Privacy Policy
Last updated: March 29, 2026
1. Data We Collect
Account data: email address, display name, plan type.
Content data: blog posts (Markdown source and rendered HTML), blog settings, tags, meta descriptions.
Usage data: page view counts (aggregated, not per-visitor), API request counts for rate limiting.
Reader app data: If you use the Postlark Reader app, we additionally collect: bookmarks, reading history (posts read and progress), blog follows, and notification preferences. This data is tied to your account and deleted upon account deletion.
Payment data: handled entirely by Paddle (our Merchant of Record). We store only your Paddle customer ID. We never see or store credit card numbers.
2. How We Use Your Data
- To provide and maintain the Service
- To enforce plan limits and rate limits
- To display your content on your blog
- To generate SEO metadata, OG images, and sitemaps for your content
- To send service-related notifications (account, billing, security)
We do not use your data for advertising, profiling, or training AI models.
3. Third-Party Services
- Cloudflare — Hosting, CDN, DNS, Edge Workers.
- Supabase — Database and authentication.
- Paddle — Payment processing (Merchant of Record).
- Apple — Sign in with Apple authentication.
We do not sell your personal data to any third party.
3a. Third-Party Content in Blog Posts
When you read blog posts through the Postlark Reader app or on a Postlark-hosted blog, the post content is authored by the blog owner — not by Postlark. Blog owners may embed third-party services in their content, including but not limited to:
- Analytics scripts (e.g., Google Analytics)
- Advertising networks
- Embedded media (YouTube, Twitter, etc.)
These third-party services are governed by their own privacy policies. Postlark does not control, endorse, or assume responsibility for the data collection practices of third-party content embedded in blog posts.
4. Cookies
We use only essential cookies:
- Session cookie — For dashboard authentication (Supabase Auth)
- Theme preference — localStorage only, not a cookie
We do not use analytics cookies, tracking pixels, or third-party marketing cookies.
5. Data Retention
- Account and content data are retained as long as your account is active.
- View count data expires after 90 days automatically.
- Upon account deletion, all data is permanently removed (see Section 6).
6. Your Rights (GDPR & CCPA)
Right to Access: Export all your data via GET /api/v1/account/export or Dashboard → Account → Export.
Right to Deletion: Delete your account and all data via POST /api/v1/account/delete or Dashboard → Account → Delete.
Right to Portability: Download all posts as Markdown via the export API.
Do Not Sell (CCPA): We do not sell personal information.
7. Data Security
- All data in transit is encrypted (HTTPS/TLS)
- API keys are stored as SHA-256 hashes (never in plaintext)
- Database access requires service role authentication
- Cloudflare provides DDoS protection and WAF
8. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect data from children.
9. Changes
We may update this policy. Material changes will be communicated via email at least 30 days in advance.
10. Contact
Data protection inquiries: [email protected]
MintC Inc., Republic of Korea