Privacy Policy
Effective: July 11, 2026
- We store your account, your ideas, specs, architectures, and SOWs — that's the product.
- We never store source code you submit for verification. Verification runs in memory; only the report is kept.
- Your content is processed by our AI provider (Groq) to generate results. Groq is contractually prohibited from training on it.
- No advertising, no analytics trackers, no selling of data. Only strictly necessary session cookies.
- You can delete your account at any time; deletion is immediate and cascading.
1. Who we are
PostIdea (postidea.app) is operated by an individual proprietor based in Karachi, Pakistan ("we", "us", "our"). This policy explains what information we collect when you use PostIdea, why we collect it, and the choices you have. Questions or requests: support@postidea.app.
2. What we collect
Account data
Your email address, a hash of your password (if you register with one — we never store the password itself), your OAuth provider identifier and display name (if you sign in with Google or GitHub), and your role selection from onboarding. If you join the waiting list, we store the email address and role you submit so we can contact you about access.
Content you create
Your idea conversations, specifications, architecture documents, decisions, and statements of work. This is the substance of the product and is stored in our database for as long as your account and projects exist. Your conversation and specification content is sent to our AI provider to generate results (see Subprocessors).
Content you submit for verification
We do not store your source code. Verification runs entirely in memory: the file listing, file contents, and code diff you submit are processed to produce a report, and then discarded. What we keep is the report — verdicts, coverage scores, and SHA-256 fingerprints of the inputs and outputs — never the code itself. The optional AI audit (off by default) sends your code diff — never full file contents — to our AI provider for one-time advisory review; the prompt is not stored, only its fingerprint. The temporary cache that supports safe retries holds a copy of the report with all AI-generated advisory text removed, for at most one hour.
Technical data
Standard server logs (IP address, user agent, request identifiers), security event logs (for example, failed sign-in attempts, recorded with the email and IP involved), and short-lived security counters (sign-in failure counts, rate-limit state) that expire automatically within minutes. We use these to keep the service running and to detect abuse.
3. AI processing
PostIdea's generation features (idea refinement, specifications, architecture, statements of work, risk scoring, and the optional verification audit) are powered by models hosted by Groq, Inc. (currently Llama-family models such as llama-3.3-70b-versatile).
Groq is contractually prohibited from using your inputs or outputs to train or fine-tune models (Groq Services Agreement §4.2, effective October 15, 2025). Your data is processed to generate your results and is not retained by the provider for training. See Groq's Services Agreement and Data Processing Addendum.
To be precise about the limits of that promise: "not used for training" does not mean "never accessed." The provider may access data as necessary to operate the service and enforce its acceptable-use policy.
4. Subprocessors
We use a small number of service providers to run PostIdea:
| Provider | Purpose | Location |
|---|---|---|
| Groq, Inc. | AI inference (generation and optional verification audit) | United States |
| DigitalOcean, LLC | Application and database hosting | India (Bangalore) |
| Creem | Merchant of record — payment and subscription processing (activates when paid plans launch) | United States / EU |
| Google LLC | "Sign in with Google" authentication; web fonts on marketing pages | United States |
| GitHub, Inc. | "Sign in with GitHub" authentication; fetching file listings of public repositories you point us at | United States |
When you buy a paid plan, payment is handled by Creem as merchant of record. Creem processes your checkout and payment details as an independent controller under its own privacy notice — we never receive or store your full card details.
We may substitute subprocessors with providers offering equivalent data protections and will update this list when we do. We also plan to add product analytics (for example, PostHog), error monitoring (for example, Sentry), and a transactional email provider; each will be added to this list and take effect only after this policy is updated to name it. We do not use any of them today.
PostIdea's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only your basic profile (email address and name) for authentication.
5. Retention
- Projects, conversations, architectures, SOWs: kept while your account and the project exist.
- Specifications: we keep the 10 most recent versions per project; older versions are pruned automatically.
- Deleted projects: held for a roughly 30-second undo window, then permanently deleted along with their specs, architectures, and conversations.
- Verification: submitted code is never stored. The report summary is kept with your project; the retry cache holds a stripped report copy for at most 1 hour.
- Risk-score reports: expire automatically after 7 days.
- Security counters: sign-in failure and rate-limit counters expire automatically within about 15 minutes.
- Account deletion: removes your projects, specifications, architectures, conversations, and account record immediately and cascadingly.
6. Cookies and third-party requests
We use only strictly necessary cookies: a session cookie that keeps you signed in (HttpOnly, so scripts cannot read it) and a CSRF-protection cookie. There are no advertising cookies, no analytics trackers, and no third-party tracking of any kind.
One honest caveat: our marketing pages (including this one) load fonts and scripts from third-party CDNs (Google Fonts, Tailwind CDN). Your browser discloses your IP address to those services when it fetches these files. The app itself (/app) is stricter — it loads no third-party scripts at all, enforced by our Content Security Policy.
7. Your rights
You can access and correct your data in the app. You can copy or download your specifications and SOWs from the app directly; for a full export of your data, email us. You can delete your account and all associated data at any time from the app; deletion is immediate and cascading. For any other request — access, correction, deletion, portability, or objection — email support@postidea.app and we will respond within 30 days.
8. International transfers
We operate from Pakistan and use subprocessors in the locations listed above (primarily the United States). By using PostIdea you understand that your data is processed in those locations under the protections described in this policy and our subprocessors' agreements.
9. Children
PostIdea is not directed to children and requires users to be at least 18 years old. We do not knowingly collect data from anyone under 18; if we learn we have, we will delete it.
10. Security
We take specific, verifiable measures to protect your data — including HttpOnly session cookies, CSRF protection, brute-force lockouts, TLS everywhere, and a strict Content Security Policy. The full list, including what we don't yet claim, is on our Security page.
11. Changes to this policy
When we change this policy, we will update the effective date at the top and keep prior versions available at /legal/archive/. For material changes we will notify you in the app or by email before they take effect.
12. Contact
Privacy questions and requests: support@postidea.app. Security reports: security@postidea.app (see security.txt).