Posteflyposter maker

Privacy Policy

Last updated: 7 June 2026

This Privacy Policy explains what personal data Postefly collects, why, and what your rights are under the GDPR and other applicable laws.

1. Who we are

Postefly ("we", "us") is the data controller for personal data processed through postefly.com. Contact: support@postefly.com.

2. Data we collect

  • Account data: email address, hashed password (or OAuth identifier when you sign in with Google/Apple), account creation date.
  • Uploaded content: photos and text prompts you submit to generate posters; the generated poster images.
  • Usage data: credit balance, transactions, generation history, basic device/browser info, IP address used at signup (kept for abuse prevention for up to 24 hours, then summarised).
  • Payment data: handled by Stripe. We receive a payment confirmation and customer ID but never see your card details.

3. How we use your data

  • To provide the service (generate, store and display your posters).
  • To process payments and grant credits.
  • To prevent abuse, fraud and policy violations (signup rate-limiting, report handling).
  • To send transactional emails (verification, password reset, receipts).
  • To comply with legal obligations.

Legal bases (GDPR Art. 6): performance of contract (account, payments, generations), legitimate interest (security, abuse prevention), legal obligation (tax, compliance).

4. Sub-processors

We share the minimum data needed with these providers:

  • Supabase — database, authentication and storage (EU region).
  • Cloudflare — hosting and CDN.
  • Stripe — payment processing (acts as Merchant of Record for VAT/tax).
  • Google (Gemini) — AI image generation. Your photos and prompts are sent to Google's API to produce the poster. Google processes them as a sub-processor under its API terms.

5. Cookies

We use only essential cookies and local storage needed to keep you signed in, remember your preferences and protect the service from abuse. We do not use advertising cookies or third-party analytics trackers. No consent banner is legally required for essential cookies, but we display one for transparency.

6. Retention

  • Account data: while your account is active.
  • Posters and uploads: until you delete them or your account is purged.
  • Deleted accounts: soft-deleted for 30 days (grace period), then permanently erased.
  • Payment records: kept for the period required by tax law (typically up to 10 years).

7. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate data;
  • Erase your account and data (see "Account deletion" in Terms);
  • Object to or restrict certain processing;
  • Port your data to another service;
  • Lodge a complaint with your national data-protection authority.

To exercise any of these rights, email info@postefly.com.

8. International transfers

Some sub-processors (e.g. Google) may process data outside the EU/EEA. These transfers rely on Standard Contractual Clauses or equivalent safeguards.

9. Children

Postefly is not directed to children under 16. We do not knowingly collect personal data from children.

10. Changes

We will update this policy when our practices change. Material changes will be announced in-app or by email.

TermsPrivacyRefundsContact