Last updated: March 3, 2026

Privacy Policy

ApprovePost ("we", "us", "our") operates the approvepost.app website and the ApprovePost SaaS platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.

Operator Details

  • Legal entity: ApprovePost
  • Registered address: Kyiv, Ukraine
  • Country of registration: Ukraine
  • Support email: [email protected]

1. Data We Collect

1.1 Account Data

When you create an account, we collect:

  • Email address - used for authentication, notifications, and account recovery.
  • Name - displayed in the interface and on review pages.
  • Password - stored as a securely hashed value (never in plain text).
  • Google account ID - only if you choose to sign in with Google.
  • Telegram Chat ID - only if you choose to connect Telegram notifications (optional).

1.2 Content Data

Data you create within the platform:

  • Content packages (titles, post text, images).
  • Client names you associate with packages.
  • Comments and approval decisions made by your clients.

1.3 Reviewer Data

When a client reviews content via a shared link, we collect:

  • The name they choose to display with their comments.
  • Their approval or change-request decisions.
  • Comment text.

Reviewers are not required to create an account or provide an email address.

1.4 Technical Data

We automatically collect limited technical data:

  • IP address (for security, rate limiting, and audit logging).
  • Browser type and version.
  • Pages visited and timestamps.

We do not use third-party advertising trackers or analytics platforms that profile users across websites.

1.5 Usage Metrics

We collect platform usage data (such as number of active packages) to enforce plan limits and track onboarding completion. This data is not shared with third parties.

1.6 Contact Form Data

When you contact us through the website, we collect your name, email address, subject, and message content solely to respond to your inquiry.

2. How We Use Your Data

  • Provide the service - create and manage content packages, share review links, process approvals.
  • Authentication and security - verify your identity, prevent abuse, enforce rate limits.
  • Notifications - send email or Telegram notifications about review activity (only if enabled).
  • Billing - facilitate subscription purchases via our payment processor, Paddle.
  • Support - respond to your questions and troubleshoot issues.
  • Service improvement - understand usage patterns to improve the product (aggregated, non-personal data).

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. We do not use AI or automated profiling systems to process your personal data.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following lawful bases:

  • Contract performance - to provide the ApprovePost features you have subscribed to.
  • Legitimate interests - security monitoring, IP logging, and session auditing, where not overridden by your rights.
  • Legal obligation - retaining certain records as required by applicable law.
  • Consent - optional Telegram notifications, which you may withdraw at any time by disconnecting your Telegram account.

4. Third-Party Services

We work with the following third-party providers. Each is subject to a data processing agreement or equivalent safeguard.

Service Purpose Data Shared
Google OAuth Optional social sign-in Email, name, Google Profile ID. Subject to Google Privacy Policy.
Brevo (formerly Sendinblue) Transactional email delivery Email address, name, message content.
Telegram Bot API Optional real-time notifications Telegram Chat ID, notification summaries. Subject to Telegram Privacy Policy.
AWS S3 / MinIO Cloud file and media storage Uploaded media files and logos. Subject to AWS Privacy Policy.
Paddle Payment processing (Merchant of Record) Name, email, billing and payment data. Subject to Paddle Privacy Policy.
TinyMCE In-browser rich text editing None - processed locally in your browser only.
Note on payments: All purchases made through ApprovePost are processed by Paddle acting as Merchant of Record. When you complete a purchase, you transact directly with Paddle. Your payment and billing data is collected and processed by Paddle under their own Privacy Policy and Buyer Terms. We do not store or have access to your full payment card details.

5. Data Storage and Security

Your data is stored on secure servers with encryption at rest and in transit (TLS). We use industry-standard security measures including:

  • Hashed passwords (bcrypt / argon2).
  • CSRF protection on all forms.
  • JWT token rotation with refresh-token management.
  • Rate limiting on authentication and sensitive endpoints.
  • Unique, randomly generated tokens for review links.
  • Encrypted cloud storage (AWS S3) for uploaded files.

Despite these measures, no transmission over the internet is 100% secure. Please notify us immediately at [email protected] if you suspect any unauthorised access to your account.

6. Data Retention

  • Active accounts - data is retained as long as your account is active.
  • Deleted accounts - when you delete your account, it enters a 30-day soft-delete period. After 30 days, your personal data and content are permanently and irreversibly removed.
  • Contact form submissions - retained for up to 12 months for reference, then deleted.
  • Security audit logs - retained for as long as necessary to fulfil security and legal obligations.

7. Cookies

We use only essential cookies required for the platform to function. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. For full details, see our Cookies Policy.

8. Your Rights

8.1 GDPR Rights (EEA / UK Users)

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. You may also withdraw consent at any time for optional features (e.g. Telegram notifications).

8.2 CCPA Rights (California Residents)

You have the right to know what personal information is collected, to request its deletion, and to opt out of its sale. We do not sell personal information.

8.3 How to Exercise Your Rights

  • Account deletion - available directly in your account settings. Data is permanently deleted within 30 days.
  • Data export - email [email protected] with the subject "Data Export Request". We will respond within 30 days (GDPR) or 45 days (CCPA).
  • All other requests - contact us at [email protected].

We may need to verify your identity before fulfilling a request. If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

9. International Data Transfers

Our infrastructure may involve transferring data outside your country of residence (for example, via AWS S3 or Brevo). Where such transfers involve personal data from the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under applicable law.

10. Children's Privacy

ApprovePost is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "last updated" date. For material changes, we will provide notice via email or in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or your personal data, contact us: