What we collect, what we don't.

When you create an account: name, email, business name, billing details (handled by Stripe — we never see card numbers).

When you use SitePost: your uploaded photos, captions, brand voice configuration, connected social account tokens, post performance data we fetch from Meta and LinkedIn on your behalf.

Server logs include IP address, browser, basic page-visit data — used for security and debugging only, retained 90 days.

We don’t track you across the web. We don’t sell email lists. We don’t run third-party analytics scripts on your dashboard. We don’t fingerprint your device.

Your data is stored in UK and EU regions only. Photos and media are encrypted at rest in S3-compatible object storage. The database is encrypted at rest in PostgreSQL. Backups are encrypted and rotated daily; we keep 30 days.

Inside your account: only people you explicitly invite, scoped by role.

Inside SitePost: a small UK-based team, with access logged. Engineers access production data only when investigating a specific issue you’ve raised.

Sub-processors: Stripe (payments), OpenAI (caption generation — on request, never training), Meta and LinkedIn (publishing on your behalf), Resend (transactional email), Cloudflare (CDN).

You can export everything from inside the dashboard at any time. You can request deletion via the data-deletion page; we will process within 30 days and confirm by email.

You have the right to object, restrict processing, or lodge a complaint with the ICO.

Email [email protected]. Our DPO is Richard Crofts. We answer in plain English.