Privacy Policy

Nanopost is operated by Huseynbala Gurbanli, a sole proprietor registered in the Republic of Azerbaijan ("the Operator"). For the purposes of applicable data protection law, the Operator is the data controller responsible for personal data processed about users of the Service, except where Nanopost acts as a data processor on behalf of its business customers as described in Section 4.

1. Scope & Application

This Privacy Policy applies to personal data we process about:

• Account holders — individuals and businesses who register for and use the Service.
• Website visitors — individuals who visit our public websites, including prospective customers who join our waitlist.
• Connected-account data subjects — individuals whose information is processed because an account holder has connected a third-party social media account (such as Instagram, LinkedIn, or TikTok) to the Service.

This Privacy Policy does not apply to third-party websites, products, or services that we do not own or control, even if they link to or are linked from the Service.

2. Definitions

Unless otherwise defined in this Privacy Policy, the following terms have the meanings set out below:

• Personal data means any information relating to an identified or identifiable natural person.
• Processing means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
• Data controller means the entity that determines the purposes and means of processing personal data.
• Data processor means an entity that processes personal data on behalf of a controller.
• Sub-processor means a third party engaged by us to process personal data in connection with the Service.
• Account holder or Customer means a person or organization that has registered for the Service.
• Generated content means captions, images, carousels, and other media produced by the Service's AI systems.

3. Information We Collect

3.1 Information you provide to us

• Account and identity data — name, email address, password (stored in hashed form), and authentication credentials used to access the Service.
• Brand and business data — business name, description, industry, target audience, website URL, hashtags, brand voice descriptions, visual style preferences, and any documents (such as PDF books or brand guidelines) you upload.
• Billing and payment data — where you subscribe to a paid plan, billing details and transaction records. Payment card details are collected and processed directly by our third-party payment processor; we do not store full payment card numbers on our systems.
• Communications — information you provide when you contact us for support, respond to surveys, or otherwise communicate with us.
• Waitlist data — the email address you submit to join our pre-launch waitlist.

3.2 Information from connected third-party accounts

When you connect a third-party social media account to the Service through an authorization (OAuth) flow, we receive and store information from that platform. Depending on the platform, this may include:

• Account identifiers (such as user ID, page ID, or open ID).
• Account username, display name, and profile picture URL.
• Aggregate metrics such as follower count, where made available.
• Account type (for example, Business or Creator).
• An access token (and, where applicable, a refresh token) that authorizes the Service to perform the specific actions you have approved, such as publishing content on your behalf.

3.3 Content data

• Publicly available content — publicly accessible social media posts from competitor accounts that you choose to monitor, collected for content analysis and inspiration.
• Generated content — captions, images, and carousels produced by the Service's AI systems, together with associated metadata.
• Feedback data — your approval, rejection, and editing decisions, used to improve the relevance and quality of generated content.

3.4 Information collected automatically

• Usage and log data — actions taken within the Service, feature usage, API usage events, computed operation costs, timestamps, and error logs.
• Device and connection data — IP address, browser type, operating system, device identifiers, and similar technical information.
• Cookies and similar technologies — as described in Section 7.

4. Controller & Processor Roles

Nanopost plays two different roles depending on the data in question:

As a data controller. For personal data of account holders and website visitors — such as account credentials, billing information, and usage data — the Operator determines the purposes and means of processing and therefore acts as a data controller.

As a data processor. When an account holder connects a third-party social media account and uses the Service to process content and associated data (including data relating to that account's audience or commenters), Nanopost generally acts as a data processor on behalf of the account holder, who is the controller of that data. In that capacity, we process such data only in accordance with the account holder's instructions and this Privacy Policy. Account holders are responsible for ensuring they have a lawful basis to provide such data to us and to instruct the processing they request.

5. How We Use Information

We use the information we collect for the following purposes:

• To create and administer your account and authenticate your access to the Service.
• To provide, operate, maintain, and improve the Service and its features.
• To connect to your authorized third-party social media accounts and publish content you have explicitly approved.
• To generate AI-powered content tailored to your brand voice, visual identity, and preferences.
• To analyze publicly available content that you choose to monitor for content inspiration and trend detection.
• To learn from your approval and rejection feedback in order to improve the quality and relevance of generated content.
• To process payments, manage subscriptions, and maintain billing records.
• To track operational usage and enforce any usage or budget limits you configure.
• To communicate with you about the Service, including service announcements, security alerts, and support messages.
• To send you marketing communications where permitted, subject to your right to opt out.
• To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
• To comply with legal obligations and enforce our Terms of Service.

6. Legal Bases for Processing

Where data protection law (such as the EU and UK General Data Protection Regulation) applies, we rely on the following legal bases to process personal data:

• Performance of a contract — to provide the Service you have requested and fulfil our obligations to you.
• Legitimate interests — to operate, secure, and improve the Service, prevent fraud and abuse, and conduct direct marketing, provided such interests are not overridden by your rights and freedoms.
• Consent — where you have given consent, for example when connecting a third-party account, joining our waitlist, or accepting non-essential cookies. You may withdraw consent at any time.
• Legal obligation — to comply with applicable laws, regulations, and lawful requests from authorities.

7. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, maintain authenticated sessions, and understand how the Service is used. We distinguish between:

• Strictly necessary cookies — required for core functionality such as authentication and security. These cannot be disabled through our cookie controls.
• Functional cookies — remember your settings and preferences.
• Analytics cookies — help us measure and improve the performance of the Service.

Where required by law, we obtain your consent before placing non-essential cookies. You can manage your cookie preferences through the cookie banner presented on our website and through your browser settings. Disabling certain cookies may affect the functionality of the Service.

8. How We Share Information

We do not sell your personal data. We share information only in the following circumstances:

• Service providers and sub-processors — with trusted third parties who process data on our behalf to provide the Service, as listed in Section 9.
• Social media platforms — with the platforms to which you have authorized us to publish, strictly to perform the actions you have approved.
• Legal and regulatory — where required to comply with applicable law, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Nanopost, our users, or others.
• Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case personal data may be transferred as part of that transaction, subject to this Privacy Policy.
• With your direction or consent — where you otherwise instruct or authorize us to share your information.

9. Sub-Processors

We engage the following categories of sub-processors to operate the Service. Each is bound by contractual obligations to protect personal data and to process it only as necessary to provide their services to us.

Sub-processor	Purpose	Data involved
Meta Platforms (Instagram Graph API)	Connecting Instagram accounts and publishing approved content	Account identifiers, access tokens, published content
LinkedIn	Connecting LinkedIn profiles and Company Pages and publishing approved content	Account identifiers, access tokens, published content
TikTok	Connecting TikTok accounts and publishing approved content	Account identifiers, access tokens, published content
OpenAI	AI text generation, image analysis, and image generation	Brand and content data submitted for generation
xAI (Grok)	Trend analysis from publicly available content	Topic and trend queries
Apify	Collection of publicly available social media posts	Public post data
Amazon Web Services (S3)	Storage of generated images and uploaded files	Generated and uploaded media
Supabase	Primary database for account, brand, and content data	Most stored personal and content data
Upstash (Redis)	Task queue and caching infrastructure	Transient operational data
Hetzner	Cloud hosting and infrastructure	All data processed by the Service
Telegram	Operational review and notification workflow	Content review notifications
Email delivery provider	Sending transactional and waitlist emails	Email address and message content
Payment processor	Processing subscription payments	Billing details and transaction records

We may update our sub-processors from time to time as the Service evolves. We will update this list to reflect material changes.

10. Third-Party Platforms

10.1 Meta / Instagram

The Service integrates with the Meta (Instagram) Platform. By connecting your Instagram Business or Creator account, you authorize Nanopost to read your Instagram account information, publish photo and carousel posts to your account only after you explicitly approve each post, and, where you enable it, manage comments on posts published through the Service. We do not sell or transfer Instagram data to third parties for advertising, and we use Instagram data only to provide the features you have requested. Our use of information received from the Meta Platform adheres to the Meta Platform Terms and Developer Policies, including any limited-use requirements.

10.2 LinkedIn

Where you connect a LinkedIn personal profile or Company Page, you authorize Nanopost to publish approved content to that profile or page on your behalf. We process LinkedIn account data and access tokens solely to provide this functionality, in accordance with the LinkedIn API Terms of Use and applicable LinkedIn policies.

10.3 TikTok

Where you connect a TikTok account, you authorize Nanopost to publish approved content to that account on your behalf. We process TikTok account data and access tokens solely to provide this functionality, in accordance with the TikTok Developer Terms and applicable TikTok policies. Depending on the review status of our application with TikTok, content may initially be published with restricted visibility as required by TikTok.

10.4 Revoking platform access

You can disconnect any connected account from within the Service at any time. You may also revoke our access directly through the connected-apps settings of the relevant platform. Upon disconnection or revocation, the associated access token is deleted from our systems.

11. AI & Automated Processing

The Service uses artificial intelligence to analyze content and generate captions and images. Brand and content data you provide may be transmitted to our AI sub-processors for the purpose of generating output you have requested. We do not use this data to train our own foundation models. Our AI sub-processors process data in accordance with their own terms and privacy commitments.

The Service is designed with a human-in-the-loop model: AI-generated content is queued for your review, and no content is published to a connected account without an explicit human approval action. The Service does not make decisions that produce legal or similarly significant effects about individuals through solely automated means.

12. International Data Transfers

Nanopost is operated from the Republic of Azerbaijan, and our sub-processors may store and process data in the European Economic Area, the United States, and other jurisdictions. As a result, your personal data may be transferred to, and processed in, countries other than the country in which you reside, which may have different data protection laws.

Where we transfer personal data subject to the GDPR outside the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision where available. You may contact us to request further information about the safeguards we apply.

13. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific practices include:

• Account data — retained while your account is active and for a reasonable period afterwards to comply with legal obligations and resolve disputes.
• Access tokens — deleted promptly upon disconnection of the relevant account or revocation of access.
• Generated and published content — retained to provide publishing history; you may delete individual items at any time.
• Billing records — retained for the period required by applicable tax and accounting laws.
• Usage and log data — retained for a limited period for security, troubleshooting, and analytics.
• Waitlist data — retained until you ask to be removed or until the waitlist purpose is fulfilled.

When personal data is no longer required, we will delete or anonymize it.

14. Data Security

We implement administrative, technical, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit using HTTPS, token-based authentication, access controls, and secure storage of credentials. Access tokens are used only to perform the actions you have explicitly authorized.

No method of transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security, and you provide information to us at your own risk. You are responsible for keeping your account credentials confidential.

15. Your Privacy Rights

Depending on your location, you may have some or all of the following rights regarding your personal data:

• Access — to request a copy of the personal data we hold about you.
• Rectification — to request correction of inaccurate or incomplete data.
• Erasure — to request deletion of your personal data in certain circumstances.
• Restriction — to request that we limit the processing of your data in certain circumstances.
• Portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Objection — to object to processing based on legitimate interests or to direct marketing.
• Withdrawal of consent — to withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us using the details in Section 24. We will respond within the time period required by applicable law. We may need to verify your identity before fulfilling your request. You will not be charged for exercising your rights unless your request is manifestly unfounded or excessive.

16. EEA & UK Rights (GDPR)

If you are located in the European Economic Area or the United Kingdom, the rights described in Section 15 apply to you under the GDPR. In addition, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data infringes applicable law. We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority, so we encourage you to contact us first.

17. California Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides you with specific rights regarding your personal information:

• Right to know — to request disclosure of the categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it.
• Right to delete — to request deletion of personal information we have collected, subject to certain exceptions.
• Right to correct — to request correction of inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell personal information and do not share it for cross-context behavioral advertising.
• Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us using the details in Section 24. You may designate an authorized agent to make a request on your behalf, subject to verification.

18. Data Deletion

You can disconnect any connected social media account from within the Service at any time; upon disconnection, the associated access token is immediately deleted from our systems. To request deletion of your account and associated personal data, contact us at privacy@nanopost.xyz. We will process verified deletion requests within thirty (30) days, except where retention is required by law. Some residual data may remain in backups for a limited period before being overwritten.

19. Children's Privacy

The Service is intended for use by businesses and individuals who are at least eighteen (18) years old, or the age of majority in their jurisdiction. The Service is not directed to children, and we do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will take steps to delete such information.

20. Marketing Communications

We may send you marketing communications about the Service where permitted by law or where you have consented. You can opt out of marketing communications at any time by following the unsubscribe instructions included in those communications or by contacting us. Opting out of marketing communications will not affect transactional or service-related messages necessary to operate the Service.

21. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required by applicable law, affected individuals, without undue delay and in accordance with our legal obligations.

22. Third-Party Links

The Service may contain links to third-party websites, products, or services that are not operated by us. This Privacy Policy does not apply to those third parties, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party services you access.

23. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will revise the "Last updated" date at the top of this page and, where appropriate, provide additional notice. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.

24. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our processing of your personal data, please contact us: