Privacy Policy
Last updated 2026-05-18.
This Privacy Policy describes how Pappus, Inc. ("Pappus") collects, uses, shares, and retains personal data when you use our service. If you want to delete your data, see the Privacy controls in the app for the GDPR Article 17 deletion form.
1. Data we collect
- Account data: name, email, organisation name, hashed password, billing address, and the plan you selected.
- Content data: brand kit, claims library, uploaded reference assets, drafts, approvals, audit history.
- Usage data: pages visited, features used, approval cadence, error reports, and (if you opted in via the cookie banner) product analytics events.
- Integration data: OAuth tokens for the marketing channels you connect (LinkedIn, Instagram, Meta, X, HubSpot, Beehiiv, Substack, Resend, Stripe, etc.).
2. How we use it
We use personal data to operate the Service, run our agents on your behalf, generate drafts for your approval, surface analytics back to you, and meet our legal obligations. We do not sell personal data. We do not use your content to train foundation models.
3. Subprocessors we share data with
Subprocessor list last updated: 2026-05-18.
To run the Service we share narrowly scoped data with the following processors. Each line names the purpose, the data category disclosed, and the processor's primary processing region. Conditional processors are only engaged when the matching channel is enabled in your workspace.
Always-on processors:
- Anthropic — large-language-model inference for drafting and reviewing content. Anthropic's API processes content at inference time and does not retain it for training under their zero-retention enterprise terms. Data category: draft content, prompts, brand kit. Region: United States.
- Voyage AI — embedding generation for the originality + Voice-of-Customer clustering pipeline. Data category: short text excerpts (post bodies, VoC quotes). Region: United States.
- Stripe — payment processing, billing portal, invoicing. Stripe is the PCI-DSS-certified card processor; we never store your card data ourselves. Data category: name, billing address, payment method (held by Stripe). Region: United States / EU.
- Nango — OAuth token brokerage for connected marketing channels. Data category: OAuth tokens + refresh tokens for connected accounts. Region: EU (Frankfurt).
- Supabase — managed Postgres + Auth (session token issuance, JWT signing, application database). Data category: account data, content data, audit log. Region: configurable; default United States.
- AWS S3 / Cloudflare R2 — object storage for uploaded brand assets, generated images, C2PA-stamped artifacts, lead-magnet PDFs. Data category: binary asset files. Region: United States; encryption at rest.
- Resend — transactional email delivery (account notifications, alerts, deletion-receipt confirmations) and outbound email send when the email channel is engaged. Data category: contact email, message body. Region: United States / EU.
- Sentry — error reporting. Conditional — only when you opt in via the cookie banner. Data category: stack traces, route paths, correlation id; PII fields are scrubbed before send. Region: United States / EU.
- PostHog — product analytics. Conditional — only when you opt in via the cookie banner. Data category: page views, feature usage events; PII fields are scrubbed before send. Region: EU (Frankfurt).
Channel-conditional processors (only engaged when the matching connection is enabled in your workspace):
- LinkedIn API — publishing UGC posts + brand-health comment polling. Conditional — only when you connect LinkedIn. Data category: post body, hero image URL, comment text fetched for sentiment classification. Region: United States / Ireland.
- Meta Graph API — publishing to Instagram Business + Facebook Pages. Conditional — only when you connect Instagram or Facebook. Data category: caption, image URL, page id. Region: United States / Ireland.
- X (Twitter) API — publishing tweets. Conditional — only when you connect X. Data category: tweet body. Region: United States.
- HubSpot — blog publishing via the HubSpot CMS. Conditional — only when you connect HubSpot. Data category: blog post title + body HTML + meta description. Region: United States / EU.
- Webflow — blog publishing via the Webflow CMS. Conditional — only when you connect Webflow. Data category: blog post title + body HTML + meta description. Region: United States.
- Ghost — blog publishing via Ghost. Conditional — only when you connect Ghost. Data category: blog post title + body HTML. Region: where your Ghost instance is hosted.
- Beehiiv — newsletter publishing. Conditional — only when you connect Beehiiv. Data category: newsletter subject + preview + body HTML. Region: United States.
- Substack — newsletter export (clipboard paste, no live API). Conditional — only when you choose the Substack newsletter channel. Data category: newsletter subject + body HTML rendered for paste. Region: United States.
Each subprocessor is bound by a Data Processing Agreement. See the Cookie Policy for the cookies they set. To request the current list at any time, contact support@pappus.com.
4. Retention
We retain content data for as long as your account is active. On account deletion we retain a copy in cold storage for 90 days so you can change your mind, then we wipe it from all systems including our subprocessors. Audit-log records (approval signatures, security events) are retained for seven years under our archival schedule.
5. Your rights (GDPR / UK GDPR / CCPA)
You can request access, correction, export, restriction, or erasure of your personal data. Submit the request from /app/privacy while signed in. Our deletion SLA under GDPR Article 17 is 30 days from a verified request, including propagation to our subprocessors per the documented vendor-preservation-order fallback. We do not require a fee and we do not unreasonably narrow the scope.
6. Cookies and similar technologies
See the Cookie Policy for a full inventory. Non-essential cookies (analytics, error reporting) are off by default; you turn them on through the cookie banner.
7. International transfers
We operate from the United States. Where data is transferred out of the EU/UK, we rely on Standard Contractual Clauses and supplementary measures (encryption in transit and at rest, narrow scope, audit logging).
8. Security
Multi-tenant data isolation is enforced at the database layer with Postgres row-level security on every table carrying tenant data. Approvals are HMAC-signed. Cross-tenant access is a P1 incident. We publish post-mortems for security-impacting incidents.
9. Children
The Service is not intended for users under 18. We do not knowingly collect data from children.
10. Changes to this Policy
Material changes will be notified by email at least 14 days before they take effect.
11. Contact
Privacy questions or DSR follow-ups: support@pappus.com.