Privacy Policy
Last updated: March 24, 2026
1. Information We Collect
When you use AutoPublish, we collect:
- Account information: Your email address and encrypted password, collected when you create an account.
- WordPress credentials: Your WordPress site URL, username, and Application Password. These are stored encrypted and used solely to publish content to your sites.
- Content data: Topics, keywords, and settings you enter into the platform, as well as published articles and their performance metadata.
- Usage data: Pages visited, features used, and general activity logs for the purpose of improving the product.
- Payment data: Billing is handled by Stripe. We do not store your payment card information.
2. How We Use Your Information
We use your information to:
- Provide and operate the AutoPublish service
- Publish content to your WordPress sites on your behalf
- Send transactional emails (publish confirmations, error notifications) when enabled
- Improve and debug the platform
- Respond to support requests
- Comply with legal obligations
We do not sell, rent, or share your personal information with third parties for marketing purposes.
3. Third-Party Services
AutoPublish uses the following third-party services to operate:
- Supabase: Database and authentication infrastructure. Data is stored in Supabase's hosted PostgreSQL service.
- OpenAI: Content generation (GPT-4.1 / GPT-5 series) and image generation (GPT-image-1). Article topics and keywords are sent to OpenAI's API. We do not send personally identifiable information to OpenAI.
- Pexels: Stock image sourcing. Keyword queries are sent to the Pexels API to fetch relevant images.
- Tavily: Search engine research. Keywords may be sent to Tavily for competitor analysis.
- Stripe: Payment processing. All billing data is handled by Stripe and subject to their privacy policy.
- Railway: Backend processing infrastructure.
- PostHog: Product analytics. We collect anonymised usage events (page views, feature interactions) to understand how the product is used. No personally identifiable information is attached to these events. Data is processed by PostHog, Inc. under their privacy policy.
- Tawk.to: Live chat support. When you use the chat widget, your messages and IP address are processed by Tawk.to in accordance with their privacy policy. You may disable the widget using your browser's JavaScript controls.
4. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
Published articles remain on your WordPress sites — we do not delete content from your WordPress installation when you cancel your account.
5. Security
We implement industry-standard security practices including:
- Encryption of data in transit (HTTPS/TLS)
- Encrypted storage of WordPress Application Passwords
- Row-level security on all database tables
- Authentication via Supabase with bcrypt password hashing
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
6. Cookies and Local Storage
We use only strictly necessary session cookies (provided by Supabase) to maintain your login state. These are essential for the service to function. We do not use advertising, analytics, or tracking cookies.
We also use localStorage in your browser to store non-personal UI preferences (e.g., dismissing the announcement banner). This data never leaves your device.
For full details on the specific cookies we set, see our Cookie Policy.
7. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your data in a machine-readable format
- Object to processing of your data
To exercise any of these rights, email us at [email protected].
7a. Lawful Basis for Processing (GDPR)
For users in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following lawful bases (Article 6, GDPR):
- Contract performance (Art. 6(1)(b)): Processing your email address and account credentials to create and maintain your account, and processing your WordPress credentials to publish content on your behalf.
- Legitimate interests (Art. 6(1)(f)): Processing usage data to improve and debug the platform, and using essential session cookies to enable login functionality.
- Legal obligation (Art. 6(1)(c)): Retaining records where required by applicable law, and notifying authorities of data breaches.
You have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, contact the supervisory authority in your member state.
8. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request a list of the personal information we collect, use, disclose, and sell about you.
- Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out: AutoPublish does not sell your personal information to third parties. You have the right to opt out of any such sale if that changes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your California privacy rights, email us at [email protected] with the subject line "California Privacy Request". We will respond within 45 days as required by law.
8a. Other US State Privacy Laws
If you reside in Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, or Virginia, similar rights apply under your state's privacy law (CPA, CTDPA, DPDPA, ICDPA, MCDPA, NDPA, NHPA, NJDPA, OCDPA, TDPSA, UCPA, VCDPA respectively). We honor the substance of these rights — access, correction, deletion, portability, opt-out of targeted advertising/sale/profiling — for all customers regardless of residence. Full list: Regulations We Honor.
We honor Global Privacy Control (GPC) signals as a valid universal opt-out. Browsers sending the GPC header are automatically opted out of non-essential analytics and any data sharing for advertising purposes.
8b. Quebec Law 25
For Quebec residents, the Act to modernize legislative provisions as regards the protection of personal information (Law 25) grants additional rights including portability, the right to de-indexing, and the right to object to automated decision-making. Complaints may be filed with the Commission d'accès à l'information du Québec (CAI).
8c. Other Jurisdictions We Serve
We honor the substantive rights granted under:
- 🇧🇷 LGPD (Brazil) — Lei Geral de Proteção de Dados. Supervisory authority: ANPD.
- 🇨🇭 FADP (Switzerland) — revised Federal Act on Data Protection. Supervisory authority: FDPIC.
- 🇯🇵 APPI (Japan) — Act on the Protection of Personal Information. Supervisory authority: PPC.
- 🇹🇭 PDPA (Thailand) — Personal Data Protection Act B.E. 2562. Supervisory authority: PDPC.
- 🇿🇦 POPIA (South Africa) — Protection of Personal Information Act. Supervisory authority: Information Regulator.
- 🇦🇺 APA (Australia) — Privacy Act 1988 (as amended). Supervisory authority: OAIC.
- 🇳🇿 NZPA (New Zealand) — Privacy Act 2020. Supervisory authority: OPC.
A full directory of supervisory authorities, effective dates, and per-regulation rights is on the Regulations We Honor page. Exercise any right via the Data Subject Request page. View our full third-party data processors at Subprocessors.
9. International Data Transfers
AutoPublish operates from Canada. Canada has been granted an adequacy decision by the European Commission under GDPR (Commission Decision 2002/2/EC), meaning personal data can flow from the EEA to Canada without additional safeguards.
Some of our infrastructure providers (Supabase, Railway, OpenAI) are based in the United States. For transfers of personal data from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the lawful transfer mechanism. You may request a copy of applicable SCCs by contacting us at [email protected].
By using the Service, you acknowledge that your data will be processed in these jurisdictions.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and applicable regulatory authorities within 72 hours of becoming aware of the breach, to the extent required by applicable law. Notification will be sent to the email address associated with your account. We will include: a description of the nature of the breach, the categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
11. Data Minimization
We collect only the personal data necessary to provide the Service. We do not collect:
- Sensitive personal data (health, financial account numbers, government ID)
- Data about minors
- Biometric data
- Precise geolocation data
WordPress Application Passwords you provide are encrypted at rest using AES-256 and are only decrypted transiently during the publishing process. We do not log or retain decrypted credentials beyond the publishing operation.
12. Children
AutoPublish is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or by displaying a notice in the dashboard. Your continued use of AutoPublish after changes are posted constitutes your acceptance of the updated policy.
14. Contact
For privacy-related questions or requests, contact us at: