Privacy policy
Information on data processing at PostMaestro.ai
PostMaestro.ai takes the protection of your personal data very seriously. This privacy policy informs you about the type, scope and purpose of the processing of personal data on our landing page, in our application and in our newsletter service.
01 Person responsible
The controller within the meaning of the General Data Protection Regulation (GDPR) is
Nexaluna AI Solutions UG (limited liability)
Trading under: Nexaluna AI Solutions
Renkenweg 23
83209 Prien
Germany
Email: info@nexaluna.ai
Phone: +49 155 63429119
Website: www.nexaluna.ai
02 Data Protection Officer
If you have any questions about data protection, please contact us at info@nexaluna.ai
03 Scope of application
This privacy policy applies to
Landing page (postmaestro.ai): Information website about our services
Web application: Complete platform for registered users
Newsletter service: e-mail marketing and notifications
Data processing differs depending on the area. This is explained in detail below.
04 Data processing on the landing page
The following data is processed on our landing page (postmaestro.ai):
4.1 Technical data (log files)
- The following information is automatically collected when you visit our website:
  - IP address (anonymised after 7 days)
  - Date and time of access
  - Pages and files accessed
  - Amount of data transferred
  - Browser type and version
  - Operating system
  - Referrer URL (previously visited page)
Purpose: This data is collected exclusively for technical purposes (security, error analysis, system stability) and is not used to create user profiles.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in system security)
Storage period: 7 days, then automatic anonymisation
4.2 Hosting and content delivery
- Our website is hosted on Amazon Web Services (AWS) and delivered via Amazon CloudFront (Content Delivery Network).
- Server location: EU (Frankfurt/Ireland)
- AWS processes technical data on our behalf and in accordance with our instructions.
- Further information: https://aws.amazon.com/de/privacy/
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest), Art. 28 GDPR (order processing)
4.3 Cookies and local storage
- Our landing page uses cookies and local storage:
  - Session cookie: To save your language setting
  - Theme preference: To save your dark/light mode preference
  - Local Storage: Storage of language and country (no exact location)
- These cookies do not contain any personal data and are used exclusively for functionality.
Planned: Note: A cookie banner for optional marketing and analytics cookies is implemented. You can give or withdraw your consent at any time.
Legal basis: Art. 6 para. 1 lit. f GDPR (technically necessary)
4.4 Pre-release notifications
- If you register for notifications via the pre-release modal, we will save your data:
  - E-mail address
  - Timestamp of the application
  - Opt-in status
- Purpose: Information about the public launch of PostMaestro.ai
- After the launch notification has been sent, the data will be deleted unless you subscribe to the newsletter.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent)
Storage period: Until launch notification is sent, maximum 12 months
05 Data processing in the application
More extensive data is processed in the full PostMaestro.ai application (after registration):
5.1 Registration and account data
- We collect data during registration:
  - E-mail address (mandatory)
  - User name (mandatory)
  - Password (encrypted with bcrypt, at least 8 characters)
  - Account type (Personal or Company)
  - Time of registration
  - Two-factor authentication (2FA) - optional but recommended
- Purpose: Provision and management of your account, authentication, security
- The 2FA data is only stored locally on your device (QR code scan). We only save the activation status.
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
Storage period: Until account deletion
5.2 Brand profiles and brand data
- When creating a brand profile, we save:
  - Brand name and description
  - Website URL (for Brand Analyser)
  - Uploaded brand guidelines and documents
  - Analysed brand data (colours, fonts, tone of voice)
  - Logo and visual assets
  - Target group definitions
  - Industry and category
- Purpose: Creation of market-compliant content, brand identity management
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
Storage period: Until deletion of the brand profile or account deletion
5.3 Content data (posts, media, campaigns)
- When using content creation, we store:
  - Created and planned social media posts (text, captions, hashtags)
  - Uploaded and generated images, videos, graphics
  - Campaign data and templates
  - Idea validations (swipe data in the Idea Generator)
  - Search documents
  - Content status (Draft, Review, Planned, Published)
  - Publication dates and platforms
- Purpose: content management, planning, automation, archiving
Important: Your contributions may be used by PostMaestro for marketing purposes (see GTC section 7.2). You can object to this at any time.
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
Storage period: Until manual deletion or account deletion. Published posts remain on social media platforms.
5.4 Usage data and analytics
- We store data to improve the platform:
  - Login times and session duration
  - Features and functions used
  - Token consumption and billing data
  - Error reports and performance data
  - Feedback and support requests
- Purpose: Platform improvement, error analysis, support, billing
Legal basis: Art. 6 para. 1 lit. b, f GDPR (fulfilment of contract, legitimate interest)
Storage period: Until account deletion (usage data), billing data in accordance with the statutory retention obligation (10 years)
5.5 Social media platform links
- If you connect social media accounts (Instagram, Facebook, LinkedIn, X, YouTube, etc.), we save:
  - OAuth tokens and access authorisations
  - Platform account IDs
  - Connection status
- This data will only be used to publish posts on your accounts.
- You can disconnect the connections at any time in the settings.
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
Storage period: Until disconnection or account deletion
5.6 Team and company account data
- For company accounts with multiple users, we also store data:
  - Team members and their roles
  - Authorisations and access control
  - Approval workflows and comments
  - Activity logs (audit log)
- Purpose: Team collaboration, access control, compliance
Legal basis: Art. 6 para. 1 lit. b, f GDPR (fulfilment of contract, legitimate interest)
Storage period: Until deletion of the company account
07 AI-supported data processing and AI providers
PostMaestro.ai uses various AI providers to generate content. Your input and generated content are transmitted to these providers:
7.1 OpenAI (text generation)
- Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA
- Use: Generation of texts, captions, descriptions, ideas with GPT-5.1 models
- Transmitted data: Your input texts, prompts, brand data (for context generation)
- Data protection: OpenAI does not store your requests for training purposes (API use with zero data retention policy)
- Location: USA (EU-US Data Privacy Framework)
- Further information: https://openai.com/policies/privacy-policy
Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfilment), Art. 49 para. 1 lit. b GDPR (third country transfer)
7.2 Google Gemini (image generation)
- Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- Use: Generation of images with Google Gemini 2.5 Flash
- Transmitted data: Your image prompts, brand data, style sheets
- Data protection: Google processes data in accordance with the Google Cloud Privacy Policy
- Location: USA/EU (depending on server region)
- Further information: https://policies.google.com/privacy
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
7.4 Mistral AI (OCR and text recognition)
- Provider: Mistral AI, 15 Rue des Halles, 75001 Paris, France
- Use: OCR (Optical Character Recognition) for reading text from images and documents
- Transmitted data: Uploaded images, scans, screenshots for text recognition
- Data protection: Mistral AI is EU-based and GDPR-compliant
- Location: EU (France)
- Further information: https://mistral.ai/terms/
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
7.3 Perplexity AI (research, web search and text generation)
- Provider: Perplexity AI, Inc., USA
- Use: Internet research with real-time web search, fact checking, content research and text generation
- Models: Various Perplexity models for context-based text generation and research
- Transmitted data: search queries, topics, context, text prompts
- Data protection: Perplexity processes requests to provide search results and content generation
- Location: USA
- Further information: https://www.perplexity.ai/privacy
Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfilment), Art. 49 para. 1 lit. b GDPR (third country transfer)
7.5 Fal.ai (Image Generation Models)
- Provider: Fal.ai
- Application: Advanced image generation with various AI models (FLUX, Stable Diffusion, etc.)
- Transmitted data: Image prompts, style parameters, reference images
- Data protection: Fal.ai processes data for image generation
- Further information: https://fal.ai/privacy
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
7.6 Creatomate (video and thumbnail creation)
- Provider: Creatomate BV, Netherlands
- Usage: Automatic creation of video thumbnails, social media graphics, slideshows
- Transmitted data: Your images, texts, design templates
- Data protection: Creatomate is EU-based and GDPR-compliant
- Location: EU (Netherlands)
- Further information: https://creatomate.com/privacy-policy
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
7.10 Important note on AI processing
Your data will only be transmitted to the relevant providers when the respective AI features are actively used.
The AI providers process your data exclusively for the provision of the requested services (content generation).
We have concluded agreements with all AI providers that ensure GDPR-compliant processing.
Personal data (names, email addresses, etc.) are not transmitted to AI providers, only content-relevant data.
08 Payment processing (Stripe)
We use Stripe (Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA) for payment processing.
The following data is transmitted to Stripe for payments:
- Name and e-mail address
- Payment data (credit card number, expiry date, CVV)
- Billing address (if specified)
- Amount and transaction data
We do not store any complete payment data (credit card numbers, CVV) ourselves. These are stored exclusively by Stripe.
We only receive from Stripe:
- Transaction ID
- Payment status (successful/failed)
- Last 4 digits of the payment method (for your overview)
- Stripe Customer ID (for recurring payments)
Legal basis: Art. 6 para. 1 lit. b GDPR (fulfilment of contract)
Third country: Stripe is EU-US Data Privacy Framework certified and offers EU servers.
Storage period: transaction data 10 years (statutory retention obligation), payment methods until cancellation by you
09 Data storage and database
9.1 Strapi backend system
- All your account data, content and settings are stored in our backend system:
  - Backend framework: Strapi CMS (Open Source)
  - Database: PostgreSQL
  - Hosting: AWS (EU region)
  - Encryption: SSL/TLS for data transmission, bcrypt for passwords
- Only authorised employees and systems have access.
9.2 AWS Hosting (EU)
- Our servers are hosted on Amazon Web Services (AWS) in the EU:
  - Server location: Frankfurt and/or Ireland (eu-central-1, eu-west-1)
  - S3 buckets: For static assets and media files
  - CloudFront: Content delivery network for fast delivery
  - RDS PostgreSQL: For database hosting
- AWS processes data on our behalf in accordance with Art. 28 GDPR.
- Further information: https://aws.amazon.com/de/privacy/
Legal basis: Art. 6 para. 1 lit. b, f GDPR (fulfilment of contract, legitimate interest)
Storage period: See respective data types (account data until deletion, billing data 10 years, etc.)
10 Data security
We use comprehensive technical and organisational measures to protect your data:
- SSL/TLS encryption for all data transmissions (HTTPS)
- Bcrypt encryption for passwords (with salt)
- Two-factor authentication (2FA) optionally available
- Regular security audits and penetration tests
- Access control and authentication for all systems
- Automatic backups (encrypted)
- Firewall and intrusion detection systems
- Regular software updates and security patches
- Role-based access control (RBAC) for team accounts
- Audit logs for security-relevant actions
Despite all security measures, absolute security cannot be guaranteed for data transmission via the Internet. Please also protect your access data yourself.
11 Your rights as a data subject
You have the following rights regarding your personal data:
11.1 Right to information (Art. 15 GDPR)
You can request information about the personal data stored by us at any time.
11.2 Right to rectification (Art. 16 GDPR)
You can request the correction of incorrect data or the completion of incomplete data.
11.3 Right to erasure (Art. 17 GDPR)
You can request the deletion of your personal data, provided that there are no statutory retention obligations.
11.4 Right to restriction (Art. 18 GDPR)
You can request the restriction of the processing of your data.
11.5 Right to data portability (Art. 20 GDPR)
You can receive your data in a structured, commonly used and machine-readable format and have it transmitted to another provider.
11.6 Right to object (Art. 21 GDPR)
You can object to the processing of your data if this is based on legitimate interest (Art. 6 para. 1 lit. f GDPR).
11.7 Withdrawal of consent (Art. 7 para. 3 GDPR)
If the processing is based on your consent, you can revoke it at any time. This does not affect the lawfulness of the processing carried out until the revocation.
11.8 Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
Exercising your rights
To exercise your rights, please contact us at info@nexaluna.ai. We will process your request within 30 days.
12 Overview: All third-party providers used (subprocessors)
The following table provides an overview of all third-party providers that process personal data on our behalf:
| Provider | Purpose | Location | Legal Basis |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, server infrastructure, database (PostgreSQL) | EU (Frankfurt/Ireland) | Art. 28 GDPR (AVV) |
| Stripe | Payment processing | USA/EU | Art. 28 GDPR, EU-US DPF |
| SendGrid (Twilio) | E-mail dispatch (newsletter) | USA | Art. 28 GDPR, EU-US DPF |
| OpenAI | Text generation (GPT-5.1) | USA | Art. 49 para. 1 lit. b GDPR |
| Perplexity AI | Research, web search, text generation | USA | Art. 49 para. 1 lit. b GDPR |
| Google Gemini | Image generation (Gemini 2.5 Flash) | USA/EU | Art. 28 GDPR |
| Mistral AI | OCR (text recognition from images) | EU (France) | Art. 28 GDPR |
| Fal.ai | Image generation (FLUX, Stable Diffusion) | USA | Art. 49 para. 1 lit. b GDPR |
| Creatomate | Video thumbnails, visual editing | EU (Netherlands) | Art. 28 GDPR |
| Tesseract.js | OCR for images/scans (Open Source) | Local processing / EU | Art. 6 para. 1 lit. b GDPR |
| Google APIs | YouTube, Gmail integration (planned) | USA/EU | Art. 28 GDPR |
We have concluded data processing agreements (DPAs) with all third-party providers in accordance with Art. 28 GDPR or the processing is carried out on the basis of other legal bases.
13 International data transfers
Some of our service providers (OpenAI, Perplexity, Fal.ai) are based in the USA or other third countries outside the EU/EEA.
For data transfers to third countries, we ensure an appropriate level of data protection through the following measures:
- EU-US Data Privacy Framework certification (Stripe, SendGrid, OpenAI)
- Standard contractual clauses of the EU Commission (Art. 46 GDPR)
- Technical and organisational measures (encryption, access control)
If necessary, data transfers are made on the basis of Art. 49 para. 1 lit. b GDPR (fulfilment of contract).
You consent to these data transfers by using the corresponding features.
14 Data storage and deletion periods
We only store your data for as long as is necessary for the respective purposes:
- Account data: Until account deletion
- Content data: Until manual deletion or account deletion
- Newsletter data: Until cancellation or 24 months of inactivity
- Accounting data: 10 years (statutory retention obligation pursuant to Section 147 AO)
- Support requests: 3 years after completion
- Log files: Are not saved
- Pre-release notifications: Until launch or maximum 12 months
Account deletion
You can delete your account at any time in the settings.
After account deletion, all personal data will be deleted within 30 days.
Exception: Billing data is stored for 10 years in accordance with the statutory retention obligation.
Published social media posts remain on the respective platforms and must be deleted there separately.
16 Children and young people
PostMaestro.ai is not intended for persons under the age of 16.
Persons under the age of 16 may not use the platform.
If we become aware that a person under the age of 16 has created an account, we will delete it immediately.
If you suspect that a minor has created an account without parental consent, please contact us at info@nexaluna.ai.
17 Changes to this privacy policy
We reserve the right to amend this privacy policy if necessary in order to adapt it to changed legal situations or changes to our services.
We will inform you of any significant changes by e-mail or via a clear notice on the website.
We recommend that you check this privacy policy regularly.
You can always find the latest version at postmaestro.ai/privacy.
18 Contact and questions about data protection
If you have any questions about data protection, exercising your rights or complaints, please contact:
E-mail: info@nexaluna.ai
Phone: +49 155 63429119
Post: Nexaluna AI Solutions UG (haftungsbeschränkt) (Nexaluna AI Solutions), Renkenweg 23, 83209 Prien, Germany
We will process your enquiry within 30 days.
Competent supervisory authority
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach
Phone: +49 (0)981 180093-0
E-mail: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de/