PostGrad Privacy Policy
Version 1.3.0 -- Effective 2026-05-20
This Privacy Policy describes how PostGrad LLC ("PostGrad", "we", "us", or "our") collects, uses, shares, and protects personal information when you use postgrad.io, the Knowledge API, the MCP server, and related services (collectively, the "Service"). By using the Service, you agree to the practices described here.
1. Data We Collect
We collect the following categories of personal information:
- Account information: name, email address, hashed password, organization name, billing address, and payment card details (processed by our payment processor -- we do not store full card numbers).
- Content you provide: meeting transcripts, knowledge entries, comments, and any other content you upload or submit.
- API and usage data: API keys (hashed), request timestamps, IP addresses, user-agent strings, endpoint paths, response codes, and usage volumes.
- Forensic context for legal acceptance: IP address, country derived from IP, user agent, scroll completion status, time on page, typed signature, printed name, optional title and organization -- collected once at the moment you accept legal agreements.
- Device and cookie data: session cookies, CSRF tokens, and minimal analytics cookies necessary to operate the Service.
We do not knowingly collect biometric data, precise geolocation, or special-category personal data (as defined in GDPR Article 9).
2. How We Use Your Data
We use personal information to:
- Provide, operate, maintain, and improve the Service.
- Authenticate users, issue API keys, and prevent fraud and abuse.
- Process payments and send billing communications.
- Generate evidentiary records of legal agreement acceptance.
- Send transactional notifications, security alerts, and service announcements.
- Comply with legal obligations and respond to lawful requests.
- Conduct internal analytics and aggregated reporting.
We do not use personal information for targeted advertising, and we do not build advertising profiles based on your activity.
3. Legal Basis (GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under the General Data Protection Regulation:
- Performance of a contract (Article 6(1)(b)) -- to deliver the Service you signed up for.
- Legal obligation (Article 6(1)(c)) -- to retain audit records, respond to lawful process, and meet tax and accounting requirements.
- Legitimate interests (Article 6(1)(f)) -- to secure the Service, prevent fraud, and improve product quality, balanced against your rights. You may object to processing based on legitimate interests by contacting us at [email protected].
- Consent (Article 6(1)(a)) -- for any optional cookies or marketing communications, where required. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. Sharing & Sub-Processors
We share personal information only with vetted sub-processors who help us operate the Service. Our current sub-processor list is maintained at /sub-processors and includes: cloud hosting (Vercel), database and storage (Supabase), email delivery (Resend), payments (Stripe), and authentication (Supabase Auth). Each sub-processor is bound by a written data-processing agreement that requires confidentiality and security measures consistent with this Policy.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not share personal information with advertisers. We do not disclose personal information to third parties for their own marketing purposes.
We may disclose personal information if required by law, subpoena, court order, or other legal process, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of PostGrad, our users, or the public.
5. Cookies and Tracking Technologies
We use strictly necessary cookies for authentication, session management, and security. We do not use third-party advertising cookies or cross-site tracking technologies.
Do Not Track: Some browsers transmit a "Do Not Track" (DNT) signal. Because there is no industry-accepted standard for how to respond to DNT signals, we do not currently alter our data collection or use practices in response to DNT signals. We do not, however, engage in the tracking activities that DNT is designed to prevent (such as cross-site behavioral advertising).
You may disable cookies in your browser settings, but parts of the Service may not function correctly without them.
6. Data Retention
We retain personal information as follows:
- Account data: for as long as your account is active plus thirty (30) days after account closure to allow for reactivation.
- Billing and tax records: seven (7) years from the date of the transaction, as required by IRS record-keeping obligations.
- Legal acceptance audit records (including snapshot HTML, signature metadata, and forensic context): for the duration of any applicable statute of limitations, stored in an immutable, insert-only format.
- API and usage logs: ninety (90) days for operational purposes, unless extended for an active security investigation.
- Content you provide (Submissions): governed by the Licensor Agreement and the Data Processing Addendum; deleted or returned within thirty (30) days of account termination, except where a legal hold applies.
- Database backups: rotated on a thirty (30) day cycle.
When retention periods expire, personal information is deleted or irreversibly anonymized.
7. Your Rights
Subject to applicable law, you have the following rights regarding your personal information:
- Access -- request a copy of the personal information we hold about you.
- Correction -- request correction of inaccurate or incomplete information.
- Deletion -- request erasure, subject to legal-retention exceptions described in Section 6.
- Portability -- request a machine-readable export of your data.
- Objection and restriction -- object to or restrict certain processing activities.
- Withdraw consent -- where processing is based on consent, at any time.
- Lodge a complaint -- with your local supervisory authority.
For users covered by the GDPR, we will respond to verified requests within thirty (30) days (extendable by an additional sixty (60) days for complex requests, with notice to you). For users covered by the CCPA/CPRA, we will respond to verified requests within forty-five (45) days (extendable by an additional forty-five (45) days with notice to you).
To exercise your rights, email [email protected] or use the self-serve tools at /dashboard/settings/privacy. We will verify your identity before fulfilling any request. We will not discriminate against you for exercising any of your privacy rights.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of personal information we have collected from you, subject to statutory exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information and we do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out, but you may contact us at [email protected] if you have questions.
- Right to non-discrimination: We will not deny you goods or services, charge you different prices, or provide a different level or quality of service because you exercised your CCPA/CPRA rights.
In the preceding twelve (12) months, we have collected the categories of personal information described in Section 1. We have not sold or shared (as defined by the CCPA/CPRA) any personal information. We have disclosed personal information to the categories of sub-processors described in Section 4 for the business purposes described in Section 2.
9. International Transfers
Personal information may be transferred to and processed in the United States and other countries that may not have the same data-protection laws as your country. Where required, we rely on Standard Contractual Clauses approved by the European Commission and equivalent safeguards. Details are provided in our Data Processing Addendum.
10. Children
The Service is not intended for individuals under the age of sixteen (16), and we do not knowingly collect personal information from individuals under sixteen (16). If you believe that a person under sixteen (16) has provided personal information to us, please contact us at [email protected] and we will promptly delete it. If we discover that we have collected personal information from a person under sixteen (16), we will delete that information without undue delay.
11. Security
We use technical and organizational safeguards including encryption in transit (TLS 1.2+), encryption at rest (AES-256), hashed passwords and API keys, role-based access controls, audit logging, and immutable storage for legal acceptance records. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law and our Data Processing Addendum.
12. SMS Communications and Mobile Information
When you submit a form on our website (including the /contact page or the signup flow) and opt in to receive text messages, PostGrad LLC may use your phone number to send non-marketing customer care and service-related SMS/text messages.
These messages may include replies to customer inquiries, customer care follow-ups, account notifications, sign-in confirmations, password-reset codes, suspicious-activity alerts, verification codes, billing receipts, payment-failure notices, quota-cap warnings, and follow-up communications related to your inquiry or requested service.
Opt-in. SMS messages are sent only after you affirmatively opt in by checking the SMS-consent box on the form. The checkbox is unchecked by default and is not required to submit the form or create an account. Consent is not a condition of using PostGrad. The act of checking the box, together with the timestamp of consent, your IP address, and your user agent, is retained as the evidentiary record of your opt-in.
Message frequency may vary. Most users receive fewer than five (5) SMS messages per month; high-volume users (e.g., licensors managing many feeds) may receive more.
Message and data rates may apply depending on your mobile carrier and plan. PostGrad does not charge for SMS messages, but your carrier may.
Opt-out. You may opt out of SMS messages at any time by replying STOP to any PostGrad SMS message. After you reply STOP, you may receive one confirmation message and no further SMS from PostGrad unless you opt in again. You may also opt out by emailing [email protected] with the subject "SMS opt-out" and the phone number to remove.
Help. You may reply HELP for help or assistance, or contact [email protected].
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.
We may share mobile information with subcontractors that provide support services on our behalf (such as customer service), but only where necessary to deliver those services.
The sharing described elsewhere in this Policy does not extend to text-messaging originator opt-in data and consent records. Such opt-in data and consent records will not be shared with any third parties, except for the aggregators and text-messaging service providers required to deliver SMS communications.
Supported carriers and disclaimer. Mobile carriers are not liable for delayed or undelivered messages. SMS delivery depends on your carrier, your device, and signal availability.
13. Changes to this Policy
We may revise this Policy from time to time. The revised Policy will be identified by an updated version number at the top of this page.
- Non-material changes (such as formatting, clarifications, or updated contact information) take effect on the date posted.
- Material changes (such as new categories of data collection, new purposes of processing, or new categories of third-party recipients) will be communicated by email at least thirty (30) days before they take effect and will require your re-acceptance through the Service before you may continue using it.
14. Contact & Data Protection
Privacy questions, rights requests, and complaints may be sent to [email protected]. General legal inquiries may be sent to [email protected].
PostGrad does not currently maintain a physical presence in the European Union. An Article 27 representative for the purposes of GDPR will be appointed if and when PostGrad begins processing the personal data of data subjects in the EU/EEA. The status of this appointment is maintained at /sub-processors.
---END OF POLICY---