Privacy Policy
Effective: April 28, 2026 · Last updated: June 7, 2026
We keep this short and honest. Here’s what we do with your data. Post is operated by Novel, LLC.
What we collect
Account details. When you create an account, we collect your email address and name. Authentication is handled by Supabase Auth; we never see your password.
Financial platform data. When you connect a platform (YouTube, TikTok, Instagram, Snapchat, Stripe, etc.), we access your earnings and engagement data through read-only OAuth connections. We never request write access.
Bank data via Plaid. When you connect a bank account, Plaid Inc. collects your banking credentials directly inside Plaid Link and returns transaction and balance data to Post. We do not see or store your bank login credentials. Plaid runs its own consent flow at the time of connection, and Plaid’s handling of your data is governed by the Plaid End User Privacy Policy, which we recommend reviewing before connecting.
Receipts and documents. When you capture a receipt, we process the image to extract transaction details (see “AI processing” below). Receipt images are stored in an access-controlled bucket accessible only to you and any collaborators you invite.
Tax inputs. You may voluntarily provide filing status, home state, dependents, spouse W-2 income, prior-year AGI, and prior-year tax to power accurate tax calculations. These fields are optional but enable core features.
Usage and error data. We collect standard diagnostic data (error stack traces, performance metrics) via Sentry to keep the product stable.
How we use it
- To provide the Post service — tracking your income, expenses, and tax obligations across platforms
- To generate tax-preparation documents (Schedule C draft, General Ledger, quarterly payment log, 1099 reconciliation)
- To send product notifications you’ve opted into (weekly digests, quarterly tax reminders, receipt-parse failures)
- To secure your account and detect abuse
- To improve the product (aggregated, non-identifying metrics only)
What we do not do: we do not sell your data. We do not share your financial information with advertisers. We do not use your financial data to train third-party AI models (see “AI processing” below).
AI processing
To read receipts and suggest categories, we send the receipt image or transaction text to Anthropic (Claude API). Anthropic represents in its commercial API terms that it does not use customer submissions to train its general models. We do not perform any in-house model training on creator data.
AI-suggested categories are always drafts — you confirm before anything is saved. No financial decision is made by Post or by an AI model on your behalf without your confirmation, and AI outputs do not constitute financial or tax advice.
Third-party services (subprocessors)
We rely on the following vendors to operate Post. Each has its own privacy policy; we only share data necessary for the service to function.
- Supabase — database, authentication, file storage (hosted in US-West-2)
- Vercel — web application hosting
- Plaid — bank account connection and transaction data
- Stripe — subscription billing (for your Post plan) and read-only Stripe Connect ingestion (for your creator payouts)
- Anthropic — receipt image parsing and transaction categorization
- Inngest — background job processing (receipt parsing, nightly syncs)
- Upstash — rate limiting (no personal data stored)
- Postmark — inbound receipt forwarding via email
- Resend — outbound transactional email
- Sentry — error tracking (stack traces + user IDs; no secrets or full request bodies)
- PostHog — product analytics (consent-gated; fires only after you accept our cookie banner)
- Google (YouTube) — OAuth and YouTube Analytics / AdSense data on your authorization
- TikTok, Meta (Instagram), Snap — OAuth and platform analytics on your authorization
If we add a new subprocessor that will access personal or financial data, we’ll notify existing users by email at least 30 days before activating it. You can opt out by deleting your account during that window; continued use after the notice constitutes consent.
Email communications
Transactional emails (account alerts, receipts, tax estimate reminders, security notifications) are required by your account; you can’t opt out without deleting the account.
Marketing emails (digests, feature announcements, promotions) include an unsubscribe link in every message, and unsubscribe requests are honored within 10 business days. You can also update your notification preferences in Settings → Notifications.
Data retention
We retain your active financial data while your account is active. After deletion, we keep a minimal record (account email, deletion timestamp, type of deletion) for up to 7 years to comply with IRS Publication 583 and IRC §6001. All other data is permanently deleted within 30 days of the soft-delete window closing. Encrypted database backups may persist for up to 30 days but are not restored.
If you delete your account, you have a 30-day grace period during which you can restore it. After that, the deletion is permanent except for the minimal IRS-retention record described above.
Your rights
- Access — export all your data at any time from Settings (CSV and PDF formats)
- Correction — edit any transaction, deal, or receipt record in-app
- Deletion — delete your account from Settings with a 30-day grace period
- Portability — exports include General Ledger, Trial Balance, Schedule C draft, 1099 reconciliation, and raw transaction CSVs
California residents (CCPA / CPRA)
If you live in California, you have the right to know what personal information we collect, to request deletion, to correct inaccurate data, and to opt out of “sale” or “sharing” of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising — see our dedicated Do Not Sell or Share My Personal Information page for details and to submit a request. To exercise any other CCPA right, email legal@postforcreators.com. Exercising any right will not affect your access to Post or the price you pay.
Collaborators
You can invite collaborators — for example, your CPA — to view or work with your financial data. Collaborators see the data you grant them access to and are bound by the same terms you are. You can revoke access at any time from Settings.
Security
We encrypt data in transit (TLS) and at rest (database-level encryption + application-level encryption for OAuth tokens via pgcrypto). We enforce row-level security in the database so your data is never exposed to other creators. Administrative access to production systems is restricted to the minimum number of people and protected by multi-factor authentication.
We follow a documented information security policy covering access control, incident response, key rotation, and vendor management. We plan to pursue SOC 2 Type I certification once operationally ready.
Incident response & breach notification
Detection. Production systems are covered by automated error tracking and alerting. We aim to classify security incidents by severity within one hour of detection.
Containment. Exposed credentials (OAuth tokens, API keys, database credentials) are rotated within 4 hours of confirmation of exposure, and affected sessions are revoked.
Notification. If we confirm that your personal data was accessed or disclosed without authorization, we will email you at the address on your account within 72 hours of that confirmation. The notice will describe what data was affected, the date range, what happened, and steps you should take. Where state law requires a shorter timeline (for example, California’s 48-hour SSN-exposure rule), the shorter timeline takes precedence.
Children
Post is intended for users 18 and older. We do not knowingly collect personal information from anyone under 18, and we do not knowingly collect personal information from children under 13 in any context. If you believe a minor has provided us with data, email legal@postforcreators.com and we will delete it.
International users
Post is operated from the United States and our primary data storage is in US-West-2. If you access Post from outside the United States, your data will be transferred to and processed in the U.S. We do not currently offer service in the European Union or United Kingdom.
Changes to this policy
We’ll notify you of material changes via email at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
Contact
Questions about this policy? Email us at legal@postforcreators.com.