PostIdea PostIdea
Legal

Privacy Policy

Effective: July 11, 2026

The short version

1. Who we are

PostIdea (postidea.app) is operated by an individual proprietor based in Karachi, Pakistan ("we", "us", "our"). This policy explains what information we collect when you use PostIdea, why we collect it, and the choices you have. Questions or requests: support@postidea.app.

2. What we collect

Account data

Your email address, a hash of your password (if you register with one — we never store the password itself), your OAuth provider identifier and display name (if you sign in with Google or GitHub), and your role selection from onboarding. If you join the waiting list, we store the email address and role you submit so we can contact you about access.

Content you create

Your idea conversations, specifications, architecture documents, decisions, and statements of work. This is the substance of the product and is stored in our database for as long as your account and projects exist. Your conversation and specification content is sent to our AI provider to generate results (see Subprocessors).

Content you submit for verification

We do not store your source code. Verification runs entirely in memory: the file listing, file contents, and code diff you submit are processed to produce a report, and then discarded. What we keep is the report — verdicts, coverage scores, and SHA-256 fingerprints of the inputs and outputs — never the code itself. The optional AI audit (off by default) sends your code diff — never full file contents — to our AI provider for one-time advisory review; the prompt is not stored, only its fingerprint. The temporary cache that supports safe retries holds a copy of the report with all AI-generated advisory text removed, for at most one hour.

Technical data

Standard server logs (IP address, user agent, request identifiers), security event logs (for example, failed sign-in attempts, recorded with the email and IP involved), and short-lived security counters (sign-in failure counts, rate-limit state) that expire automatically within minutes. We use these to keep the service running and to detect abuse.

3. AI processing

PostIdea's generation features (idea refinement, specifications, architecture, statements of work, risk scoring, and the optional verification audit) are powered by models hosted by Groq, Inc. (currently Llama-family models such as llama-3.3-70b-versatile).

Groq is contractually prohibited from using your inputs or outputs to train or fine-tune models (Groq Services Agreement §4.2, effective October 15, 2025). Your data is processed to generate your results and is not retained by the provider for training. See Groq's Services Agreement and Data Processing Addendum.

To be precise about the limits of that promise: "not used for training" does not mean "never accessed." The provider may access data as necessary to operate the service and enforce its acceptable-use policy.

4. Subprocessors

We use a small number of service providers to run PostIdea:

Provider Purpose Location
Groq, Inc.AI inference (generation and optional verification audit)United States
DigitalOcean, LLCApplication and database hostingIndia (Bangalore)
CreemMerchant of record — payment and subscription processing (activates when paid plans launch)United States / EU
Google LLC"Sign in with Google" authentication; web fonts on marketing pagesUnited States
GitHub, Inc."Sign in with GitHub" authentication; fetching file listings of public repositories you point us atUnited States

When you buy a paid plan, payment is handled by Creem as merchant of record. Creem processes your checkout and payment details as an independent controller under its own privacy notice — we never receive or store your full card details.

We may substitute subprocessors with providers offering equivalent data protections and will update this list when we do. We also plan to add product analytics (for example, PostHog), error monitoring (for example, Sentry), and a transactional email provider; each will be added to this list and take effect only after this policy is updated to name it. We do not use any of them today.

PostIdea's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only your basic profile (email address and name) for authentication.

5. Retention

6. Cookies and third-party requests

We use only strictly necessary cookies: a session cookie that keeps you signed in (HttpOnly, so scripts cannot read it) and a CSRF-protection cookie. There are no advertising cookies, no analytics trackers, and no third-party tracking of any kind.

One honest caveat: our marketing pages (including this one) load fonts and scripts from third-party CDNs (Google Fonts, Tailwind CDN). Your browser discloses your IP address to those services when it fetches these files. The app itself (/app) is stricter — it loads no third-party scripts at all, enforced by our Content Security Policy.

7. Your rights

You can access and correct your data in the app. You can copy or download your specifications and SOWs from the app directly; for a full export of your data, email us. You can delete your account and all associated data at any time from the app; deletion is immediate and cascading. For any other request — access, correction, deletion, portability, or objection — email support@postidea.app and we will respond within 30 days.

8. International transfers

We operate from Pakistan and use subprocessors in the locations listed above (primarily the United States). By using PostIdea you understand that your data is processed in those locations under the protections described in this policy and our subprocessors' agreements.

9. Children

PostIdea is not directed to children and requires users to be at least 18 years old. We do not knowingly collect data from anyone under 18; if we learn we have, we will delete it.

10. Security

We take specific, verifiable measures to protect your data — including HttpOnly session cookies, CSRF protection, brute-force lockouts, TLS everywhere, and a strict Content Security Policy. The full list, including what we don't yet claim, is on our Security page.

11. Changes to this policy

When we change this policy, we will update the effective date at the top and keep prior versions available at /legal/archive/. For material changes we will notify you in the app or by email before they take effect.

12. Contact

Privacy questions and requests: support@postidea.app. Security reports: security@postidea.app (see security.txt).