Legal
Privacy Policy
Last updated: July 8, 2026 · Effective: July 8, 2026
Smart Post Studio is a desktop application with an optional web app (beta). In the desktop app, your posts, media, brand profile and scheduled content live locally on your own device; media may briefly pass through our infrastructure in transit where a platform's API requires it — never stored beyond 24 hours, never analysed, never transcoded. If you choose cloud scheduling in the web app, media is stored only until the post publishes, then deleted within minutes. We hold the minimum account data necessary to run the service, and this page describes all of it honestly.
1. Who We Are
Smart Post Studio LLC, Atlanta, Georgia, USA ("we", "us", "our") is the controller of your personal data. You can contact us at support@smartpoststudio.com with any privacy-related queries.
2. What Data We Collect
Account data (stored on our servers)
- Email address
- Password (stored as a hashed value using PBKDF2 — we cannot read it)
- Plan type (trial / paid / complimentary), licence key, and account creation date
- AI usage counters (number of generations used, for plan limits and billing — not the content of your generations)
Newsletter & download sign-ups (stored on our servers)
- Email address and name (if provided)
- Creating a Smart Post Studio account also adds your email to our product-update list, as disclosed on the sign-up page — unsubscribe any time, and unsubscribing is always honoured (we never re-add you)
- Platforms of interest and follower range (optional)
- Sign-up date and marketing consent status
- Attribution data: how you found us (UTM parameters, referral source, landing page)
Support chat (stored on our servers)
- Messages you type to Sol, our support chat assistant, are stored so we can improve the product and our FAQ. If you volunteer contact details in chat, those form part of the stored message. Chat transcripts are retained for up to 12 months.
Usage & attribution data (stored on our servers)
- Aggregate daily API request counts
- Pseudonymous interaction records for purchase buttons, downloads, and the website AI demo: a one-way hashed identifier derived from your IP address, coarse location (country), browser user-agent, and campaign attribution. We cannot reverse these hashes to identify you.
- Reports you submit about AI-generated content (the reported text and your comment)
Data stored only on your device (never stored by us)
- Scheduled posts, captions, drafts, and your media library
- Brand profile information
- Social media OAuth tokens (stored in your OS keychain — macOS Keychain or Windows Credential Manager)
Media in transit
Some social platforms' APIs require that media be retrievable from a public URL rather than uploaded directly from your device. When you publish to such a platform, Smart Post Studio streams the file from your computer through our relay to a temporary address, the platform fetches it, and the file is deleted — automatically and always within 24 hours at most, typically within minutes. Relayed files are never analysed, transcoded, used for AI training, or retained. YouTube uploads do not use this relay: they go directly from your computer to YouTube's servers.
Optional cloud scheduling (web app)
The web app at app.smartpoststudio.com (beta) offers cloud scheduling: posts you schedule there publish from our infrastructure at the scheduled time, so your computer does not need to be on. To make that possible, the media and caption for a cloud-scheduled post are stored securely on our infrastructure (Cloudflare) from the moment you schedule until the post publishes, and are deleted automatically within approximately 15 minutes of posting (the same applies when you delete a scheduled post). If a post fails, its media is retained so the post can be retried, until you delete it. Uploads never attached to a post are deleted within 48 hours. Posts scheduled from the desktop app do not upload media — only a small preview thumbnail (256×256) is stored for your queue and calendar view, retained while the post exists. Cloud scheduling is optional — desktop publishing continues to work directly from your device as described above.
3. How We Use Your Data
- Account management: to authenticate you and manage your subscription
- Service delivery: to process social media posts you schedule through the app, and to power AI features you invoke
- Product & marketing emails: account holders, purchasers, and affiliate applicants receive occasional product updates (disclosed at each sign-up, checkout, or application point); newsletter sign-ups on our website are consent-based. Every email includes an unsubscribe link, and unsubscribing stops everything except essential account emails (receipts, security, legal notices)
- Advertising measurement: to measure whether our ads led to sign-ups and purchases (see Sections 5 and 11)
- Security: to detect and prevent fraud or abuse, including rate-limiting
4. Legal Basis (GDPR)
- Contract: processing your account data to deliver the service you signed up for
- Consent: newsletter emails where you opted in on our website
- Contract & legitimate interests: product-update emails to account holders about the service they use, always with one-click unsubscribe
- Legitimate interests: security monitoring, fraud prevention, and measuring our own advertising
5. Data Sharing
We do not sell your data. We share data only with the following processors and partners:
- Cloudflare, Inc. — infrastructure provider (servers, database, storage, CDN). Data may be stored in the US and EU.
- Anthropic, PBC — AI provider. When you use the AI Writing Studio, the Sol support chat, or the website caption demo, the text you submit (topics, messages, drafts) is processed by Anthropic's Claude API to generate the response. Under Anthropic's commercial API terms, this data is not used to train their models. Your media files are never sent to Anthropic.
- Microsoft Corporation — email delivery. Transactional and marketing emails are sent through Microsoft's email services.
- Gumroad, Inc. — payment processor. We receive only your email and licence key from Gumroad on purchase; we never see your payment details.
- Advertising platforms (TikTok, Reddit) — to measure ad performance, our website reports conversion events (such as sign-ups and checkout starts) to TikTok and Reddit. For Reddit, this includes a one-way SHA-256 hash of your email address for matching — never the plain address. See Section 11.
- Social media platforms — only when you connect your accounts and authorise posting. We do not store your social media credentials on our servers.
6. YouTube Integration
Smart Post Studio lets you publish videos directly to your YouTube channel. This section explains what data we access and how it flows.
What we access:
youtube.upload — to publish videos to channels you own
youtube.readonly — to display your channel name inside the app so you can confirm which channel a post will publish to
We request the narrowest scopes that allow the product to function. We do not request scopes for analytics, channel management, comment moderation, or any data we do not need to publish your content.
How the data flows:
- Your YouTube access token is stored in your operating system's secure credential store (macOS Keychain on Mac, Credential Manager on Windows). It is never transmitted to or stored on Smart Post Studio's servers.
- When you publish a video, the file is read from your computer's disk and uploaded directly to YouTube's servers using YouTube's resumable upload API.
- Smart Post Studio's servers are not in the data path for YouTube uploads. We do not receive, process, transmit, or store your video files, video metadata, captions, or thumbnails.
- After upload, YouTube returns the video ID. Smart Post Studio stores this ID locally on your computer so the post appears in your sent history.
To be explicit: We do not store your YouTube access tokens on our servers. We do not store, copy, cache, or transmit your video files to our servers. We do not access your YouTube watch history, subscriptions, viewing data, or any data not produced by your own publishing actions. We do not share your YouTube data with any third party. We do not use your YouTube data to train artificial intelligence or machine learning models. We do not sell, rent, or trade your YouTube data. We do not display third-party advertising in Smart Post Studio.
Token refreshes: Access tokens issued by Google expire periodically. Smart Post Studio's server includes a thin OAuth helper that exchanges your refresh token for a new access token when needed. This is the only YouTube-related operation that touches our server, and only the token strings are exchanged — no video data or content.
When you disconnect: You can disconnect a YouTube channel from Smart Post Studio at any time through the app's Accounts settings, or directly from your Google Account permissions page. Disconnection removes the access token from your local credential store and revokes it with Google.
Compliance: Smart Post Studio's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. By using Smart Post Studio to publish to YouTube, you also agree to be bound by the YouTube Terms of Service.
7. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion
- Newsletter/waitlist data: retained until you unsubscribe or request deletion
- Support chat transcripts: up to 12 months
- Aggregate usage stats: 90 days
- Pseudonymous rate-limit and demo counters: purged within days
- Media in transit: deleted automatically, at most 24 hours (see Section 2)
- Cloud-scheduled media (web app): until publication, deleted within ~15 minutes after posting
- Failed-post media (web app): until you delete the post
- Unattached uploads (web app): 48 hours
- Post preview thumbnails: for the life of the post
8. Your Rights (GDPR & CCPA)
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all associated data
- Portability — receive your data in a machine-readable format
- Withdraw consent — opt out of marketing emails at any time
- Object — object to processing based on legitimate interests
To exercise any of these rights, email us at support@smartpoststudio.com or use the account deletion option in the app. We will respond within 30 days.
9. Data Deletion
You can delete your account and all associated data at any time from within the app (Settings → Delete Account) or by emailing us. Deletion is permanent and irreversible. Local data on your device (posts, media, brand profile) must be deleted manually.
10. Security
- Passwords are hashed using PBKDF2 with 100,000 iterations and a random salt — we cannot recover your password
- All API communication uses HTTPS/TLS
- OAuth tokens are stored in your operating system's secure keychain, not on our servers
- Analytics identifiers are pseudonymised with one-way hashes; we do not log plain IP addresses in analytics
11. Cookies & Advertising Pixels
Our website uses advertising measurement pixels from TikTok and Reddit. These set identifiers (cookies and/or local storage) in your browser and report events — such as page views, sign-ups, and checkout starts — to those platforms so we can measure whether our advertising works. Server-side, sign-up and purchase events may be reported to Reddit with a one-way hash of your email address for matching. We do not run third-party ads on our website, and we do not share your content with advertisers.
You can limit this tracking with browser privacy controls or ad/tracker blockers; the site works fully without the pixels. Cloudflare may also set a security cookie (__cf_bm) for bot protection. The desktop app itself does not use cookies or advertising trackers.
12. Children
Smart Post Studio is not directed at or intended for use by anyone under 18 years of age. We do not knowingly collect data from minors.
13. Changes to This Policy
We will notify registered users by email of material changes to this policy at least 14 days before they take effect, except where changes correct inaccuracies or expand your rights, which may take effect immediately.
14. Contact & Complaints
Email: support@smartpoststudio.com
If you are in the EU/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.