Legal

Privacy Policy

Last updated: April 21, 2026

DRAFT — This policy will be reviewed by legal counsel before launch. It describes our current practices and intentions.

We keep this short and honest. Here’s what we do with your data. Post is operated by Novel LLC.

What we collect

Account details. When you create an account, we collect your email address and name. Authentication is handled by Supabase Auth; we never see your password.

Financial platform data. When you connect a platform (YouTube, TikTok, Instagram, Snapchat, Stripe, etc.), we access your earnings and engagement data through read-only OAuth connections. We never request write access.

Bank data via Plaid. When you connect a bank account, Plaid Inc. collects your banking credentials on our behalf and returns transaction and balance data to Post. We do not see or store your bank login credentials. Plaid’s own handling of your data is governed by the Plaid End User Privacy Policy. By connecting a bank via Plaid through Post, you accept that policy.

Receipts and documents. When you capture a receipt, we process the image to extract transaction details (see “AI processing” below). Receipt images are stored in an access-controlled bucket accessible only to you and any collaborators you invite.

Tax inputs. You may voluntarily provide filing status, home state, dependents, spouse W-2 income, prior-year AGI, and prior-year tax to power accurate tax calculations. These fields are optional but enable core features.

Usage and error data. We collect standard diagnostic data (error stack traces, performance metrics) via Sentry to keep the product stable.

How we use it

  • To provide the Post service — tracking your income, expenses, and tax obligations across platforms
  • To generate tax-preparation documents (Schedule C draft, General Ledger, quarterly payment log, 1099 reconciliation)
  • To send product notifications you’ve opted into (weekly digests, quarterly tax reminders, receipt-parse failures)
  • To secure your account and detect abuse
  • To improve the product (aggregated, non-identifying metrics only)

What we do not do: we do not sell your data. We do not share your financial information with advertisers. We do not use your financial data to train third-party AI models (see “AI processing” below).

AI processing

To read receipts and suggest categories, we send the image or transaction text to Anthropic (Claude API). Anthropic does not train on data submitted through their commercial API under the terms of our agreement. We do not perform any in-house model training on creator data today.

AI-suggested categories are always drafts — you confirm before anything is saved. No financial decision is made autonomously.

Third-party services (subprocessors)

We rely on the following vendors to operate Post. Each has its own privacy policy; we only share data necessary for the service to function.

  • Supabase — database, authentication, file storage (hosted in US-West-2)
  • Vercel — web application hosting
  • Plaid — bank account connection and transaction data
  • Stripe — subscription billing (for your Post plan) and read-only Stripe Connect ingestion (for your creator payouts)
  • Anthropic — receipt image parsing and transaction categorization
  • Inngest — background job processing (receipt parsing, nightly syncs)
  • Upstash — rate limiting (no personal data stored)
  • Postmark — inbound receipt forwarding via email
  • Resend — outbound transactional email
  • Sentry — error tracking (stack traces + user IDs; no secrets or full request bodies)
  • Google (YouTube) — OAuth and YouTube Analytics / AdSense data on your authorization
  • TikTok, Meta (Instagram), Snap — OAuth and platform analytics on your authorization

Data retention

We retain your financial data for as long as your account is active, plus 7 years after account deletion to comply with IRS record-keeping requirements. Archived records have personally identifiable fields stripped.

If you delete your account, there is a 30-day grace period during which you can restore it. After that, your active data is permanently removed, though encrypted database backups may persist for up to 30 days before they roll off.

Your rights

  • Access — export all your data at any time from Settings (CSV and PDF formats)
  • Correction — edit any transaction, deal, or receipt record in-app
  • Deletion — delete your account from Settings with a 30-day grace period
  • Portability — exports include General Ledger, Trial Balance, Schedule C draft, 1099 reconciliation, and raw transaction CSVs

California residents (CCPA / CPRA)

If you live in California, you have the right to know what personal information we collect, to request deletion, to correct inaccurate data, and to opt out of “sale” or “sharing” of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. To exercise any right, email privacy@postforcreators.com.

Collaborators

You can invite collaborators — for example, your CPA — to view or work with your financial data. Collaborators see the data you grant them access to and are bound by the same terms you are. You can revoke access at any time from Settings.

Security

We encrypt data in transit (TLS) and at rest (database-level encryption + application-level encryption for OAuth tokens via pgcrypto). We enforce row-level security in the database so your data is never exposed to other creators. Administrative access to production systems is restricted to the minimum number of people and protected by multi-factor authentication.

We follow a documented information security policy covering access control, incident response, key rotation, and vendor management. Our SOC 2 Type I audit is targeted for 2027.

Breach notification

If we become aware of a security incident affecting your data, we will notify you within 72 hours of confirmation, or sooner if required by applicable state law. Notification will describe what happened, what data was affected, and steps we’re taking.

Children

Post is intended for users 18 and older. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with data, email privacy@postforcreators.com and we will delete it.

International users

Post is operated from the United States and our primary data storage is in US-West-2. If you access Post from outside the United States, your data will be transferred to and processed in the U.S. We do not currently offer service in the European Union or United Kingdom.

Changes to this policy

We’ll notify you of material changes via email at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

Questions about this policy? Email us at privacy@postforcreators.com.

Post uses cookies for sign-in and light product analytics so we can make things better. No ads, no resale. See privacy.