrieval (keyword queries only)
Sentry — error monitoring and crash reporting
Railway / Vercel — infrastructure hosting

4.2 Social Platforms

When you schedule or publish posts, the content of those posts is transmitted to the relevant social platform (LinkedIn, Facebook, Instagram, or X) using your OAuth access token. Those platforms' own privacy policies govern what they do with that data.

4.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.4 Business Transfers

If BlazePoster is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our platform before your data becomes subject to a different privacy policy.

5. Data Retention

Account data: retained for the life of your account plus 30 days after deletion request, to allow recovery.
Published post analytics: retained for 24 months from publication date.
Voice Studio samples and profiles: retained until you delete them or close your account.
Billing records: retained for 7 years as required by financial regulations.
Audit logs (Super Admin): retained for 12 months.
Waitlist emails: retained until the product launches and you are contacted, or until you request removal, whichever comes first.
Server logs: retained for 90 days for security and debugging purposes.

6. Security

We implement industry-standard security measures to protect your data:

All data transmitted over HTTPS/TLS encryption
Passwords hashed with bcrypt (cost factor 12) — never stored in plain text
Social platform OAuth tokens encrypted at rest with AES-256-GCM before database storage
JWT access tokens with 15-minute expiry; refresh tokens stored hashed in the database
Rate limiting and brute-force protection on authentication endpoints
Regular automated database backups with 30-day retention
Access to production systems restricted to authorised personnel only

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you suspect a security incident, please contact us immediately at security@blazeposter.com.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure ("right to be forgotten"): request deletion of your personal data.
Portability: request your data in a structured, machine-readable format.
Restriction: request that we limit processing of your data in certain circumstances.
Objection: object to processing based on legitimate interests.
Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@blazeposter.com. We will respond within 30 days. We may need to verify your identity before processing the request.

To remove your email from our waitlist, email us at hello@blazeposter.com with the subject line "Remove from waitlist".

8. Cookies

We use the following types of cookies:

Strictly necessary: session authentication tokens required for the platform to function. Cannot be disabled.
Preference: remember your settings such as timezone and dark/light mode.
Analytics: anonymised usage data to help us understand how the product is used and improve it. No cross-site tracking.

We do not use advertising cookies or sell data to ad networks. You can manage cookies through your browser settings, though disabling strictly necessary cookies will prevent you from logging in.

9. Children's Privacy

BlazePoster is a professional B2B service not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. International Data Transfers

BlazePoster operates globally. Your data may be stored and processed in countries other than your own (including the United States) where our service providers maintain infrastructure. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where required.

11. Third-Party Links

The Service may contain links to third-party websites (for example, social platforms). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing them with personal data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, requests, or concerns:

Email: privacy@blazeposter.com
General enquiries: hello@blazeposter.com