Skip to main content
Logo
Legal

Privacy Policy

Learn how we protect your personal information

Last updated: February 22, 2026

Back to Home

Introduction

Welcome to Postboard ('we,' 'our,' or 'us'). This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our platform at postboard.io (the 'Platform'). By using Postboard, you consent to the data practices described in this policy.

Information We Collect

We collect information that you provide directly to us, information we obtain automatically when you use the Platform, and information from third parties:

Information You Provide

The following information is collected when you use our platform:

  • Account registration details (name, email address, phone number)
  • Profile information (professional background, skills, certifications, profile photos)
  • Service listings and descriptions
  • Project descriptions and service details submitted for AI-powered proposal generation
  • Payment and banking information (processed by Stripe)
  • Communications with other users via platform messaging
  • Reviews and ratings
  • Support inquiries and feedback
  • Training data opt-in preferences

Automatically Collected Information

We automatically collect certain information when you use our platform:

  • IP addresses (used for security logging, fraud prevention, and approximate geolocation)
  • Device information and identifiers (browser type, operating system)
  • Usage data and browsing activity
  • Approximate location information derived from IP address
  • Log data and server access logs
  • Cookies and similar technologies (see Cookie Policy section below)
  • Transaction and payment metadata

How We Use Your Information

We use collected information for the following purposes:

  • Provide, maintain, and improve our services
  • Process payments and transactions via Stripe Connect
  • Match service providers with service seekers
  • Power AI features — including proposal generation, pricing intelligence, and service recommendations — by sending project descriptions and service details to our AI provider (Anthropic Claude)
  • Send transactional emails (account verification, payment receipts, notifications) via Resend
  • Monitor application errors and performance via Sentry
  • Collect anonymous analytics on platform usage via Vercel Analytics (with your consent)
  • Prevent fraud and ensure platform security
  • Comply with legal obligations
  • Personalize user experience
  • Communicate about services and updates

AI Data Processing

Postboard uses artificial intelligence to enhance your experience. Here is how your data is used in connection with AI features:

What Data Is Sent to AI

When you use AI-powered features (such as proposal generation, pricing suggestions, or service recommendations), the following data may be sent to Anthropic (Claude):

  • Project descriptions and requirements you provide
  • Service details and categories
  • Pricing parameters and budget information
  • Professional background context from your profile (skills, experience)

Training Data Collection

We may use anonymized and aggregated platform data to improve our AI features. Participation is entirely opt-in:

  • You can opt in or out of training data collection at any time in your account settings
  • Opting out does not affect your access to AI features
  • Training data is anonymized before use — individual users cannot be identified
  • Anthropic does not use your data to train their general models (per our data processing agreement)

Sub-Processors and Third-Party Services

We share your information with the following sub-processors to operate the Platform. Each processes data only as necessary for their stated purpose:

Our Sub-Processors

  • Stripe (San Francisco, CA) — Payment processing, subscription billing, and Stripe Connect payouts. Processes payment card details, banking information, and transaction data.
  • Anthropic (San Francisco, CA) — AI features including proposal generation and pricing intelligence. Processes project descriptions, service details, and professional context.
  • Supabase (San Francisco, CA) — Database hosting, user authentication, and real-time features. Stores account data, profiles, project data, and messages.
  • Sentry (San Francisco, CA) — Error monitoring and application performance tracking. Processes error logs, stack traces, and device/browser metadata (with your consent).
  • Vercel (San Francisco, CA) — Application hosting, CDN, and anonymous web analytics. Processes page views, performance metrics, and IP addresses (analytics require your consent).
  • Resend (San Francisco, CA) — Transactional email delivery. Processes email addresses, names, and email content for account verification, payment receipts, and notifications.

Cookie Policy

We use cookies to operate and improve the Platform. You can manage your cookie preferences at any time using the 'Cookie Settings' link in the footer.

Essential Cookies (Always Active)

These cookies are required for the Platform to function and cannot be disabled:

  • sb-*-auth-token — Supabase authentication session. Duration: session / 1 year for 'remember me'.
  • pb_consent — Stores your cookie consent preferences. Duration: 12 months.
  • pb_dnt — Stores your 'Do Not Sell' preference. Duration: 12 months.

Analytics Cookies (Require Consent)

These cookies help us understand how visitors use the Platform:

  • Vercel Analytics — Collects anonymous page views, performance metrics, and referrer data. No personally identifiable information is stored. Duration: session.

Error Tracking (Requires Consent)

These help us identify and fix bugs:

  • Sentry — Captures JavaScript errors, stack traces, and browser metadata to help us fix issues. Duration: session.

Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Account data — Retained while your account is active. Deleted within 30 days of account deletion request.
  • Profile and service listings — Retained while your account is active.
  • Messages and communications — Retained for 3 years after last activity, then anonymized.
  • Payment records and invoices — Retained for 7 years for tax and legal compliance.
  • Server logs and IP addresses — Retained for 90 days for security purposes.
  • Analytics data — Aggregated and anonymized; raw data retained for 12 months.
  • AI interaction logs — Retained for 90 days, then deleted or anonymized.
  • Error tracking data (Sentry) — Retained for 90 days.

Information Sharing

We may share your information with:

  • Other platform users as necessary for service delivery (e.g., your profile is visible to potential clients)
  • Sub-processors listed above, solely for operating the Platform
  • Legal authorities when required by law, subpoena, or court order
  • Professional advisors (legal, accounting) under confidentiality agreements
  • Third parties in connection with a merger, acquisition, or sale of assets (with prior notice to users)

Data Security

We implement appropriate technical and organizational security measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and dependency audits
  • Role-based access controls and authentication
  • Secure data storage via Supabase with row-level security policies
  • Incident response procedures
  • Employee and contractor confidentiality agreements

International Data Transfers

Postboard is operated from the United States. All of our sub-processors are based in the United States. If you access the Platform from outside the United States (including the EU/EEA or UK), your data will be transferred to and processed in the United States.

Transfer Safeguards

For transfers of personal data from the EU/EEA and UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all sub-processors
  • Additional technical and organizational safeguards as appropriate
  • The EU-US Data Privacy Framework where applicable

Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR), Articles 13-14:

Your Rights

You may exercise the following rights by contacting privacy@postboard.io:

  • Right of Access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16) — Request correction of inaccurate personal data.
  • Right to Erasure (Art. 17) — Request deletion of your personal data ('right to be forgotten').
  • Right to Restriction (Art. 18) — Request that we restrict processing of your data.
  • Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21) — Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent — Withdraw consent at any time without affecting prior processing.
  • Right to Lodge a Complaint — You have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, CNIL in France, BfDI in Germany).

Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract — Processing necessary to provide the Platform services you signed up for.
  • Consent — Analytics cookies, error tracking, and marketing communications (withdrawable at any time).
  • Legitimate Interests — Security logging, fraud prevention, and product improvement.
  • Legal Obligation — Tax record retention, responding to legal requests.

California Privacy Rights (CCPA)

Under the California Consumer Privacy Act (CCPA), California residents have specific rights regarding their personal information:

Your Rights

As a California resident, you have the following rights:

  • Right to Know — Request categories and specific pieces of personal information collected, used, and shared.
  • Right to Delete — Request deletion of personal information we collected.
  • Right to Opt-Out — Opt out of the 'sale' or 'sharing' of personal information. Visit our Do Not Sell or Share page to exercise this right.
  • Right to Non-Discrimination — Equal service and pricing even if you exercise your privacy rights.
  • Right to Correct — Request correction of inaccurate personal information.

How to Exercise Your Rights

You can exercise your CCPA rights by:

  • Visiting postboard.io/do-not-sell to opt out of sale/sharing
  • Emailing privacy@postboard.io with your request
  • Enabling Global Privacy Control (GPC) in your browser — we honor GPC signals automatically
  • We will respond to verifiable consumer requests within 45 days

Categories of Personal Information We Collect

We collect the following categories of personal information:

  • Identifiers (name, email, phone, IP address)
  • Professional information (skills, certifications, work history)
  • Commercial information (services purchased or provided, transaction history)
  • Internet activity (platform usage, page views, interactions)
  • Geolocation data (approximate, derived from IP address)
  • Audio/visual information (profile photos)
  • Inferences drawn from above data

Children's Privacy

Postboard is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If you are under 18, do not use the Platform or provide any information. If we learn we have collected information from someone under 18, we will delete it promptly. If you believe we have information from a minor, please contact us at privacy@postboard.io.

Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of material changes by email or through a prominent notice on the Platform at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

Data Protection Contact

For any privacy-related questions, requests, or complaints, contact us at:

  • Email: privacy@postboard.io
  • General support: support@postboard.io
  • Mailing address: Postboard, Portland, Oregon, United States
  • We aim to respond to all privacy requests within 30 days (45 days for CCPA requests).

Questions about our privacy policy? Contact us

Also see our Terms of Service · Do Not Sell or Share