Privacy Policy
Last updated: 27 April 2026 (rev. 2)
This policy describes how Podium Venture Studio Limited (“SourcePost”, “we”, “us”) collects, uses, and protects personal data when you use sourcepost.ai and related services.
1. Introduction
SourcePost is a product of Podium Venture Studio Limited (trading as “Podium VS”), a company registered in England and Wales (Company No. 14423877). We are the data controller for the personal data described in this policy.
This policy explains what data we collect, why we collect it, how we use it, and the rights you have over it. If you have questions about anything here, email us at privacy@sourcepost.ai.
2. Information we collect
Account information
When you create a SourcePost account we collect your email address and name. If you sign in with Google we also receive a profile image URL. Passwords, when used, are stored as salted hashes by our authentication provider (Supabase Auth). We never see or store raw passwords.
Workspace information
When you set up a workspace you provide a company name, a website URL, a one-line company description, and an industry tag. You may upload or paste brand voice samples — examples of writing we use to match your voice.
Content you create
Any blog posts, social posts, outlines, sources, and uploaded files you create in SourcePost are stored in your workspace. You own this content.
Social account connection data
When you connect a social account (LinkedIn, X, Instagram, Facebook, TikTok, YouTube, Threads, Pinterest, Reddit, Bluesky, or Google Business Profile) the connection is brokered by our publishing sub-processor TONVI TECH SL (trading as Upload-Post; see section 4). Upload-Post holds the OAuth tokens; SourcePost stores only the connection status (which platforms are linked, whether reauthorisation is needed) and a workspace-scoped identifier used to address the Upload-Post profile. We do not see or store your password for any platform.
Usage data
We log feature usage (posts generated, sources verified, social posts scheduled) for billing, product improvement, and abuse prevention. We also log session timestamps.
Technical data
Standard web server data: IP address, user-agent string, request path, and timestamps. This is used for operational purposes (debugging, security) and is retained briefly.
3. How we use your information
- To provide the service: research topics, generate drafts, verify sources, schedule posts, and publish to connected social accounts.
- To call AI providers: content you create or ask us to generate is sent to third-party AI providers — Anthropic (Claude) for writing and Perplexity for research. These providers process the content to return results and do not train their models on it under our API agreements.
- To publish on your behalf: when you connect a social account and choose to publish, we send the approved content to Upload-Post, which then publishes to the destination platform (LinkedIn, X, Instagram, Facebook, TikTok, YouTube, Threads, Pinterest, Reddit, Bluesky, or Google Business Profile) using the OAuth permissions you granted on the Upload-Post connect page.
- For billing: to create and manage your subscription through Stripe.
- For product improvement: aggregated, anonymised usage patterns help us understand which features matter. We do not use individual content for this.
- For legal compliance: when we are required by law to retain or disclose data.
4. Third-party service providers (sub-processors)
We use a small number of trusted service providers to run SourcePost. Each receives only the data required for its specific function.
| Name | Purpose | Data types | Location |
|---|---|---|---|
| Supabase | Authentication, primary database, file storage | Account data, workspace data, content | EU (Ireland) / US |
| Anthropic (Claude) | AI content generation and writing | Content prompts, source material, brand voice samples | US |
| Perplexity | AI research and citation discovery | Topic queries, research prompts | US |
| Vercel | Application hosting and edge delivery | Request logs, IP addresses, standard web traffic data | US (global edge) |
| Stripe | Payment processing and subscription billing | Billing contact details, payment tokens (no card numbers) | US / UK |
| TONVI TECH SL (trading as 'Upload-Post') | Manages OAuth connections to social platforms and publishes content on your behalf to LinkedIn, X, Instagram, Facebook, TikTok, YouTube, Threads, Pinterest, Reddit, Bluesky, and Google Business Profile | Workspace identifier, social account connection state, post content (text, images, videos) at time of publishing. Upload-Post (not SourcePost) holds the OAuth tokens for connected platforms. Privacy policy: https://www.upload-post.com/data-and-privacy-policy | Spain (EU); Málaga, registered with Registro Mercantil de Málaga (C.I.F. B-19780394) |
Payment information is handled directly by Stripe; SourcePost does not store card details on our servers.
5. Data retention
- Account and workspace data are retained while your account is active.
- Content you create is retained while your account is active.
- Content you delete is purged from active systems within 30 days.
- If you close your account or request deletion, we remove your data within 30 days, subject to short retention periods required for legal or accounting purposes.
6. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data
- Correct inaccurate data (rectification)
- Delete your data (erasure)
- Receive your data in a portable format
- Restrict or object to certain processing
To exercise any of these rights, email privacy@sourcepost.ai or use our data deletion page. We respond within 30 days.
7. Data security
We take reasonable technical and organisational measures to protect your data:
- Data is encrypted in transit (TLS) and at rest.
- OAuth tokens for connected social accounts are held by our publishing sub-processor Upload-Post; SourcePost itself does not store these tokens.
- Access to production systems is restricted to authorised staff.
- We rely on vetted sub-processors (listed in section 4) with their own security certifications.
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and any required regulators promptly.
8. International data transfers
Several of our sub-processors (Anthropic, Perplexity, Vercel, and parts of Supabase infrastructure) operate in the United States. When your data is transferred outside the UK or EEA we rely on the standard contractual clauses approved by the UK Information Commissioner's Office and the European Commission, or on adequacy decisions where applicable.
10. Children's privacy
SourcePost is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy as the service evolves. If we make material changes, we will notify you by email or via a prominent notice in the app at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.
12. Contact us
For privacy and data protection questions, contact privacy@sourcepost.ai. These inquiries are routed to someone with authority to action them.
For general support questions, product feedback, or anything else, email hello@sourcepost.ai.
Postal address: Podium Venture Studio Limited, registered in England and Wales (Company No. 14423877), with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
This document is provided as a good-faith effort to explain our practices. It does not constitute legal advice. Podium Venture Studio Limited recommends consulting qualified legal counsel to ensure these policies meet your specific jurisdictional requirements.