POSTPILOT PRIVACY POLICY

Last Updated: 11/15/25
Effective Date: 11/15/25

INTRODUCTION

Welcome to PostPilot. This Privacy Policy explains how PostPilot ("we," "us," "our," or "Company") collects, uses, discloses, and protects your personal information when you use our AI-powered social media management platform and services (the "Service").

By using PostPilot, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.

1. INFORMATION WE COLLECT

We collect several types of information from and about users of our Service.

1.1 Personal Information You Provide

Account Information:
- Full name
- Email address
- Password (encrypted)
- Company or business name
- Phone number (optional)
- Billing address
- Payment information (processed by third-party payment processors)

Profile Information:
- Profile photo
- Bio or description
- Social media account connections (Facebook, Instagram, TikTok, etc.)
- Preferences and settings

Content You Create or Upload:
- Social media posts and captions
- Images and photos you upload
- Videos you upload
- AI generation prompts and parameters
- Scheduled content and drafts
- Comments and feedback

Communications:
- Support tickets and customer service inquiries
- Email correspondence with us
- Survey responses
- Feedback and reviews

1.2 Biometric Information

Facial Recognition Data:
PostPilot uses facial recognition technology to provide editing and content creation features.
When you upload images containing faces or use facial recognition features, we collect and process:
- Biometric identifiers: Unique numerical representations derived from facial geometry, including measurements of facial features, distances between features, and facial landmarks
- Facial scans: Digital scans or analyses of facial characteristics
- Face templates: Mathematical representations of facial features used for detection and recognition

Important Disclosures:
- We collect biometric data ONLY when you use facial recognition features
- Biometric data is used solely to provide the Service features you request
- You can opt out of facial recognition features at any time in your account settings
- We will delete biometric data within 3 years of your last interaction with our Service, or within 30 days of account deletion, whichever comes first
- Biometric data is encrypted both in transit and at rest
- We do not sell biometric data to third parties
- We comply with Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and similar laws

Specific Purposes for Biometric Data Collection:
- Detecting faces in uploaded photos
- Applying filters and effects to faces
- Organizing photos by identified individuals (if enabled)
- Generating AI content based on facial features
- Improving facial recognition accuracy

Your Biometric Data Rights:
- Right to know what biometric data we collect
- Right to access your biometric data
- Right to delete your biometric data
- Right to opt out of biometric data collection
- Right to receive information about our retention and destruction schedule

1.3 Automatically Collected Information

Usage Data:
- Pages or screens you visit
- Time and date of visits
- Time spent on pages
- Features you use
- Actions you take within the Service
- Search queries
- Click patterns and navigation paths

Device Information:
- Device type (computer, phone, tablet)
- Operating system and version
- Browser type and version
- Screen resolution
- Device identifiers (IDFA, Android ID)
- IP address
- Mobile network information

Location Information:
- General location based on IP address
- Precise location (only if you grant permission)

Cookies and Tracking Technologies:
- Cookies (session and persistent)
- Web beacons
- Pixels
- Local storage
- Analytics identifiers

1.4 Information from Third Parties

Social Media Platforms:
When you connect your social media accounts (Facebook, Instagram, TikTok, etc.), we collect:
- Profile information (name, username, profile photo)
- Account authentication tokens
- Follower/following counts
- Post history and engagement metrics
- Audience demographics
- Content you've posted to those platforms

AI Service Providers:
- Metadata about AI-generated content
- Usage metrics for AI features

Payment Processors:
- Transaction confirmation
- Payment status
- Billing information (last 4 digits of card)

Analytics Providers:
- Aggregated usage statistics
- Performance metrics

2. HOW WE USE YOUR INFORMATION

We use the collected information for the following purposes:

2.1 Service Provision
- Create and manage your account
- Provide access to Service features
- Process AI content generation requests
- Apply facial recognition features (with your consent)
- Schedule and publish social media posts
- Connect to third-party social media platforms
- Store and organize your content
- Provide analytics and insights
- Process payments and billing

2.2 Service Improvement
- Improve AI model accuracy and performance
- Develop new features and functionality
- Analyze usage patterns and trends
- Test and optimize Service performance
- Fix bugs and resolve technical issues
- Conduct research and development

2.3 AI Training and Development

Important Notice: We may use your content and interactions to improve our AI models:
- AI-generated content and the prompts used to create it may be used to train and improve our AI systems
- Facial recognition data may be used to improve face detection accuracy
- User interactions and feedback may inform AI improvements
- You can opt out of AI training use in your account settings

When used for training:
- Data is anonymized and aggregated where possible
- Personal identifiers are removed
- Biometric data used for training is subject to the same protections and deletion schedules

2.4 Communication
- Send transactional emails (account confirmations, password resets, billing)
- Provide customer support
- Send service announcements and updates
- Notify you of changes to Terms of Service or Privacy Policy
- Send marketing communications (with your consent, and you may opt out)
- Respond to your inquiries and requests

2.5 Legal and Security
- Enforce our Terms of Service and policies
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Protect our rights, property, and safety
- Respond to law enforcement requests
- Resolve disputes
- Monitor for prohibited content

2.6 Personalization
- Customize your experience
- Provide relevant content recommendations
- Remember your preferences and settings
- Deliver targeted advertising (with appropriate consent)

3. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information to third parties.
We share your information only in the following circumstances:

3.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

Cloud Infrastructure:
- Hosting providers (servers and storage)
- Content delivery networks (CDNs)
- Database services

AI and Technology Partners:
- OpenAI (for AI content generation)
- Image generation AI providers
- Video generation AI providers
- Facial recognition technology providers

Payment Processors:
- Stripe, PayPal, or similar payment processors
- Credit card processing services

Analytics and Monitoring:
- Google Analytics
- Error tracking and monitoring services
- Performance monitoring tools

Customer Support:
- Help desk and ticketing systems
- Live chat providers

Email Services:
- Email delivery platforms
- Marketing automation tools (if you opt in)

These service providers:
- Are contractually obligated to protect your data
- May only use data for the purposes we specify
- Must comply with applicable privacy laws
- Are required to implement appropriate security measures

3.2 Social Media Platforms

When you connect your social media accounts and authorize posting:
- We transmit your content to Facebook, Instagram, TikTok, and other platforms per your instructions
- These platforms receive the content, captions, and metadata you choose to post
- Each platform's privacy policy and terms govern their use of this data
- You control what is shared by managing your connected accounts and scheduled posts

3.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:
- Court orders or subpoenas
- Legal processes or government requests
- Law enforcement inquiries
- National security requirements
- Protection of our legal rights
- Emergency situations involving danger of death or serious physical injury

3.4 Business Transfers

If PostPilot is involved in a merger, acquisition, bankruptcy, or sale of assets:
- Your information may be transferred to the acquiring entity
- You will be notified via email and/or prominent notice on our Service
- The acquiring entity must continue to honor this Privacy Policy
- You will have the opportunity to delete your account before any transfer

3.5 Aggregated or De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you:
- Industry research and reports
- Usage statistics and trends
- Benchmark data
- Marketing materials

This data does not contain personal information and is not subject to this Privacy Policy.

3.6 With Your Consent

We may share your information for other purposes with your explicit consent:
- When you authorize third-party integrations
- When you participate in joint promotions
- When you explicitly agree to sharing

4. DATA RETENTION

4.1 General Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

Active Accounts:
- Account information: Retained while your account is active
- Content: Retained until you delete it or close your account
- Usage data: Typically retained for 24 months
- Analytics data: Aggregated and retained indefinitely

Closed Accounts:
- Most data deleted within 30 days of account closure
- Some data retained for legal compliance (e.g., transaction records, tax documents)
- Backup systems may retain data for up to 90 days
- Biometric data deleted within 30 days of account closure

4.2 Biometric Data Retention

Specific Retention Schedule for Biometric Data:
- Deleted within 3 years of your last interaction with facial recognition features
- Deleted within 30 days of account closure
- Deleted immediately upon request (subject to technical feasibility)
- Backup copies purged within 90 days of initial deletion
- We maintain documented retention and destruction schedules

You may request deletion of biometric data at any time by:
- Disabling facial recognition in account settings
- Contacting us at [INSERT EMAIL]
- Deleting your account

4.3 Legal Requirements

We may retain information longer when required by law:
- Tax and financial records (typically 7 years)
- Records subject to legal holds or litigation
- Evidence of Terms of Service violations
- Information required for legal compliance

5. YOUR PRIVACY RIGHTS

Depending on your location, you may have the following rights regarding your personal information:

5.1 General Rights (Available to All Users)

Access:
- Request a copy of the personal information we hold about you
- Receive information about how we process your data

Correction:
- Update or correct inaccurate personal information
- Complete incomplete personal information

Deletion:
- Request deletion of your personal information
- Delete your account and associated data

Opt-Out:
- Opt out of marketing communications
- Opt out of AI training use of your data
- Disable facial recognition features
- Manage cookie preferences

Data Portability:
- Receive your data in a structured, machine-readable format
- Transfer your data to another service

5.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know:
- Categories of personal information we collect
- Sources of personal information
- Purposes for collection and sharing
- Categories of third parties with whom we share information
- Specific pieces of personal information we have about you

Right to Delete:
- Request deletion of personal information we collected from you
- Subject to certain exceptions (e.g., legal obligations)

Right to Opt-Out:
- Opt out of the "sale" or "sharing" of personal information
- We do not sell personal information, but you may opt out of sharing for targeted advertising

Right to Correct:
- Request correction of inaccurate personal information

Right to Limit Use of Sensitive Personal Information:
- Biometric data (facial recognition) is considered "sensitive personal information"
- You may limit use to only what is necessary to provide the Service

Right to Non-Discrimination:
- We will not discriminate against you for exercising your CCPA rights
- Equal service, quality, and pricing

To Exercise Your Rights:
- Email: [INSERT EMAIL]
- Submit via account settings
- Call: [INSERT PHONE NUMBER]

We will respond within 45 days (may extend by 45 days if needed).

5.3 Rights for EU/UK Residents (GDPR)

If you are in the European Union or United Kingdom, you have rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing:
We process your data based on:
- Consent: For optional features like facial recognition and marketing
- Contract: To provide the Service you signed up for
- Legal Obligation: To comply with laws
- Legitimate Interests: To improve the Service and prevent fraud

Your GDPR Rights:
- Right of Access: Obtain confirmation of data processing and access to your data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion ("right to be forgotten")
- Right to Restriction: Limit how we process your data
- Right to Data Portability: Receive and transfer your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for consent-based processing
- Right to Lodge a Complaint: Complain to your data protection authority

To Exercise Your Rights:
- Email: [INSERT EMAIL]
- Our Data Protection Officer: [INSERT DPO EMAIL]
- EU/UK contact address: [INSERT EU/UK ADDRESS if applicable]

We will respond within 30 days.

5.4 Rights for Illinois Residents (BIPA)

If you are an Illinois resident, you have specific rights regarding biometric data under the Illinois Biometric Information Privacy Act (BIPA):

BIPA Compliance:
- We provide written notice of biometric data collection
- We obtain written consent before collecting biometric data
- We disclose the purpose and duration of biometric data storage
- We do not sell, lease, or trade biometric data
- We maintain a retention and destruction schedule
- We use reasonable security measures to protect biometric data

Your BIPA Rights:
- Right to informed consent before collection
- Right to know the purpose of collection
- Right to know the retention schedule
- Right to sue for violations (BIPA provides a private right of action)

5.5 Rights for Texas Residents (CUBI)

Texas residents have rights under the Capture or Use of Biometric Identifier Act (CUBI):
- Notice before biometric data capture
- Consent before biometric data capture
- Protection against unauthorized disclosure
- Destruction of data within reasonable time after purpose is fulfilled

6. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal information:

6.1 Technical Safeguards

Encryption:
- Data encrypted in transit using TLS/SSL
- Data encrypted at rest using AES-256 or equivalent
- Biometric data subject to additional encryption layers
- Password encryption using industry-standard hashing (bcrypt)

Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Principle of least privilege
- Regular access reviews and audits

Network Security:
- Firewalls and intrusion detection systems
- DDoS protection
- Regular security scanning and penetration testing
- Isolated network segments for sensitive data

Application Security:
- Secure coding practices
- Regular security updates and patches
- Vulnerability scanning and remediation
- Security testing during development

6.2 Organizational Safeguards

Policies and Procedures:
- Data protection policies
- Incident response plan
- Employee security training
- Confidentiality agreements

Third-Party Management:
- Vendor security assessments
- Data processing agreements
- Regular audits of service providers
- Contractual security requirements

Monitoring and Auditing:
- Continuous security monitoring
- Regular security audits
- Logging and monitoring of access to personal data
- Annual security reviews

6.3 Limitations

No system is 100% secure. While we strive to protect your personal information:
- We cannot guarantee absolute security
- You are responsible for maintaining the security of your password
- You should use a strong, unique password
- You should enable two-factor authentication if available
- You should not share your account credentials

In the Event of a Breach:
- We will notify you without undue delay
- We will notify applicable regulatory authorities as required
- We will take steps to mitigate harm
- We will investigate and remediate the cause

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser.
We use cookies and similar tracking technologies to enhance your experience.

7.2 Types of Cookies We Use

Essential Cookies:
- Required for the Service to function
- Enable core features like authentication and security
- Cannot be disabled without affecting functionality

Functional Cookies:
- Remember your preferences and settings
- Enhance Service functionality
- Store your language preferences

Analytics Cookies:
- Help us understand how you use the Service
- Measure Service performance
- Identify areas for improvement
- Typically Google Analytics and similar services

Advertising Cookies:
- Deliver relevant advertisements (if applicable)
- Track ad campaign effectiveness
- May be placed by third-party ad networks

7.3 Managing Cookies

Browser Controls:
- Most browsers allow you to refuse or delete cookies
- Browser settings vary; consult your browser's help documentation
- Disabling essential cookies may affect Service functionality

Opt-Out Options:
- Opt out of Google Analytics: https://tools.google.com/dlpage/gaoptout
- Opt out of targeted advertising: https://optout.aboutads.info/
- Your browser's "Do Not Track" setting

Cookie Preferences:
- You can manage non-essential cookies in your account settings
- You can withdraw consent for cookies at any time

7.4 Other Tracking Technologies

Web Beacons/Pixels:
- Small invisible images used in emails and web pages
- Track email opens and link clicks
- Measure ad impressions

Local Storage:
- Similar to cookies but can store more data
- Used for Service functionality and preferences

Session Storage:
- Temporary storage cleared when you close your browser
- Used for Service functionality during your session

8. THIRD-PARTY LINKS AND SERVICES

8.1 External Links

Our Service may contain links to third-party websites and services:
- We are not responsible for the privacy practices of third parties
- We do not control third-party content
- We encourage you to read third-party privacy policies
- Links do not imply endorsement

8.2 Third-Party Integrations

When you connect third-party services (Facebook, Instagram, TikTok, etc.):
- You authorize data sharing per each platform's terms
- Each platform's privacy policy governs their use of your data
- You can revoke access at any time in your account settings
- We are not responsible for third-party data practices

8.3 Social Media Features

Our Service may include social media features (share buttons, etc.):
- These features may collect your IP address and page visited
- They may set cookies to function properly
- They are governed by the privacy policy of the company providing them

9. CHILDREN'S PRIVACY

9.1 Age Restrictions

PostPilot is not intended for children under 18 years of age:
- We do not knowingly collect personal information from children under 18
- Users must be 18 or older to create an account
- We comply with the Children's Online Privacy Protection Act (COPPA)

9.2 If We Learn of Child Data

If we learn we have collected personal information from a child under 18:
- We will delete that information as quickly as possible
- We will close the associated account
- Parents or guardians may contact us at [INSERT EMAIL]

10. INTERNATIONAL DATA TRANSFERS

10.1 Data Location

PostPilot operates in [INSERT PRIMARY COUNTRY] and may transfer data internationally:
- Data may be processed in countries other than your country of residence
- These countries may have different data protection laws
- We take steps to ensure adequate protection of your data

10.2 Legal Mechanisms

For EU/UK to US Transfers:
- We comply with applicable transfer mechanisms (Standard Contractual Clauses, adequacy decisions, etc.)
- We implement appropriate safeguards
- You may request a copy of transfer safeguards

For Other International Transfers:
- We use appropriate legal mechanisms
- We implement technical and organizational measures
- We ensure service providers offer adequate protection

10.3 Your Rights Regarding Transfers

If you are in the EU/UK:
- You have the right to obtain information about data transfers
- You have the right to object to transfers in certain circumstances
- You may lodge complaints with your supervisory authority

11. CHANGES TO THIS PRIVACY POLICY

11.1 Updates

We may update this Privacy Policy from time to time:
- Changes will be posted on this page
- "Last Updated" date will be revised
- Material changes will be notified via email or prominent notice
- Continued use after changes constitutes acceptance

11.2 Notification of Material Changes

For material changes, we will:
- Send email notification to your registered email address
- Display prominent notice on the Service
- Provide at least 30 days' notice before changes take effect
- For changes requiring consent, request your consent

11.3 Reviewing Changes

We encourage you to:
- Review this Privacy Policy periodically
- Check the "Last Updated" date
- Contact us with questions about changes

12. CONTACT US

12.1 Privacy Questions

For questions about this Privacy Policy or our privacy practices:

General Privacy Inquiries:
- Email: [INSERT PRIVACY EMAIL]
- Website: [INSERT WEBSITE URL]
- Address: [INSERT BUSINESS ADDRESS]

Data Protection Officer (if applicable):
- Email: [INSERT DPO EMAIL]
- Address: [INSERT DPO ADDRESS]

12.2 Exercising Your Rights

To exercise your privacy rights:
- Email: [INSERT PRIVACY EMAIL]
- Submit via account settings: [URL]
- Mail: [INSERT BUSINESS ADDRESS]

We will respond to requests within the timeframes required by applicable law (typically 30-45 days).

12.3 Complaints

If you have concerns about our privacy practices:
- Contact us first at [INSERT EMAIL]
- We will investigate and respond within 30 days

Regulatory Complaints:
- EU/UK: You may lodge a complaint with your supervisory authority
- California: California Attorney General's office
- Illinois: Illinois Attorney General's office for BIPA complaints
- Other: Your local data protection authority

13. ADDITIONAL INFORMATION

13.1 California "Shine the Light" Law

California residents may request information about personal information we disclosed to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

13.2 Nevada Residents

Nevada law allows Nevada residents to opt out of the sale of certain covered information. We do not sell covered information as defined under Nevada law. If you are a Nevada resident and have questions, contact us at [INSERT EMAIL].

13.3 Accessibility

We are committed to ensuring this Privacy Policy is accessible to people with disabilities. If you have difficulty accessing this Policy, please contact us at [INSERT EMAIL].

APPENDIX A: CALIFORNIA PRIVACY NOTICE

For California Residents

This notice supplements our Privacy Policy for California residents as required by CCPA/CPRA.

Categories of Personal Information We Collect:

Category | Examples | Collected?
Identifiers | Name, email, IP address | YES
Personal Records | Billing address, payment info | YES
Protected Classifications | Age (to verify 18+) | YES
Commercial Information | Purchase history, subscription | YES
Biometric Information | Facial recognition data | YES
Internet Activity | Browsing history, interactions | YES
Geolocation Data | General location from IP | YES
Sensory Data | Images, videos you upload | YES
Professional Information | Company name, job title | YES
Inferences | Preferences, characteristics | YES
Sensitive Personal Information | Biometric data | YES

Sources of Personal Information:
- Directly from you
- Automatically from your use of the Service
- From third-party social media platforms
- From our service providers

Business Purposes for Collection:
- Providing the Service
- Security and fraud prevention
- Improving the Service
- Customer support
- Legal compliance
- Marketing (with consent)

Categories of Third Parties We Share With:
- Service providers
- Social media platforms (per your instructions)
- AI technology providers
- Payment processors
- Analytics providers

Retention Periods: See Section 4 (Data Retention) of the main Privacy Policy

Your California Privacy Rights: See Section 5.2 of the main Privacy Policy

APPENDIX B: BIOMETRIC DATA NOTICE

Important Notice for Users of Facial Recognition Features

What Biometric Data We Collect:
- Facial geometry and measurements
- Facial feature maps
- Face templates (mathematical representations)

Why We Collect It:
- Face detection in photos
- Applying filters and effects
- Photo organization
- AI content generation

How Long We Keep It:
- 3 years from last use OR 30 days after account deletion
- Whichever comes first

How We Protect It:
- Encrypted storage
- Limited access
- No sale to third parties
- Secure deletion procedures

Your Rights:
- Opt out at any time
- Request deletion
- Access your data
- Receive retention schedule

How to Exercise Rights:
- Account settings → Privacy → Facial Recognition
- Email: [INSERT EMAIL]
- Delete account

You must provide consent before we collect biometric data.

END OF PRIVACY POLICY

Last Updated: [INSERT DATE]

ACKNOWLEDGMENT

By using PostPilot, you acknowledge that you have read, understood, and agree to this Privacy Policy.