Who we are
PostRoute is operated by TOORX LTD ("we", "us"), a private limited company registered in England and Wales. We act as the data controller for the personal data described in this policy. For data you process THROUGH PostRoute about your audience or workspace members, you are the controller and we are your data processor — see our Data Processing Addendum for those terms.
Data we collect
We collect personal data in five categories. We collect only what we need to deliver, secure, and improve the service.
- Account data — name, email, hashed password, optional time zone, super-admin flag (internal staff only).
- Workspace data — workspace name, plan tier, members, roles, billing state, audit trail of administrative actions.
- Connected channel data — OAuth access/refresh tokens (encrypted at rest), platform usernames, profile metadata returned by the platform during connect, follower-count snapshots.
- Content & engagement — posts you draft, schedule, or publish through PostRoute; inbox messages (DMs, mentions, comments) ingested from connected platforms; media you upload; per-post metrics fetched from platform APIs.
- Technical data — IP address, user agent, correlation IDs, timestamps of authentication events. Stored in security/audit logs separate from product data.
- Payment data — handled by Stripe. We store only the Stripe customer ID, subscription ID, plan tier, status, and billing-period markers; we never see card numbers, CVCs, or full bank details.
Lawful basis for processing (UK GDPR Art. 6 / EU GDPR Art. 6)
We rely on four lawful bases depending on the processing activity:
- Contract — when processing is necessary to deliver the subscription you bought (creating accounts, publishing posts you scheduled, billing your card, providing the dashboard).
- Legitimate interest — for product analytics, security monitoring, fraud prevention, and the audit log; balanced against your reasonable expectations.
- Consent — for optional analytics cookies (the cookie banner), marketing email beyond transactional service messages, and any future feature you explicitly opt into.
- Legal obligation — for tax and accounting record retention, responses to lawful authority requests, and breach notifications.
How we use your data
To run the service: authenticate you, persist your drafts, schedule posts to the platforms you connect, ingest your inbox, surface analytics. None of this is optional — without it there is no PostRoute.
To bill: pass plan + customer identifiers to Stripe; reconcile subscription state via Stripe webhooks; mail you receipts and trial-end reminders.
To secure: rate-limit, detect token reuse, alert internal staff on suspicious patterns (failed login bursts, webhook signature failures), preserve a one-year activity log (security events forever).
To improve: aggregate, anonymized usage patterns inform the product roadmap. Individual content is never used to train external AI models. Internal AI features (when launched) only access content within the workspace that triggered them.
To communicate: transactional email (verify, password reset, invoice, channel disconnect, subscription canceled). Marketing email is consent-based with one-click unsubscribe.
Sub-processors
We use the following sub-processors. Each is bound by a written DPA equivalent to or stricter than ours; international transfers rely on EU Standard Contractual Clauses + UK addendum where applicable.
International data transfers
PostRoute's primary data centres are in the EU. Some sub-processors process data in the United States (Resend, Stripe support, GA4) or globally (Cloudflare). For transfers from the UK we rely on the UK International Data Transfer Agreement (or, where applicable, the UK Addendum to the EU Standard Contractual Clauses). For transfers from the EEA we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914). Transfer Impact Assessments are documented internally and available on request from [email protected].
Retention periods
We keep data for as long as the underlying purpose requires, plus statutory retention where it applies. After deletion, residual copies persist in encrypted backups for up to 30 days and are then destroyed.
Your rights
Under UK GDPR + Data Protection Act 2018 (and EU GDPR Art. 15-22 for EEA residents) you have the rights below. Exercise any of them by emailing [email protected] from the address on your PostRoute account; we respond within 30 days (often within 7 business days).
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion when the legal basis is consent or when the data is no longer necessary. Statutory retention obligations may delay full erasure of billing records.
- Restriction — pause certain processing while a dispute or correction is in progress.
- Portability — receive your data in a structured, machine-readable format (JSON export available from Settings).
- Object — opt out of processing based on legitimate interests; we will stop unless we can show a compelling override.
- Withdraw consent — at any time, with no effect on processing already performed under consent.
- Lodge a complaint — with the UK Information Commissioner's Office (ICO, ico.org.uk) or your local EEA supervisory authority. We would prefer you talked to us first.
Cookies and tracking
Strictly necessary cookies authenticate your session and remember your active workspace — these cannot be disabled without breaking the service. Optional analytics cookies (Google Analytics 4) are gated behind explicit consent via the cookie banner; declining them keeps the rest of the site fully functional. We do NOT use advertising tracking, retargeting pixels, or cross-site behavioural profiling.
Children's data
PostRoute is not designed for and not directed to children under 16. We do not knowingly collect data from anyone under that age. If we learn we have inadvertently collected such data we will delete it. Parents or guardians who believe their child has used PostRoute can contact [email protected].
Automated decision-making
We do not make decisions about you that produce legal or similarly significant effects through purely automated means. Plan-tier feature gates, rate limits, and abuse detection are rule-based and surfaced to you with a clear reason; a human reviews any account suspension before it takes effect.
Security measures
TLS 1.3 in transit, AES-256-GCM at rest for OAuth tokens, hashed passwords (Argon2id), tenant isolation enforced at the database query layer, audit logging of every administrative action, automated security event capture with 1-year retention. Full detail in our Security policy.
Personal data breaches
In the unlikely event of a personal data breach affecting your account or content, we notify the UK Information Commissioner's Office (or the relevant EEA supervisory authority for EU residents) within 72 hours, and we notify you directly when the breach is likely to result in a high risk to your rights and freedoms — typically within the same window unless law enforcement asks us to delay disclosure to preserve an investigation.
Changes to this policy
Material changes (new sub-processor categories, new processing purposes, expanded data collection) will be announced at least 30 days in advance via email to your account address. Minor clarifications may take effect immediately. The "Last updated" date at the top reflects the most recent change.
Contact
For privacy questions, data subject requests, or breach notifications: [email protected]. For UK supervisory authority contact: ico.org.uk. EEA residents can find their local DPA at edpb.europa.eu/about-edpb/about-edpb/members_en.