Privacy Policy
Last updated: 9 May 2026 · Effective: 9 May 2026
Oynayo Pty Ltd ("Oynayo", "we", "us", or "our"), operator of the Postazo platform, is committed to protecting your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how we protect it, and what rights you have in relation to it.
This Policy applies to all users of the Postazo website, web application, and related services (collectively, the "Service"). It forms part of our Terms of Service. By using the Service, you consent to the practices described in this Policy.
We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the General Data Protection Regulation (GDPR) (EU/EEA users) and the California Consumer Privacy Act (CCPA) (California users).
1. Information We Collect
1.1 Information You Provide Directly
- Account registration: name, email address, and password (hashed — we never store your plaintext password).
- Business profile: business name, industry, brand voice, tone preferences, logos, and other brand assets you upload.
- Content: text, images, captions, and any other content you create, import, or schedule through the Service.
- Payment information: billing name, address, and card details. Card numbers are processed directly by our payment provider (Stripe) and are never stored on our servers.
- Support communications: any messages, emails, or feedback you send to us.
1.2 Information We Collect Automatically
- Usage data: pages visited, features used, actions taken, session duration, and interaction logs.
- Device and browser information: IP address, browser type and version, operating system, device identifiers, and time zone.
- Cookies and similar technologies: session cookies (required for login), preference cookies, and analytics cookies. See clause 7 for details.
- Log data: server access logs, error logs, and API request logs, retained for up to 90 days for security and debugging purposes.
1.3 Information from Third Parties
- Social media platforms: when you connect accounts (e.g., Instagram, Facebook, LinkedIn, X/Twitter, TikTok), we receive OAuth access tokens and, where the platform provides it, basic profile information such as your username and profile picture.
- Content sources: if you connect RSS feeds, websites, or third-party libraries as content sources, we fetch and temporarily process that content to generate posts.
- Single sign-on: if you register or log in via a third-party identity provider (e.g., Google), we receive the profile information that provider shares with us pursuant to your consent given to them.
2. How We Use Your Information
We use personal information for the following purposes:
- Providing the Service: creating and managing your account, generating and publishing content, processing payments, and delivering features you have requested.
- AI content generation: your brand information, uploaded content, and preferences are passed to AI models (operated by third-party providers) to generate captions, posts, and images on your behalf.
- Autopilot publishing: where you have enabled Autopilot, your connected social media credentials are used to publish content automatically on your schedule.
- Billing and payments: processing subscription fees, managing invoices, and handling refunds.
- Communications: sending transactional emails (e.g., account confirmation, payment receipts, post-published notifications), service updates, and — where you have opted in — marketing communications.
- Security and fraud prevention: detecting, investigating, and preventing unauthorised access, abuse, or violations of our Terms.
- Service improvement: analysing aggregate usage patterns to improve performance, features, and user experience. We use anonymised or aggregated data where possible.
- Legal compliance: meeting our obligations under applicable law, including tax, accounting, and regulatory requirements.
- Dispute resolution: enforcing our Terms and resolving any disputes that arise.
3. Legal Bases for Processing (GDPR)
Where the GDPR applies, we rely on the following lawful bases to process your personal data:
- Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you have subscribed to, including account management, content generation, publishing, and billing.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, log retention, product analytics, and direct marketing to existing customers (where not overridden by your interests or rights).
- Legal obligation (Art. 6(1)(c)): retaining financial records, responding to lawful requests from authorities, and complying with applicable regulations.
- Consent (Art. 6(1)(a)): optional marketing emails and non-essential cookies, which you may withdraw at any time.
4. How We Share Your Information
We do not sell your personal information. We share your data only in the following circumstances:
4.1 Service Providers (Sub-processors)
We engage trusted third-party service providers to help operate the Service. These include:
- Cloud infrastructure: Supabase (database and authentication), Vercel (hosting and edge functions).
- AI — text generation: Anthropic (Claude models) for caption writing, idea generation, and content structuring. Your brand data and content prompts are transmitted to Anthropic's API to generate text on your behalf.
- AI — image generation: OpenAI (GPT Image) and Leonardo.ai (Flux and related models) for generating visual assets. Your brand colours, style preferences, and image prompts are transmitted to these providers.
- AI — video generation: Leonardo.ai (which may use Google's Veo model internally) for short-form video clip generation.
- Social publishing platform: Post for Me (a third-party OAuth and publishing intermediary) to connect your social media accounts and deliver posts. Post for Me manages OAuth token storage and revocation on your behalf.
- Payment processing: Stripe (credit card processing and subscription management).
- Email delivery: transactional email providers for service notifications.
- Analytics: privacy-focused analytics tools to understand aggregate usage.
All sub-processors are contractually required to process personal data only on our instructions, to maintain appropriate security, and to comply with applicable privacy law.
4.2 Social Media Platforms
When you connect a social media account and instruct us to publish content, we transmit that content and any associated metadata to the relevant platform via their API. Social media connections are managed through our publishing partner Post for Me, which handles OAuth authorisation, token storage, and token revocation on your behalf. Your use of those platforms is subject to their own privacy policies, which we encourage you to review.
4.3 Business Transfers
If Oynayo undergoes a merger, acquisition, asset sale, or restructuring, your personal information may be transferred to the acquiring entity. We will notify you via email or in-app notice before your data is transferred and becomes subject to a different privacy policy.
4.4 Legal Requirements
We may disclose your personal information if required to do so by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Oynayo, our users, or the public.
4.5 With Your Consent
We may share your information with third parties not listed above where you have given explicit consent for us to do so.
5. International Data Transfers
Oynayo is based in Australia. Our sub-processors (including cloud and AI providers) may process your data in countries outside Australia, including the United States and European Union member states.
Where we transfer personal data of EU/EEA residents outside the EEA, we do so under appropriate safeguards — primarily Standard Contractual Clauses (SCCs) approved by the European Commission — or on the basis that the destination country has been deemed adequate by the European Commission.
Transfers of Australian personal information overseas are conducted in accordance with Australian Privacy Principle 8, and we take reasonable steps to ensure overseas recipients handle the information consistently with the APPs.
6. Data Retention
- Account data: you can permanently delete your account at any time from Settings → Account → Danger zone. All account data is permanently deleted immediately upon confirmed deletion. Financial records subject to legal retention obligations (see below) are anonymised and retained separately.
- Financial records: invoices, payment records, and associated personal data are retained for a minimum of 7 years to comply with Australian taxation and accounting laws.
- Published content logs: records of content published via the Service are retained for 2 years for dispute resolution purposes.
- Server and access logs: retained for up to 90 days for security monitoring purposes.
- Support communications: retained for up to 3 years after resolution to assist with recurring issues.
- Social media credentials (OAuth tokens): stored only while your connection is active and deleted promptly when you disconnect an account.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Strictly necessary cookies: session and authentication cookies required for you to log in and use the Service. These cannot be disabled without breaking core functionality.
- Preference cookies: cookies that remember your settings (e.g., dark mode preference). Disabling these may require you to re-set preferences each visit.
- Analytics cookies: cookies that help us understand how the Service is used in aggregate. We use privacy-respecting analytics that do not fingerprint individual users or share data with advertising networks.
You can control or delete cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from using the Service. We do not use third-party advertising or tracking cookies.
8. Security
We implement commercially reasonable technical and organisational measures to protect your personal information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Hashed password storage (bcrypt or equivalent).
- Role-based access controls limiting staff access to personal data.
- Regular security reviews and dependency updates.
- OAuth token encryption for stored social media credentials.
Despite these measures, no system is completely secure. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and relevant authorities (including the Office of the Australian Information Commissioner (OAIC) and, where applicable, the relevant EU supervisory authority) as required by law.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us at admin@postazo.com and we will delete it promptly.
10. Your Rights
10.1 All Users
Regardless of your location, you may:
- Access your data: request a copy of the personal information we hold about you.
- Correct your data: update inaccurate or incomplete information via your account settings or by contacting us.
- Delete your account: request deletion of your account and personal data (subject to our legal retention obligations set out in clause 6).
- Withdraw consent: opt out of marketing emails at any time via the unsubscribe link in any email or via account settings.
10.2 EU/EEA Users (GDPR Rights)
In addition to the rights above, you have the right to:
- Restriction of processing (Art. 18): request that we restrict processing of your data in certain circumstances (e.g., while accuracy is contested).
- Data portability (Art. 20): receive your personal data in a structured, machine-readable format and transmit it to another controller.
- Object to processing (Art. 21): object to processing based on legitimate interests, including profiling and direct marketing.
- Erasure ("right to be forgotten", Art. 17): request deletion of your personal data where there is no compelling legitimate reason for continued processing.
- Lodge a complaint: you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
10.3 Australian Users
If you believe we have mishandled your personal information in breach of the APPs, you may complain to us first (see clause 14). If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10.4 California Users (CCPA)
California residents have the right to know what personal information we collect and share, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at admin@postazo.com.
To exercise any of the above rights, contact us at admin@postazo.com. We will respond within 30 days (or such shorter period as required by law). We may ask you to verify your identity before acting on your request.
11. AI and Automated Decision-Making
Postazo uses AI models to generate content on your behalf. This process involves sending your brand information, prompts, and preferences to third-party AI providers via their APIs. We do not use fully automated decision-making that produces legal or similarly significant effects on you without human involvement. You retain full control over whether to approve or reject AI-generated content before it is published (depending on your plan settings).
We do not use your content to train our own AI models, nor do we knowingly permit our AI sub-processors to train on your content without your consent. Where our AI providers have their own data use terms, links to their policies are available on request.
12. Social Media Credentials
Social media connections are managed through our publishing partner, Post for Me. When you connect a social media account, Post for Me handles OAuth authorisation and stores the resulting access token on your behalf. Post for Me's handling of those tokens is subject to their own privacy policy. From Postazo's side, we store only a reference identifier for your Post for Me account, not the raw OAuth tokens.
When you disconnect a social media account via your Brand Kit settings, Postazo instructs Post for Me to immediately revoke and delete the token for that connection. You can also revoke access directly from the relevant social media platform's app settings or security panel, which immediately invalidates the token regardless of Post for Me's systems.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email to the address associated with your account or via a prominent notice within the Service, at least 14 days before the changes take effect.
Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the revised terms. If you do not agree, you should discontinue use of the Service before the changes take effect.
14. Contact and Complaints
For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:
Privacy Officer — Oynayo Pty Ltd
Operating as: Postazo
New South Wales, Australia
Email: admin@postazo.com
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we cannot resolve your complaint to your satisfaction, you may refer it to the OAIC (Australian users) or your local data protection authority (EU/EEA users).

