Privacy Policy
Effective Date: 2026-04-14
Last Updated: 2026-04-14
1. Who We Are
Unposted ("Unposted," "we," "us," "our") is a software-as-a-service product operated by BrandPick AI LLC, a limited liability company organized under the laws of the State of Delaware, United States (EIN 41-4757001).
- Service homepage: https://unposted.brandpick.ai
- Support: support@unposted.brandpick.ai
- Legal inquiries: legal@brandpick.ai
This Privacy Policy explains how we collect, use, share, and protect information when you use Unposted.
2. Who Uses Unposted
Unposted is a business-to-business service intended for owners, managers, and authorized staff of independent small businesses in the United States. You must be at least 18 years old and authorized to act on behalf of the business you register.
Unposted is not directed to children under 13, and we do not knowingly collect personal information from children.
3. Information We Collect
3.1 Information You Provide Directly
- Account information: your name, email address, phone number (optional), preferred language.
- Business information: business name, physical address, timezone, vertical (e.g., restaurant), cuisine type, website URL, phone number.
- Team information: names, emails, and roles of team members you invite.
- Billing information: processed by Stripe, Inc. We do not store full payment card numbers on our servers. We store a Stripe customer identifier and subscription metadata.
- Content you upload: photos, captions, post drafts, scheduling preferences.
- Support communications: messages you send to our support channels.
3.2 Information From Connected Platforms
When you authorize Unposted to connect to your business accounts, we access the following via official APIs:
- Google Business Profile: business locations, posts, reviews, review replies, business photos, basic profile metadata.
- Instagram (Meta Platforms, Inc.): your Instagram Business account ID, linked Facebook Page ID, and content publishing endpoints. We do not access your personal Instagram profile, private messages, or stories unless explicitly authorized in a future release.
- TikTok for Business: your authorized TikTok Business account ID and content publishing endpoints.
We store encrypted OAuth access and refresh tokens for each connected channel. These tokens are encrypted at rest using authenticated encryption (pgsodium or AES-GCM with keys held in a managed key service). Tokens are never exposed to client applications; only our server-side worker processes decrypt them for authorized API calls.
3.3 Information We Generate
- AI-generated content: draft captions and draft review replies created by our AI models on your behalf.
- Usage metadata: which features you use, API call counts, AI token usage, latency.
- Device tokens: if you enable push notifications, the device push token from Apple's or Google's push notification services.
3.4 Automatically Collected
- Log data: IP address, browser user agent, request timestamps, request paths (for security, fraud prevention, and debugging).
- Cookies and similar: session cookies required for authentication, and preference cookies. We do not use advertising cookies. We do not operate a cross-site advertising network.
4. How We Use Your Information
We use your information to:
- Provide the service: publish posts you approve, fetch reviews from channels you have connected, draft replies, manage your subscription.
- Improve the service: monitor errors, analyze performance, debug issues.
- Train your personal tone profile: we use your past reviews and your owner-edited replies to construct a private, per-business tone profile used only for your account's future drafts. We do not train general-purpose AI models using your data, and we do not share your data with any AI provider for training purposes. (See Section 5 for details on AI processing.)
- Communicate with you: send transactional emails (welcome, receipts, security alerts), service updates, and, with your opt-in consent, occasional product news. You can opt out of product news at any time.
- Enforce our Terms, prevent fraud, comply with legal obligations.
5. AI Processing
Unposted generates captions and review replies using large language models provided by Anthropic PBC (Claude models) via Anthropic's API.
When we call Anthropic's API, we may send:
- Business metadata you provided (name, cuisine, city)
- The specific photo you uploaded (for caption generation, so the caption matches the image)
- The text of a specific review (for reply generation)
- Your stored tone profile (persona paragraph + few-shot examples from your past content)
We do not send:
- Your OAuth tokens
- Other businesses' data
- Personally identifiable information about reviewers beyond what Google Business Profile returns publicly
Anthropic processes this data under its commercial terms as a data processor for Unposted. Anthropic does not use API inputs or outputs to train its foundation models. See Anthropic's commercial terms: https://www.anthropic.com/legal/commercial-terms
6. How We Share Information
We share information only in the following circumstances:
6.1 With Platforms You Connect
When you approve a post or reply, the content (including the photo and caption) is sent to the platform(s) you selected (Google Business Profile, Instagram, or TikTok) via their official APIs. Their use of that content is governed by their own terms, not ours.
6.2 With Our Service Providers ("Sub-processors")
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| Vercel, Inc. | Web application hosting | United States |
| Railway Corp. (or Fly.io, Inc.) | Background worker hosting | United States |
| Anthropic PBC | AI caption and reply generation | United States |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Sentry / Functional Software, Inc. | Error tracking | United States |
| Expo, Inc. | Push notification delivery (iOS/Android) | United States |
| Better Stack / Axiom | Log aggregation (if enabled) | United States |
| Google LLC | When you connect Google Business Profile | United States |
| Meta Platforms, Inc. | When you connect Instagram | United States |
| TikTok Pte. Ltd. / ByteDance Ltd. | When you connect TikTok | United States / Singapore |
All sub-processors are bound by contract to protect your data and use it only to provide services to us.
6.3 For Legal Reasons
We may disclose information if we believe in good faith that it is necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Unposted, our users, or the public.
6.4 In Business Transfers
If Unposted is involved in a merger, acquisition, financing, or sale of assets, we may transfer your information to the relevant party, subject to this Privacy Policy.
6.5 We Do Not Sell Your Personal Information
We do not sell your personal information in the ordinary meaning of "sell." Under the California Consumer Privacy Act (CCPA), certain data transfers to sub-processors for operating the service may be considered "sharing" under a narrow statutory definition, but we do not enable cross-context behavioral advertising.
7. Data Retention
| Data | Retention |
|---|---|
| Account and business records | Until you delete your account |
| Posts, reviews, replies | Until you delete your account, then hard-deleted within 60 days |
| OAuth tokens | Until you disconnect the channel or delete your account, then immediately purged |
| Photos in storage | Until you delete the post or your account |
| Billing records | 7 years (tax and financial compliance) |
| Audit and security logs | 2 years |
| AI usage metadata (token counts, not content) | 2 years |
After account deletion, data is soft-deleted for 30 days (recovery window) and then permanently purged within an additional 30 days, for a total maximum of 60 days from deletion request to permanent purge.
8. Your Rights and Choices
Regardless of where you live, you can:
- Access: request a copy of your data via the in-app Export Data button or by emailing support.
- Correct: update your account and business information in the settings at any time.
- Delete: delete your account in the settings or by emailing support. See Section 7 for retention timelines.
- Disconnect channels: revoke any connected channel in settings, which immediately purges stored tokens for that channel.
- Opt out of marketing emails: click the unsubscribe link in any marketing email.
8.1 California (CCPA / CPRA)
California residents have specific rights to know, delete, correct, and limit use of sensitive personal information. To exercise these rights, contact support@unposted.brandpick.ai. We do not sell personal information as that term is commonly understood, and we do not engage in cross-context behavioral advertising.
8.2 European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, UK, or Switzerland, the GDPR or UK GDPR applies. The legal bases for processing are: performance of a contract (to provide the service), legitimate interests (to secure and improve the service), legal obligation (tax, fraud prevention), and consent (for optional marketing communications). You have the right to access, rectify, or erase your data, to restrict or object to processing, to data portability, and to lodge a complaint with your supervisory authority.
8.3 Other US States
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, delete, and correct. Contact support@unposted.brandpick.ai to exercise them.
9. Security
We implement industry-standard security measures:
- OAuth tokens encrypted at rest with authenticated encryption.
- TLS 1.2+ for all data in transit.
- Row-level security in our database so tenants cannot read each other's data.
- Principle of least privilege for operational access; only named engineers have production data access, logged and audited.
- Regular backups with point-in-time recovery.
- Security incident response plan.
No system is perfectly secure. We will notify affected users of material security incidents as required by applicable law.
10. International Data Transfers
Our primary infrastructure is located in the United States. If you access Unposted from outside the United States, your data will be transferred to and processed in the United States. For users in the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (or UK IDTA) where required.
11. Children's Privacy
Unposted is a business tool and is not intended for children under 13. We do not knowingly collect information from children. If you believe a child has provided information to us, contact support@unposted.brandpick.ai and we will delete it.
12. Changes to This Policy
We may update this policy. Material changes will be announced in-app and via email at least 14 days before they take effect. Your continued use of Unposted after the effective date constitutes acceptance.
13. Contact
Questions or requests related to this policy:
BrandPick AI LLC
Attn: Privacy
support@unposted.brandpick.ai
[Delaware registered address — Glenn to fill]