Legal

Data Processing Addendum

Last updated July 12, 2026

This addendum describes how PostMyIsh processes personal data on behalf of customers who use the service to reach audiences that include people in regulated regions. It supplements our Terms of Service.

1. Roles

For personal data you upload or generate through PostMyIsh, you (the customer) act as the controller and PostMyIsh acts as the processor, processing that data only on your documented instructions — which include your use of the service and its settings.

2. Details of processing

  • Subject matter & purpose — providing social publishing, scheduling, and analytics.
  • Duration — for as long as your account is active, plus any legally required retention.
  • Types of data — account details, content and its metadata, connected-account identifiers, and usage logs.
  • Data subjects — you, your team members, and individuals referenced in the content you publish.

3. Our obligations

  • Process personal data only on your instructions and for the purposes above.
  • Ensure people authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see below).
  • Assist you, where reasonable, in responding to data-subject requests and meeting your own obligations.

4. Subprocessors

You authorize us to engage the following subprocessors to deliver the service. We remain responsible for their performance:

  • Vercel — hosting and content delivery.
  • Turso — database.
  • Stripe — payment processing.
  • Google & Apple — optional authentication.

If we add or replace a subprocessor, we’ll update this page. If you have a reasonable objection, contact us and we’ll work with you in good faith.

5. Security measures

We maintain safeguards appropriate to the risk, including salted scrypt password hashing, httpOnly and secure session cookies, storage of API keys only as SHA-256 hashes, encryption of traffic in transit over HTTPS, and least-privilege access to production systems.

6. Data subject requests

If we receive a request from one of your data subjects, we’ll refer them to you where appropriate and provide reasonable assistance so you can respond within legal timeframes.

7. Personal data breaches

If we become aware of a personal data breach affecting your data, we’ll notify you without undue delay and share the information you reasonably need to meet your own notification obligations.

8. International transfers

Where processing involves transferring personal data across borders, we rely on appropriate safeguards, such as standard contractual clauses, to protect that data.

9. Return & deletion

On termination, and at your choice, we’ll delete or return the personal data we process on your behalf, except where retention is required by law.

10. Contact

To raise a data-processing matter or request this addendum as a signed document, email hey@postmyish.com.