Skip to main content

Privacy Policy

Information on data processing at PostMaestro.ai

Last updated: November 15, 2024

PostMaestro.ai takes the protection of your personal data very seriously. This Privacy Policy informs you about the nature, scope and purpose of the processing of personal data on our landing page, in our application and in our newsletter service.

Table of Contents

1. 1. Controller3. 3. Scope4. 4. Data Processing on the Landing Page5. 5. Data Processing in the Application6. 6. Newsletter Service7. 7. AI-Powered Data Processing and AI Providers8. 8. Payment Processing (Stripe)10. 10. Data Security11. 11. Your Rights as a Data Subject12. 12. Overview: All Third-Party Providers (Subprocessors)

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Braune und Grebe GbR

Trading as: Nexaluna AI Solutions

Renkenweg 23

83209 Prien

Germany

Email:datenschutz@nexaluna.ai

Phone: +49 151 28858234

Website:www.nexaluna.ai

2. Data Protection Officer

For questions about data protection, please contact us at datenschutz@nexaluna.ai

3. Scope

This Privacy Policy applies to:

Landing Page (postmaestro.ai): Informational website about our services

Web Application: Full platform for registered users

Newsletter Service: Email marketing and notifications

Data processing differs depending on the area. This is explained in detail below.

4. Data Processing on the Landing Page

On our landing page (postmaestro.ai), the following data is processed:

4.1 Technical Data (Log Files)

  • When visiting our website, the following information is automatically recorded:
  • • IP address (anonymized after 7 days)
  • • Date and time of access
  • • Pages and files accessed
  • • Amount of data transferred
  • • Browser type and version
  • • Operating system
  • • Referrer URL (previously visited page)

Purpose: This data is collected exclusively for technical purposes (security, error analysis, system stability) and not used to create user profiles.

Legal basis: Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in system security)

Storage period: Storage period: 7 days, then automatic anonymization

4.2 Hosting and Content Delivery

  • Our website is hosted on Amazon Web Services (AWS) and delivered via Amazon CloudFront (Content Delivery Network).
  • Server location: EU (Frankfurt/Ireland)
  • AWS processes technical data on our behalf and according to our instructions.
  • More information: https://aws.amazon.com/privacy/

Legal basis: Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest), Art. 28 GDPR (data processing agreement)

4.3 Cookies and Local Storage

  • Our landing page currently only uses technically necessary cookies:
  • • Session cookie: To store your language preference
  • • Theme preference: To store your dark/light mode preference
  • These cookies do not contain personal data and serve exclusively for functionality.

Planned: Planned: Cookie banner for optional marketing and analytics cookies. You will be informed before implementation and can give or refuse your consent.

Legal basis: Legal basis: Art. 6 para. 1 lit. f GDPR (technically necessary)

4.4 Pre-Release Notifications

  • If you sign up for notifications via the pre-release modal, we store:
  • • Email address
  • • Registration timestamp
  • • Opt-in status
  • Purpose: Information about the public launch of PostMaestro.ai
  • After sending the launch notification, the data is deleted unless you sign up for the newsletter.

Legal basis: Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Storage period: Storage period: Until launch notification sent, maximum 12 months

5. Data Processing in the Application

In the full PostMaestro.ai application (after registration), more comprehensive data is processed:

5.1 Registration and Account Data

  • During registration, we collect:
  • • Email address (mandatory)
  • • Username (mandatory)
  • • Password (encrypted with bcrypt, minimum 8 characters)
  • • Account type (Personal or Company)
  • • Registration timestamp
  • • Two-factor authentication (2FA) - optional but recommended
  • Purpose: Provision and management of your account, authentication, security
  • 2FA data is only stored locally on your device (QR code scan). We only store the activation status.

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

Storage period: Storage period: Until account deletion

5.2 Brand Profiles and Brand Data

  • When creating a brand profile, we store:
  • • Brand name and description
  • • Website URL (for Brand Analyzer)
  • • Uploaded brand guidelines and documents
  • • Analyzed brand data (colors, fonts, tone-of-voice)
  • • Logo and visual assets
  • • Target audience definitions
  • • Industry and category
  • Purpose: Creation of brand-compliant content, brand identity management

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

Storage period: Storage period: Until deletion of brand profile or account deletion

5.3 Content Data (Posts, Media, Campaigns)

  • When using content creation, we store:
  • • Created and scheduled social media posts (text, captions, hashtags)
  • • Uploaded and generated images, videos, graphics
  • • Campaign data and templates
  • • Idea validations (swipe data in Idea Generator)
  • • Research documents
  • • Content status (Draft, Review, Scheduled, Published)
  • • Publication times and platforms
  • Purpose: Content management, planning, automation, archiving

⚠️ Important: Important: Your created posts may be used by PostMaestro for marketing purposes (see Terms Section 7.2). You can object at any time.

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

Storage period: Storage period: Until manual deletion or account deletion. Published posts remain on social media platforms.

5.4 Usage Data and Analytics

  • To improve the platform, we store:
  • • Login times and session duration
  • • Features and functions used
  • • Token consumption and billing data
  • • Error reports and performance data
  • • Feedback and support requests
  • Purpose: Platform improvement, error analysis, support, billing

Legal basis: Legal basis: Art. 6 para. 1 lit. b, f GDPR (contract performance, legitimate interest)

Storage period: Storage period: Until account deletion (usage data), billing data according to legal retention requirement (10 years)

5.5 Social Media Platform Connections

  • When you connect social media accounts (Instagram, Facebook, LinkedIn, X, YouTube, etc.), we store:
  • • OAuth tokens and access permissions
  • • Platform account IDs
  • • Connection status
  • This data is used exclusively to publish posts on your accounts.
  • You can disconnect connections at any time in the settings.

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

Storage period: Storage period: Until disconnection or account deletion

5.6 Team and Company Account Data

  • For Company Accounts with multiple users, we additionally store:
  • • Team members and their roles
  • • Permissions and access control
  • • Approval workflows and comments
  • • Activity logs (Audit Log)
  • Purpose: Team collaboration, access control, compliance

Legal basis: Legal basis: Art. 6 para. 1 lit. b, f GDPR (contract performance, legitimate interest)

Storage period: Storage period: Until deletion of Company Account

6. Newsletter Service

  • If you subscribe to our newsletter, we store:
  • • Email address
  • • Subscription timestamp
  • • IP address at time of subscription (double opt-in proof)
  • • Opt-in confirmation
  • • Language preference
  • Purpose: Sending updates, tips, news and marketing information about PostMaestro.ai
  • The newsletter is sent via Strapi (our backend system) and SendGrid (email delivery service).

6.1 Double Opt-In Process

After newsletter registration, you receive a confirmation email.

Only after clicking the confirmation link will you be added to the newsletter distribution list.

This serves to protect against misuse of your email address.

6.2 SendGrid (Email Delivery)

We use SendGrid (Twilio Inc., USA) for newsletter delivery.

SendGrid processes your email address on our behalf for newsletter delivery.

We have concluded a data processing agreement (DPA) with SendGrid according to Art. 28 GDPR.

SendGrid is EU-US Data Privacy Framework certified.

More information: https://www.twilio.com/legal/privacy

6.3 Newsletter Tracking

Currently: No tracking of open rates or clicks

Planned: Opt-in for newsletter statistics (open rate, click tracking)

You will be informed before activation of tracking and can give or refuse your consent.

6.4 Unsubscribe

You can unsubscribe from the newsletter at any time:

• Via the unsubscribe link in each newsletter email

• By email to newsletter@nexaluna.ai

• In your account settings (if available)

After unsubscribing, your data will be deleted from the newsletter distribution list.

Legal basis: Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Storage period: Storage period: Until unsubscription or after 24 months of inactivity (no opens)

7. AI-Powered Data Processing and AI Providers

PostMaestro.ai uses various AI providers for content generation. Your inputs and generated content are transmitted to these providers:

7.1 OpenAI (Text Generation)

  • Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA
  • Usage: Generation of texts, captions, descriptions, ideas using GPT-5.1 models
  • Transmitted data: Your input texts, prompts, brand data (for context generation)
  • Privacy: OpenAI does not store your requests for training purposes (API usage with Zero Data Retention Policy)
  • Location: USA (EU-US Data Privacy Framework)
  • More information: https://openai.com/policies/privacy-policy

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance), Art. 49 para. 1 lit. b GDPR (third country transfer)

7.2 Google Gemini (Image Generation)

  • Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Usage: Image generation with Google Gemini 2.5 Flash
  • Transmitted data: Your image prompts, brand data, style templates
  • Privacy: Google processes data according to Google Cloud Privacy Policy
  • Location: USA/EU (depending on server region)
  • More information: https://policies.google.com/privacy

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

7.4 Mistral AI (OCR and Text Recognition)

  • Provider: Mistral AI, 15 Rue des Halles, 75001 Paris, France
  • Usage: OCR (Optical Character Recognition) for extracting text from images and documents
  • Transmitted data: Uploaded images, scans, screenshots for text recognition
  • Privacy: Mistral AI is EU-based and GDPR compliant
  • Location: EU (France)
  • More information: https://mistral.ai/terms/

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

7.3 Perplexity AI (Research, Web Search and Text Generation)

  • Provider: Perplexity AI, Inc., USA
  • Usage: Internet research with real-time web search, fact-checking, content research, and text generation
  • Models: Various Perplexity models for context-based text generation and research
  • Transmitted data: Search queries, topics, context, text prompts
  • Privacy: Perplexity processes requests to provide search results and content generation
  • Location: USA
  • More information: https://www.perplexity.ai/privacy

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance), Art. 49 para. 1 lit. b GDPR (third country transfer)

7.5 Fal.ai (Image Generation Models)

  • Provider: Fal.ai
  • Usage: Advanced image generation with various AI models (FLUX, Stable Diffusion, etc.)
  • Transmitted data: Image prompts, style parameters, reference images
  • Privacy: Fal.ai processes data for image generation
  • More information: https://fal.ai/privacy

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

7.6 Creatomate (Video and Thumbnail Creation)

  • Provider: Creatomate BV, Netherlands
  • Usage: Automatic creation of video thumbnails, social media graphics, slideshows
  • Transmitted data: Your images, texts, design templates
  • Privacy: Creatomate is EU-based and GDPR compliant
  • Location: EU (Netherlands)
  • More information: https://creatomate.com/privacy-policy

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

7.10 Important Note on AI Processing

Your data is only transmitted to the respective providers when actively using the respective AI features.

AI providers process your data exclusively to provide the requested services (content generation).

We have agreements with all AI providers that ensure GDPR-compliant processing.

Personal data (names, email addresses, etc.) are not transmitted to AI providers, only content-relevant data.

8. Payment Processing (Stripe)

For payment processing, we use Stripe (Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA).

During payments, the following data is transmitted to Stripe:

• Name and email address

• Payment data (credit card number, expiration date, CVV)

• Billing address (if provided)

• Amount and transaction data

We do not store complete payment data (credit card numbers, CVV) ourselves. These are stored exclusively at Stripe.

We only receive from Stripe:

• Transaction ID

• Payment status (successful/failed)

• Last 4 digits of payment method (for your overview)

• Stripe Customer ID (for recurring payments)

Legal basis: Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance)

Third country: Stripe is EU-US Data Privacy Framework certified and offers EU servers.

Storage period: Storage period: Transaction data 10 years (legal retention requirement), payment methods until deletion by you

More information: https://stripe.com/privacy

9. Data Storage and Database

9.1 Strapi Backend System

  • All your account data, content and settings are stored in our backend system:
  • • Backend framework: Strapi CMS (Open Source)
  • • Database: PostgreSQL
  • • Hosting: AWS (EU region)
  • • Encryption: SSL/TLS for data transmission, bcrypt for passwords
  • Access is only available to authorized employees and systems.

9.2 AWS Hosting (EU)

  • Our servers are hosted on Amazon Web Services (AWS) in the EU:
  • • Server location: Frankfurt and/or Ireland (eu-central-1, eu-west-1)
  • • S3 Buckets: For static assets and media files
  • • CloudFront: Content Delivery Network for fast delivery
  • • RDS PostgreSQL: For database hosting
  • AWS processes data on our behalf according to Art. 28 GDPR.
  • More information: https://aws.amazon.com/privacy/

Legal basis: Legal basis: Art. 6 para. 1 lit. b, f GDPR (contract performance, legitimate interest)

Storage period: Storage period: See respective data types (account data until deletion, billing data 10 years, etc.)

10. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • • SSL/TLS encryption for all data transmissions (HTTPS)
  • • Bcrypt encryption for passwords (with salt)
  • • Two-factor authentication (2FA) optionally available
  • • Regular security audits and penetration tests
  • • Access control and authentication for all systems
  • • Automatic backups (encrypted)
  • • Firewall and intrusion detection systems
  • • Regular software updates and security patches
  • • Role-based access control (RBAC) for team accounts
  • • Audit logs for security-relevant actions

Despite all security measures, absolute security cannot be guaranteed for data transmission over the Internet. Please also protect your access credentials yourself.

11. Your Rights as a Data Subject

You have the following rights regarding your personal data:

11.1 Right of Access (Art. 15 GDPR)

You can request information about the personal data we store at any time.

11.2 Right to Rectification (Art. 16 GDPR)

You can request the correction of incorrect or completion of incomplete data.

11.3 Right to Erasure (Art. 17 GDPR)

You can request the deletion of your personal data, provided there are no legal retention obligations.

11.4 Right to Restriction (Art. 18 GDPR)

You can request the restriction of processing of your data.

11.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, common and machine-readable format and have it transmitted to another provider.

11.6 Right to Object (Art. 21 GDPR)

You can object to the processing of your data insofar as it is based on legitimate interest (Art. 6 para. 1 lit. f GDPR).

11.7 Withdrawal of Consent (Art. 7 para. 3 GDPR)

Insofar as processing is based on your consent, you can withdraw it at any time. The lawfulness of the processing carried out until the withdrawal remains unaffected.

11.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

Exercising Your Rights

To exercise your rights, please contact us at datenschutz@nexaluna.ai. We will process your request within 30 days.

12. Overview: All Third-Party Providers (Subprocessors)

The following table provides an overview of all third parties that process personal data on our behalf:

Provider Purpose Location Legal Basis
Amazon Web Services (AWS) Hosting, server infrastructure, database (PostgreSQL) EU (Frankfurt/Ireland) Art. 28 GDPR (DPA)
Stripe Payment processing USA/EU Art. 28 GDPR, EU-US DPF
SendGrid (Twilio) Email delivery (newsletter) USA Art. 28 GDPR, EU-US DPF
OpenAI Text generation (GPT-5.1) USA Art. 49 para. 1 lit. b GDPR
Perplexity AI Research, web search, text generation USA Art. 49 para. 1 lit. b GDPR
Google Gemini Image generation (Gemini 2.5 Flash) USA/EU Art. 28 GDPR
Mistral AI OCR (text recognition from images) EU (France) Art. 28 GDPR
Fal.ai Image generation (FLUX, Stable Diffusion) USA Art. 49 para. 1 lit. b GDPR
Creatomate Video thumbnails, visual editing EU (Netherlands) Art. 28 GDPR
Tesseract.js OCR for images/scans (open source) Local processing / EU Art. 6 para. 1 lit. b GDPR
Google APIs YouTube, Gmail integration (planned) USA/EU Art. 28 GDPR

We have concluded data processing agreements (DPA) according to Art. 28 GDPR with all third parties or processing is based on other legal grounds.

13. International Data Transfers

Some of our service providers (OpenAI, Perplexity, Fal.ai) are based in the USA or other third countries outside the EU/EEA.

For data transfers to third countries, we ensure an adequate level of data protection through the following measures:

• EU-US Data Privacy Framework certification (Stripe, SendGrid, OpenAI)

• Standard contractual clauses of the EU Commission (Art. 46 GDPR)

• Technical and organizational measures (encryption, access control)

Where required, data transfers are based on Art. 49 para. 1 lit. b GDPR (contract performance).

You consent to these data transfers by using the respective features.

14. Data Storage and Deletion Periods

We only store your data for as long as necessary for the respective purposes:

  • • Account data: Until account deletion
  • • Content data: Until manual deletion or account deletion
  • • Newsletter data: Until unsubscription or 24 months of inactivity
  • • Billing data: 10 years (legal retention requirement according to § 147 AO)
  • • Support requests: 3 years after completion
  • • Log files: 7 days (then anonymization)
  • • Pre-release notifications: Until launch or maximum 12 months

Account Deletion

You can delete your account at any time in the settings.

After account deletion, all personal data will be deleted within 30 days.

Exception: Billing data is retained for 10 years according to legal retention requirement.

Published social media posts remain on the respective platforms and must be deleted there separately.

15. Cookies and Tracking

15.1 Current Status

  • Currently, we only use technically necessary cookies:
  • • Session cookie (language setting)
  • • Theme preference (dark/light mode)
  • • Login session (after login in the app)
  • These cookies are required for the functionality of the website and do not contain personal data except your session ID.

15.2 Planned Extensions

We are planning to implement a cookie banner for optional cookies:

• Analytics cookies (e.g. Google Analytics): To analyze user behavior

• Marketing cookies: To display personalized advertising

• Social media cookies: For social media features

You will be asked for your consent before activation of these cookies and can revoke it at any time.

Without your consent, no optional cookies will be set.

15.3 Cookie Management

You can manage and delete cookies in your browser settings.

Please note that deactivating technically necessary cookies may limit the functionality of the website.

After implementation of the cookie banner, you can adjust your cookie settings at any time via a link in the footer.

16. Children and Minors

PostMaestro.ai is not directed at persons under 16 years of age.

Persons under 16 years of age may not use the platform.

Should we become aware that a person under 16 years of age has created an account, we will delete it immediately.

If you suspect that a minor has created an account without parental consent, please contact us at datenschutz@nexaluna.ai.

17. Changes to this Privacy Policy

We reserve the right to adapt this Privacy Policy as necessary to reflect changes in legal situations or changes to our services.

We will inform you of significant changes by email or through a clear notice on the website.

We recommend that you review this Privacy Policy regularly.

The current version can always be found at postmaestro.ai/privacy.

18. Contact and Privacy Questions

If you have questions about privacy, exercising your rights or complaints, please contact:

Email: datenschutz@nexaluna.ai

Phone: +49 151 28858234

Mail: Braune und Grebe GbR (Nexaluna AI Solutions), Renkenweg 23, 83209 Prien, Germany

We will process your request within 30 days.

Competent Supervisory Authority

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18, 91522 Ansbach, Germany

Phone: +49 (0)981 180093-0

Email: poststelle@lda.bayern.de

Website: https://www.lda.bayern.de/

Terms Imprint