Privacy Policy

Pulpi ("we", "our", or "us") operates the Pulpi social media management platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2.1 Account Information

• Email address and display name (via Firebase Authentication)
• Organization and brand profile information you provide
• Billing information processed through Stripe (we do not store card numbers)

2.2 Social Media Account Data

• OAuth tokens and refresh tokens for connected social media platforms
• Social media profile information (usernames, profile URLs, follower counts)
• Content you create, schedule, or publish through the Service
• Engagement metrics and analytics from connected platforms

2.3 Usage Data

• Log data (IP address, browser type, pages visited, timestamps)
• Feature usage patterns and interaction data
• Error reports and performance metrics

• Publishing: To schedule and publish content to your connected social media accounts on your behalf.
• Engagement: To perform automated engagement actions (likes, comments, follows) as configured by you.
• Analytics: To provide performance insights and recommendations for your social media strategy.
• Service improvement: To monitor, maintain, and improve the reliability and performance of the Service.
• Communication: To send you service-related notifications, alerts, and updates.

We integrate with the following third-party services:

• Google Firebase: Authentication, database (Firestore), and hosting infrastructure.
• Social media platforms: Instagram, Facebook, X (Twitter), LinkedIn, TikTok, and YouTube — via their official APIs under OAuth 2.0.
• Stripe: Payment processing. Your payment information is handled directly by Stripe in accordance with their Privacy Policy.
• Vercel: Dashboard hosting and edge network.

Each third-party service has its own privacy policy governing the use of your information. We encourage you to review their policies.

We implement industry-standard security measures to protect your data:

• All OAuth tokens and sensitive credentials are encrypted at rest using AES-256-GCM encryption.
• All data in transit is encrypted via TLS 1.2+.
• Access to production systems is restricted and monitored.
• Firebase security rules enforce strict access controls on all database collections.
• API endpoints are protected by authentication and rate limiting.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

• Account data: Retained for the duration of your account and deleted within 30 days of account deletion.
• OAuth tokens: Stored only while your social media accounts are connected. Revoked and deleted upon disconnection.
• Published content records: Retained for up to 12 months for analytics purposes, then automatically purged.
• Engagement logs: Retained for 90 days for diagnostic and compliance purposes.
• Server logs: Retained for 30 days.

If you are a resident of the European Economic Area (EEA), you have the following data protection rights:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete data.
• Right to erasure: You may request deletion of your personal data, subject to legal retention obligations.
• Right to data portability: You may request an export of your data in a structured, machine-readable format.
• Right to object: You may object to the processing of your personal data for certain purposes.
• Right to restrict processing: You may request that we limit the processing of your personal data.

To exercise any of the rights described above, you may:

• Export your data: Use the data export feature available at /api/account/export
• Delete your account: Use the account deletion feature available at /api/account/delete
• Contact us directly: Email privacy@pulpi.ai

We will respond to your request within 30 days, as required by applicable law.

The Service uses essential cookies for authentication and session management via Firebase Authentication. These cookies are strictly necessary for the Service to function and cannot be disabled.

We do not use advertising cookies, tracking cookies, or any non-essential cookies. No third-party analytics or advertising scripts are loaded.

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

Your data may be processed in the European Union and the United States (via Firebase and Vercel infrastructure). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: