Privacy Policy

01 Who We Are

PHOST ("we," "us," or "our") operates the AI-powered social media content platform at phost.ai. This Privacy Policy explains how we collect, use, store, and share information when you use our Service.

For privacy inquiries, contact us at support@phost.ai.

02 What We Collect

Account Information. When you create an account, we collect your email address, name, and authentication credentials (managed by Clerk). We store a reference to your Clerk user ID in our database.

Brand & Content Data. We store everything you input into PHOST to power the Service, including:

Brand names, descriptions, taglines, and logos
Brand guidelines (uploaded documents)
Tone preferences, voice settings, topic choices
AI-generated posts (including edited versions)
Website URLs you provide for analysis
Edit signals (records of changes you make to generated content)

Usage Data. We collect data about how you use the Service, including:

Actions performed (posts generated, approved, published)
Feature usage patterns
Error logs and diagnostics
IP address, browser type, and device information

Billing Data. Payment information is collected and processed by Stripe. We do not store full credit card numbers. We store your Stripe Customer ID and subscription status.

Communications. If you contact us via email, we retain those communications to respond and improve the Service.

03 How We Use Your Data

Purpose	Legal Basis
Providing and operating the Service (generating content, managing brands)	Performance of contract
Processing payments and managing subscriptions	Performance of contract
Improving content generation quality through edit signals and engagement analytics	Legitimate interest (improving Service quality)
Sending transactional emails (billing receipts, trial expiry notices)	Performance of contract / Legitimate interest
Preventing fraud, abuse, and Terms of Service violations	Legitimate interest (protecting the Service)
Complying with legal obligations (tax records, law enforcement requests)	Legal obligation
Responding to your support inquiries	Legitimate interest / Performance of contract

We do not use your data for advertising profiling or sell it to third parties for any purpose.

04 Third-Party Services

PHOST relies on the following third-party services to operate. Each service processes data under its own privacy policy:

Clerk — Authentication and user management. Your email, name, and password are processed by Clerk. clerk.com/privacy
Stripe — Payment processing and subscription management. Your billing information is processed by Stripe. stripe.com/privacy
Buffer — Social media publishing. When you connect Buffer, your access token and channel data are stored by PHOST and your content is published via Buffer's API. buffer.com/privacy
Anthropic — AI content generation. Your brand inputs and prompts are sent to Anthropic's API to generate posts. Anthropic does not use API inputs to train its models per their API usage policy. anthropic.com/privacy
Railway — Cloud hosting and PostgreSQL database. Your data is stored on Railway's infrastructure. railway.app/privacy

We select third-party providers carefully and require that they implement appropriate data protection measures. We are not responsible for the privacy practices of third-party platforms to which you publish content (LinkedIn, Twitter/X, Threads, Instagram, Facebook, etc.).

05 Data Retention

Active accounts: Your data is retained for as long as your account is active or your subscription is in good standing.
Cancelled/expired accounts: Following cancellation or trial expiry, your brand data, posts, and personal information are retained for 30 days to allow reactivation, then permanently deleted.
Billing records: Financial transaction records are retained for 7 years to comply with tax and accounting obligations.
Backups: Data may remain in encrypted backups for up to 30 additional days following deletion from active systems.
Legal holds: Data subject to legal proceedings or regulatory requirements may be retained longer as required by applicable law.

06 Data Security

We implement industry-standard security measures to protect your data, including:

Encrypted data transmission via TLS/HTTPS
Encrypted database storage at rest
Access controls limiting data access to authorized personnel
Regular security reviews of our infrastructure and code

No method of transmission or storage is 100% secure. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

If you discover a security vulnerability, please report it responsibly to support@phost.ai.

07 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access

Request a copy of the personal data we hold about you.

Correction

Request that we correct inaccurate or incomplete personal data.

Deletion

Request that we delete your personal data, subject to legal retention requirements.

Portability

Request a machine-readable export of your personal data.

Objection

Object to processing based on legitimate interests.

Withdrawal

Withdraw consent for processing where consent is the legal basis.

To exercise any of these rights, contact us at support@phost.ai. We will respond within 30 days. We may require verification of your identity before processing requests.

08 GDPR — European Economic Area Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent national laws.

The legal bases for our processing are set out in Section 03. Where we rely on legitimate interests, you may object to such processing. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

International Transfers. Your data may be transferred to and processed in the United States. Where required by law, we rely on Standard Contractual Clauses or other appropriate transfer mechanisms for transfers from the EEA.

09 CCPA — California Users

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale: We do not sell personal information. No opt-out is required.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your California rights, contact support@phost.ai. We will respond within 45 days.

10 Cookies

PHOST uses a minimal cookie footprint:

Session cookies: Used by Clerk for authentication session management. These are strictly necessary for the Service to function.
No advertising cookies. We do not use cookies for advertising, behavioral tracking, or retargeting.
No Google Analytics. We do not use Google Analytics or similar third-party analytics trackers on our platform.

Because we only use strictly necessary session cookies, we do not display a cookie consent banner. If we add non-essential cookies in the future, we will update this policy and obtain appropriate consent.

11 Children's Privacy

PHOST is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@phost.ai and we will delete that information promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Service before the changes take effect. The "Last Updated" date at the top of this page indicates when this Policy was last revised.

Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes.

13 Contact

For any privacy-related questions, requests to exercise your rights, or data-related concerns, contact us:

PHOST Privacy

Email: support@phost.ai
Website: phost.ai

We aim to respond to all privacy inquiries within 30 days.