Privacy Policy
Last updated: May 13, 2026
Summary
Postworthy is operated by Archetype Media Inc. We collect the information needed to generate LinkedIn content on your behalf: your account details, your professional profile and voice, the source material you submit (articles, podcasts, screenshots), and the posts we generate for you. We use Google Gemini for AI generation, Tavily for research, Event Registry for news, Supabase for hosting, Stripe for billing, Resend for email, PostHog for analytics, and Inngest for workflow orchestration. We do not sell your data. If you opt in to direct LinkedIn posting, we store encrypted OAuth tokens. The full policy below has the details.
1. Introduction
Postworthy is operated by Archetype Media Inc. ("we," "us," or "our"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your choices when you use Postworthy.
By using Postworthy, you agree to the practices described in this policy.
2. Information We Collect
Account Information
- Email address (provided during signup or via Google sign-in)
- Name (from your Google profile when using Google sign-in)
- Authentication credentials (passwords are hashed and managed by Supabase Auth; we never store passwords in plaintext)
Billing Information
- We use Stripe to process payments. Card details and payment credentials are handled by Stripe directly — Postworthy never sees or stores full card numbers
- We store Stripe customer and subscription identifiers, billing plan, subscription status, trial state, and abandoned-checkout records to operate billing and lifecycle email
Client Profile and Voice Data
- Professional background, role, audience, expertise areas, content pillars, contrarian perspectives, signature stories, and voice preferences you provide during onboarding or through the in-app questionnaire
- This profile is used to generate personalized LinkedIn content. You can review, update, or request deletion of your profile at any time
Source Material You Submit
- URLs — pages you submit through the URL-to-post flow or our iOS Share Shortcut. We fetch and process the page contents to generate a post
- Podcasts — podcast episode URLs you share. We resolve the audio source, transcribe the audio, and process the transcript to generate a post
- Screenshots — images you share. We use AI to interpret the image contents and generate a post from what was captured
- Ideas / brain dumps — freeform text you submit through the idea-to-post or builder flows
Generated Content
- AI-generated LinkedIn posts, edits you make, version history, framework assignments, and research notes used during generation
- Pipeline session metadata (which articles were assessed, which were selected, how they were scored)
- Engagement information you self-report through the dashboard (impressions, reactions, comments)
- Feedback you provide on individual posts (rating, free-text notes)
LinkedIn Data (only if you opt in to direct posting)
- If you connect your LinkedIn account and enable direct posting in your account settings, we receive your LinkedIn member identifier (URN), name, and email through LinkedIn's OpenID Connect flow
- We store an OAuth access token and refresh token, both encrypted at rest, scoped to openid profile email w_member_social. The w_member_social scope lets us publish posts you explicitly choose to share — it does not let us read your feed, your connections, your messages, or your engagement data
- Tokens are used only to publish content you initiate. If LinkedIn rejects a request with a 401 or 403, we automatically soft-revoke the connection and prompt you to reconnect
- You can disconnect at any time from your account settings. Disconnection deletes the stored tokens
If you do not connect LinkedIn (the default), Postworthy does not touch your LinkedIn account. Sharing happens by copying the generated post to your clipboard and opening LinkedIn's composer in a new tab — you paste and post manually.
Marketing and Lead Information
- If you submit your email through a marketing page, blog opt-in, or lead capture form, we record your email, the source, and any context you provide
- If you start checkout but don't finish, we record the abandoned-checkout state so we can send a reminder email
Analytics and Logs
- Standard server logs (IP address, browser type, request paths, timestamps)
- Product and website analytics through PostHog, including page views, feature usage, and identified-user events once you sign in
- AI usage logs (which prompts were run, token counts, model versions) used for cost monitoring and quality assurance
- Error logs that may contain stack traces and request context
3. How We Use Your Information
- Authenticate your identity and manage your account
- Generate personalized LinkedIn content using AI
- Fetch industry news, search the web for supporting research, and assemble post-ready material
- Process source material you submit (URLs, podcasts, screenshots, ideas)
- Publish posts to LinkedIn on your behalf, but only when you explicitly trigger a share and only if you've opted in to direct posting
- Operate billing, including trials, renewals, and cancellations through Stripe
- Send transactional email (account, billing, pipeline notifications) and lifecycle email (onboarding, reminders)
- Send broadcast marketing email if you've opted in or are an active customer (you can unsubscribe at any time)
- Measure product usage and improve the platform
- Investigate abuse, debug failures, and respond to support requests
4. AI Processing and Training
- We send your profile data, source material, and intermediate prompt context to Google's Gemini API to generate posts and research notes
- Postworthy uses the paid Gemini API. Under Google's API terms, content sent to the paid Gemini API is not used to train Google's foundation models
- We do not sell, share, or otherwise route your content to other AI providers
- We may use aggregated, de-identified usage statistics (e.g., how many posts of a given type were generated) to improve the platform. This excludes the content of your posts and the contents of your profile
5. Sub-Processors
We share data with the following service providers as necessary to operate the platform:
- Supabase — database, authentication, and file storage
- Vercel — application hosting and request handling
- Google Gemini API — AI content generation (receives your profile context and source material to generate posts and research)
- Tavily — web search for research material (receives search queries derived from your content topics)
- Event Registry — news article discovery (receives industry-specific search queries built from your profile)
- Stripe — payment processing and subscription management
- Resend — transactional email and marketing broadcast delivery
- PostHog — product and website analytics (server-side and client-side)
- Inngest — background workflow orchestration (receives pipeline event payloads)
- LinkedIn — receives content you publish through Postworthy, either via the manual share dialog (default) or via the LinkedIn Posts API if you've opted in to direct posting
We do not sell, rent, or trade your personal information to third parties.
6. Cookies and Analytics
- Essential cookies are used for authentication and session management. The product cannot function without these
- Analytics cookies and local storage are used by PostHog to measure product and website usage. These help us understand which features are valuable and which need work
- We do not use advertising cookies or run third-party advertising trackers
7. Data Storage, Location, and Security
- Data is stored in Supabase Postgres with row-level security enforced for user-facing reads
- Data is processed primarily in the United States. Some sub-processors may process data in other regions as part of their normal infrastructure
- Application traffic is encrypted in transit (HTTPS)
- LinkedIn OAuth tokens are encrypted at rest in our database
- Administrative access to backend systems is restricted to authorized Archetype Media personnel and audit-logged
- No system is perfectly secure. We follow industry-standard practices but cannot guarantee absolute security
8. Data Retention
- Account data — retained while your account is active and for up to 90 days after deletion, after which we delete or fully anonymize it (subject to legal, billing, or tax retention requirements)
- Generated posts and pipeline session history — retained for the life of your account so you can reference and reuse past work; deleted along with your account
- Source material you submit (URLs, podcast transcripts, screenshot interpretations, ideas) — retained for the life of your account; deleted along with your account
- LinkedIn OAuth tokens — deleted immediately on disconnect or account deletion
- Billing records — retained as required by applicable tax and accounting law (typically 7 years)
- AI usage logs and analytics — retained in aggregated form for product and cost analysis
- Marketing contacts — retained until you unsubscribe or request deletion
9. Your Rights
Regardless of where you live, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or outdated data
- Request deletion of your account and associated data
- Receive a portable copy of your data in a structured, machine-readable format
- Object to or restrict certain types of processing
- Withdraw consent where processing relies on consent
Depending on where you live, you may have additional rights under the GDPR (EU/UK), the California Consumer Privacy Act (CCPA), or similar laws — including the right to lodge a complaint with a supervisory authority. We honor verified requests from any jurisdiction.
To exercise any of these rights, email editor@postworthy.ink. We aim to respond to verified requests within 30 days.
10. Marketing Communications
- We send transactional email (billing, account, pipeline completion, password reset) to all users. These cannot be opted out of without closing your account
- We send broadcast marketing email to active customers and to non-customers who've subscribed to our list
- Every marketing email includes a one-click unsubscribe link. Unsubscribing removes you from future broadcasts but does not affect transactional email
11. Children's Privacy
Postworthy is not intended for users under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, please contact us and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 30 days before they take effect, except where shorter notice is required by law. Continued use of Postworthy after the effective date constitutes acceptance of the updated policy.
Change log
- May 13, 2026 — Comprehensive rewrite to reflect LinkedIn OAuth + direct posting, self-serve signup with Stripe billing, PostHog analytics, Inngest, broadcast email, expanded share-capture (URL / podcast / screenshot), formalized GDPR / CCPA rights, itemized data retention, expanded sub-processor list, and AI training disclosure
- February 24, 2026 — Initial published policy
13. Contact
Archetype Media Inc.
[STREET]
[CITY, STATE ZIP]
editor@postworthy.ink