Privacy Policy

Last updated: 2026-06-17 · Effective date: 2026-06-17

1. Introduction

PostCrew ("we", "us", "our"), operated by Group Taiga, is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have regarding your information.

This policy applies to all users of the PostCrew Service available at postcrew.taigalab.com.

PostCrew acts as a Data Controller for account and usage data, and as a Data Processor for the User Content you provide for processing through AI agents and publishing to connected social platforms.

2. Information We Collect

2.1 Account Information

  • Organization name and contact email address;
  • User profile data (display name, role) for authenticated team members;
  • Authentication identifiers (in future releases, when Clerk or a similar provider is enabled).

2.2 Brand & Content Data

  • Brand DNA records you create: brand name, website URL, sector, tone of voice, mission, vision, audience profile, design preferences, social handles;
  • Brand assets you upload: logos, images, sample captions, brand guidelines;
  • Content templates, slots, asset pools, and generated content (captions, hashtags, AI-generated images);
  • Publishing schedules and content approval history.

2.3 Connected Social Media Data

When you connect a social account (Meta — Facebook/Instagram, LinkedIn, X, TikTok) we receive and store:

  • OAuth access tokens and refresh tokens (encrypted at rest with AES-256-GCM);
  • External account identifiers (page id, Instagram business id, etc.);
  • Username, display name, profile picture URL;
  • Granted permission scopes;
  • Post-publishing metadata (external post id, timestamp, error responses).

We do not read DMs, personal feeds, friend lists, or any data outside the scopes you explicitly grant.

2.4 Usage Data

  • Server logs: IP address (truncated/hashed where possible), user agent, requested URL, response status, timestamp;
  • Generated content trace (which AI agent ran, token counts, request duration) for billing and debugging.

2.5 Cookies

We use only essential session cookies required for authentication and CSRF protection. We do not use third-party tracking or advertising cookies.

3. How We Use Your Information

  • To operate, maintain, and improve the Service;
  • To process content generation requests through AI providers (Anthropic, OpenAI, Google);
  • To publish content to your connected social media accounts when you approve or schedule it;
  • To send transactional communications (account confirmations, publishing failures, billing receipts);
  • To detect and prevent fraud, abuse, and security incidents;
  • To comply with legal obligations, court orders, or government requests.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Türkiye (KVKK), we process personal data under the following legal bases:

  • Contract performance — to deliver the Service you have subscribed to;
  • Legitimate interests — to secure the platform, prevent fraud, and improve features;
  • Consent — for connecting social accounts and for any optional analytics;
  • Legal obligation — to comply with applicable laws.

5. Third-Party Sub-Processors

We share data with the following sub-processors to operate the Service. Each is bound by data protection agreements:

  • Anthropic, PBC (Claude AI) — text generation, content analysis (US);
  • OpenAI, L.P. (GPT, gpt-image-2) — text and image generation (US);
  • Google LLC (Gemini API) — text generation (US/EU);
  • Meta Platforms Inc. — Instagram & Facebook Graph API for publishing (US);
  • LinkedIn Corporation — LinkedIn API for publishing (US);
  • X Corp. — X (Twitter) API v2 for publishing (US);
  • TikTok Pte. Ltd. — TikTok Content Posting API (Singapore);
  • GitLab Inc. — source code and container registry hosting (US/EU);
  • VPS infrastructure provider — server hosting in Türkiye/EU (PostgreSQL, container runtime).

AI providers may use your prompts and content for model improvement unless you opt out via their respective policies. We strongly encourage opting out of training on the provider dashboards.

6. Data Retention

  • Account data: retained for the lifetime of your account, plus 30 days after deletion to honor undo requests;
  • Brand & content data: retained while your account is active; deleted within 30 days of account closure unless a legal hold applies;
  • OAuth tokens: deleted immediately when you disconnect a social account or close your account;
  • Server logs: retained 90 days for security analysis;
  • Billing records: retained 10 years per tax regulations.

7. Your Rights

Depending on your jurisdiction (GDPR, KVKK, CCPA, etc.), you have the right to:

  • Access — request a copy of your personal data;
  • Rectification — correct inaccurate data;
  • Erasure — request deletion of your data (see Data Deletion Instructions);
  • Portability — receive your data in a structured, machine-readable format;
  • Restriction / Objection — restrict or object to certain processing activities;
  • Withdraw consent — disconnect any social account at any time from the dashboard.

To exercise any of these rights, email developer@grouptaiga.com with the subject "Privacy Request". We respond within 30 days.

8. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

  • TLS 1.3 encryption for all data in transit;
  • AES-256-GCM encryption at rest for OAuth tokens and other sensitive secrets;
  • Database access restricted to application servers;
  • Hosting in an isolated Kubernetes (K3s) namespace with RBAC;
  • Container images signed and scanned for known CVEs;
  • Quarterly security reviews of access logs and dependencies.

No method of transmission or storage is 100% secure. We commit to notifying affected users within 72 hours of discovering any material data breach.

9. International Data Transfers

Some sub-processors are located outside the EEA/Türkiye. When transferring personal data internationally, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

10. Children's Privacy

PostCrew is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, contact us and we will delete the information.

11. Changes to this Policy

We may update this Privacy Policy. Material changes will be communicated via dashboard notification or email at least 14 days before taking effect. The "Last updated" date at the top reflects the latest revision.

12. Contact

Privacy questions and data subject requests:
Group Taiga — Data Protection
Email: developer@grouptaiga.com