PostMine
Privacy Policy
How PostMine handles your data: what we store, the processors we use, account deletion and cookies. Questions go to support@postmine.tech.
What we store
- Your account email. For most users this is your Google or GitHub account email (the entire account). If PostMine provisioned an email and password login for you (for example, an app reviewer), we also keep a salted password hash via Supabase Auth and never see the plaintext password.
- Your connected-platform credentials, encrypted at rest with AES-256-GCM.
- Your connected account's profile basics: the handle and display name of each account you connect, and its profile image URL for X, used to show your account across the dashboard and to render your avatar in the reply composer.
- The content of your posting rounds: source text, adapted variants, one image per round, and their statuses.
- Your tone profile: style traits derived from recent posts of your connected accounts. Delete it any time in Settings.
- Your analytics-consent choice, stored server-side as a single row: your user id, whether you accepted, and when. We keep it only so your choice is honoured even for events that have no browser session, such as a subscription renewal, and never to track you.
- The opportunities we surface for you: the public thread we found, its fit score, and the reply draft we generate for you to copy. For an X thread we store the author display name, handle and avatar, the post text, the link, and public counts such as likes, reposts, replies and views. For a Reddit thread we store the subreddit, the author's username, the thread text, the link, and public counts such as upvotes and comments. For a Hacker News thread we store the title, the thread text, the author's username, the link, and public counts such as points and comments.
Processors we use
- Supabase for the database and authentication.
- Vercel for hosting and the scheduler cron.
- Polar for billing and subscription management.
- Resend for transactional email (failure and token-expiry alerts) and the daily digest and re-engagement reminder emails.
- PostHog (EU region) for product analytics and session replay, so we can see how the product is used and where it breaks. Enabled only after you accept analytics cookies. Session replays record your session, including the content you type and view, such as draft posts and captions; passwords are excluded.
- AI model providers (Google Gemini API and OpenRouter) to adapt your text per platform and to write your project documents. Your source text is sent to them only to generate the variants and documents; they do not use it to train their models.
- Web research providers (Tavily, Jina, Firecrawl, Exa and Serper) to read the public web page you ask us to analyze and to find and read competitors’ public pages for the Competitor Analysis document. We send them the public URLs being analyzed, not your account data.
- X (api.x.com) recent search to gather public posts for the Customer Research document and to find live threads where your product fits (the opportunity finder). We send a search query built from your project’s product name, category and pain terms; we never send your account data or private content, and only public posts are returned, quoted with their author handle and link. For the opportunity finder we store the surfaced thread (author display name, handle and avatar, text, link, and public counts such as likes, reposts, replies and views) so it can be shown in your dashboard.
- Apify (a Reddit scraping provider) and Serper (a Google Search API) to find public Reddit threads where your product fits (the Reddit opportunity finder). We send a search query built from your project’s product name, category and pain terms; we never send your account data or private content, and only public threads are returned. We store the surfaced thread (the subreddit, the author’s username, the thread text, the link, and public counts such as upvotes and comments) so it can be shown in your dashboard. We do not use the official Reddit API, and we never post to Reddit for you.
- Algolia (the Hacker News Search API at hn.algolia.com) to find public Hacker News threads where your product fits (the Hacker News opportunity finder). We send a search query built from your project’s product name, category and pain terms; we never send your account data or private content, and only public threads are returned. We store the surfaced thread (the title, the thread text, the author’s username, the link, and public counts such as points and comments) so it can be shown in your dashboard. There is no Hacker News account connection, and we never post to Hacker News for you.
- Google PageSpeed Insights (Google APIs) to audit the public site you ask us to analyze, for the Analytics column (PageSpeed, SEO and GEO signals). We send only that public URL, never your account data.
- Each connected platform’s own API at publish time (Telegram, Dev.to, Threads, X, LinkedIn).
Reminder emails
- We send a daily digest email, at most once a day, letting both free and paid users know when fresh posts or reply opportunities are waiting in PostMine. We email only when something new is ready; for accounts that stay away we ease off the come-back reminders and eventually stop them.
- You can turn the daily digest off any time from Settings in the app, and every email also carries a one-click unsubscribe link (no login needed). Once you opt out we honour it and stop sending reminders; you can turn it back on from the same place. Important account emails, such as a failed post or an expiring connection, are transactional and always come through.
What we never do
- We never post on your behalf without an explicit action: Post now, a schedule you set, or an MCP call signed with your key.
- We never post replies to other people's posts for you: opportunity reply drafts are yours to copy and post manually.
- We never use your content to train any model.
- We never sell your data.
Deletion
- Deleting your account removes everything: connections, rounds, drafts and API keys, immediately. Posts already published stay on their platforms, because they are no longer ours to remove.
- Removing PostMine from your Threads (Meta) account, or sending a Meta data-deletion request, automatically deletes your Threads connection and its publishing records from PostMine.
Cookies
- Essential cookies for sign-in and your session, plus a cookie that records your analytics-consent choice.
- Analytics cookies (PostHog) are set only after you click Accept in the consent banner, and never for advertising. If you Reject, no analytics cookies are set. You can change your choice any time by clearing cookies in your browser.