Privacy Policy
Last updated: March 2026
Table of Contents
- Introduction and Data Controller
- Categories of Personal Data Collected
- Lawful Basis for Processing (UK GDPR)
- Data Processing Activities
- AI and Third-Party Processing (OpenAI)
- Sharing Your Data with Third Parties
- International Data Transfers
- Data Retention Schedule
- Security Measures
- Your UK GDPR Rights
- Cookies and Tracking Technologies
- Children's Privacy
- Contact and Complaint Information
1. Introduction and Data Controller
1.1 Overview
RudiPost is committed to protecting your privacy and ensuring transparency about how we collect, use, and process your Personal Data. This Privacy Policy explains our practices in detail.
This Privacy Policy applies to all users of RudiPost, including account holders, potential users on our waitlist, and anyone whose data we may process in connection with the Service.
1.2 Data Controller
RudiPost is operated by The WILD Axis Group, a company registered in England & Wales. We are the Data Controller responsible for your Personal Data under the UK General Data Protection Regulation (UK GDPR).
The WILD Axis Group
Location: Leicester, United Kingdom
Email: hello@rudipost.com
Alternative Contact: hello@rudipost.com
1.3 Definitions
Personal Data means any information relating to an identified or identifiable natural person. This includes names, email addresses, authentication tokens, technical identifiers, and usage patterns.
2. Categories of Personal Data Collected
2.1 Account Registration Data
| Data Category | Description | Required/Optional |
|---|---|---|
| Email Address | Your primary contact email for account registration and notifications | Required |
| Full Name | Your name or the name of the account holder | Required |
| Password Hash | Securely hashed password (never stored in plain text) | Required |
| Business Name | The name of your business or organization | Required |
| Business Location | Location of your business (city, country) | Required |
| Business Type | Category of your business (e.g., logistics, distribution) | Required |
| Phone Number | Optional contact number for account verification | Optional |
2.2 OAuth and Social Media Authentication Data
| Data Category | Description |
|---|---|
| OAuth Tokens | Authentication credentials from TikTok, Instagram, LinkedIn, Facebook, etc., allowing us to post content and retrieve analytics |
| Social Media Account ID | Your unique identifier on connected Social Media Platforms |
| Social Media Username | Your public username on Social Media Platforms |
| Account Metadata | Information about your social media accounts (e.g., follower count, account creation date, public profile data) |
2.3 Content and Generation Data
| Data Category | Description |
|---|---|
| Prompts | Text instructions you provide to AI models for generating images and captions |
| Generated Images | Images created by OpenAI's image generation models based on your prompts |
| Generated Text | Captions and text created by OpenAI's language models based on your instructions |
| Posted Content | Records of content posted to your social media accounts via RudiPost |
| Content Preferences | Your saved settings, templates, and preferences for content generation |
2.4 Technical and Usage Data
| Data Category | Description |
|---|---|
| IP Address | Your Internet Protocol address for security and abuse prevention |
| Device Information | Operating system, browser type, device model, and device identifier |
| Usage Logs | Records of actions performed in RudiPost (feature usage, login times, content generation) |
| Cookies and Tracking Data | Session identifiers, preference data, and tracking pixels (see Cookies section) |
| Error and Crash Logs | Technical debugging information when errors occur |
2.5 Analytics Data
| Data Category | Description |
|---|---|
| Post Performance Metrics | Likes, shares, comments, views, engagement rates on posted content |
| Feature Usage Analytics | Which features you use, how frequently, and for how long |
| Conversion and Event Data | Specific actions like successful post generation, successful posting, or account upgrades |
2.6 Communication Data
- Emails sent to and from you regarding your account
- Customer support messages and tickets
- Newsletters and marketing communications (if subscribed)
- Feedback and survey responses
2.7 Data Not Collected
RudiPost does not intentionally collect:
- Biometric data (fingerprints, facial recognition, etc.)
- Financial information beyond what's necessary for billing (and only for paid services)
- Special category data (racial origin, religious beliefs, health data, etc.) unless explicitly provided in content
- Data from individuals under 18 years old
3. Lawful Basis for Processing (UK GDPR Article 6)
Under UK GDPR Article 6, we only process Personal Data on the basis of a lawful ground. The table below outlines our processing activities and their corresponding lawful basis:
| Processing Activity | Lawful Basis | Explanation |
|---|---|---|
| Account registration and management | Contract (GDPR 6(1)(b)) | Necessary to establish and maintain your account as a user of RudiPost |
| OAuth authentication and token storage | Contract (GDPR 6(1)(b)) | Required to connect your social media accounts and deliver the core service of posting content |
| Content generation and posting | Contract (GDPR 6(1)(b)) | Core service functionality you have requested |
| Usage analytics and feature optimization | Legitimate Interest (GDPR 6(1)(f)) | To improve our service, identify issues, and optimize user experience. Your interests are balanced by privacy-protective measures |
| Security, fraud detection, and abuse prevention | Legitimate Interest (GDPR 6(1)(f)) and Legal Obligation (GDPR 6(1)(c)) | To protect our systems, users, and comply with laws regarding illegal activity |
| Marketing and promotional emails (if you consent) | Consent (GDPR 6(1)(a)) | Only when you have explicitly opted in to receive marketing communications |
| Technical support and customer service | Contract (GDPR 6(1)(b)) and Legitimate Interest (GDPR 6(1)(f)) | To respond to your inquiries and resolve issues |
| Legal and regulatory compliance | Legal Obligation (GDPR 6(1)(c)) | To comply with UK law, tax requirements, and regulatory obligations |
| Data aggregation and anonymization | Legitimate Interest (GDPR 6(1)(f)) | For statistical analysis, trend identification, and business development. Data is not identifiable |
| Enforcement of terms and legal claims | Legitimate Interest (GDPR 6(1)(f)) and Legal Obligation (GDPR 6(1)(c)) | To enforce our Terms and defend against legal claims |
4. Data Processing Activities
4.1 Account Registration and Authentication
When you create a RudiPost account, we collect and process your email, name, business details, and a securely hashed password. We use this data to create your account, authenticate you on login, and communicate important account information.
4.2 OAuth Authorization and Social Media Connection
When you authorize RudiPost to connect to your social media accounts (TikTok, Instagram, LinkedIn, Facebook), we:
- Receive an OAuth token from the Social Media Platform
- Store the token securely on encrypted servers
- Use the token to authenticate requests to post content and retrieve analytics
- Do not share the token with any other service
- Delete the token when you revoke authorization
4.3 Content Generation via AI
Your prompts and preferences are sent to OpenAI's servers for processing. See section 5 (AI and Third-Party Processing) for full details on how OpenAI handles this data.
4.4 Content Posting and Distribution
Generated content is posted to your connected Social Media Accounts using OAuth tokens. We store a record of posted content for analytics and account management purposes.
4.5 Analytics and Performance Tracking
We retrieve performance data (views, likes, shares, comments) from Social Media Platforms to provide you with analytics. This data is stored on our servers for historical reporting and trend analysis.
4.6 Usage Analytics for Service Improvement
We collect technical and usage data (IP addresses, device information, feature usage) to understand how users interact with RudiPost. This helps us identify issues, optimize performance, and develop new features. This data is processed in aggregated form whenever possible.
4.7 Security and Fraud Detection
We process IP addresses, device information, and login patterns to detect and prevent unauthorized access, fraud, and abuse. This may include automated decision-making for anomaly detection.
4.8 Communications
We process your email address to send:
- Account notifications (password resets, security alerts, posting confirmations)
- Service updates and changes to terms
- Technical support responses to your inquiries
- Marketing communications (only with your consent, if applicable)
5. AI and Third-Party Processing (OpenAI)
5.1 OpenAI Data Processing
RudiPost uses OpenAI's API to generate images (DALL-E) and text (GPT models). When you use content generation features, your prompts and parameters are sent to OpenAI's servers.
5.2 OpenAI's Data Handling
Important: Your use of OpenAI's services is subject to OpenAI's Privacy Policy and Terms of Service.
- Data Retention: OpenAI retains prompts and content for 30 days by default for security and abuse prevention
- Data Usage: If you are on a Business plan with OpenAI, your data may not be used to train models. For free/standard tier users, OpenAI may use data to improve their services
- Training: RudiPost does not use your data to train our own AI models without explicit consent
- Data Processing Agreement: RudiPost has contracted with OpenAI as required under GDPR Article 28
5.3 Data Processor Agreement
We have established a Data Processing Agreement (DPA) with OpenAI as a data processor under GDPR Article 28. This agreement ensures that OpenAI processes your data only according to our instructions and applies appropriate security measures.
5.4 International Data Transfers
OpenAI's servers are located in the United States. Your prompts and generated content may be transferred outside the UK. We rely on OpenAI's standard contractual clauses (approved mechanisms under GDPR) for these transfers. See section 7 for full details on international transfers.
6. Sharing Your Data with Third Parties
RudiPost shares your Personal Data only with carefully selected third parties who are necessary for service delivery. Below is a comprehensive table of all third parties who may access your data:
| Third Party | Purpose | Data Shared | Location | Legal Basis |
|---|---|---|---|---|
| OpenAI | AI image and text generation | Prompts, preferences, generated content | United States | Contract (service delivery) |
| TikTok | Post content, retrieve analytics, authenticate via OAuth | OAuth token, posted content, account metadata | United States / China | Contract (OAuth authorization) |
| Meta (Instagram, Facebook) | Post content, retrieve analytics, authenticate via OAuth | OAuth token, posted content, account metadata | United States | Contract (OAuth authorization) |
| LinkedIn | Post content, retrieve analytics, authenticate via OAuth | OAuth token, posted content, account metadata | United States | Contract (OAuth authorization) |
| Cloud Hosting Provider (AWS/Google Cloud) | Data storage, infrastructure, security | All account and service data | United States / EU | Contract (service delivery) |
| Email Service Provider (SendGrid/Mailgun) | Transactional email delivery | Email address, name, basic account info | United States | Contract (service delivery) |
| Payment Processor (Stripe, unless specified) | Process payments for paid tiers | Name, email, limited billing data | United States | Contract (billing) |
| Analytics Provider (Plausible / Mixpanel) | Service analytics and user behavior analysis | Anonymized usage data, device info, IP address (anonymized) | EU / United States | Legitimate Interest |
| Legal and Compliance Services | Legal advice, compliance, dispute resolution | Data relevant to specific legal matters only | UK / EU / US as needed | Legal Obligation / Legitimate Interest |
| Law Enforcement / Government Agencies | Respond to legal process, court orders, data protection authorities | As required by law | UK / EU as required | Legal Obligation |
6.1 No Unauthorized Sharing
We do not sell, rent, or share your Personal Data for marketing purposes to third parties. We do not share your data with advertisers or data brokers.
6.2 Disclosure by Law
We may disclose your Personal Data if required by law, including court orders, subpoenas, or regulatory requests. We will provide notice of such requests unless legally prohibited from doing so.
6.3 Business Transactions
If RudiPost is involved in a merger, acquisition, bankruptcy, or sale of assets, your Personal Data may be transferred as part of that transaction. We will notify you of any material change in our data practices.
6.4 Consent and Opt-Out
For third-party sharing beyond what is necessary for service delivery, we obtain your explicit consent. You can withdraw this consent at any time by contacting us at hello@rudipost.com.
7. International Data Transfers
7.1 Transfer Mechanisms
RudiPost is based in the UK and stores data primarily in the UK or EU data centers. However, some of our service providers (OpenAI, TikTok, AWS, Google Cloud) are based in the United States or other jurisdictions outside the UK/EEA.
7.2 Legal Safeguards for US Transfers
For transfers to the United States, we rely on the following mechanisms approved under UK GDPR:
- Standard Contractual Clauses (SCCs): We use SCCs approved by the UK government for data transfers to services like OpenAI and cloud providers
- Adequacy Decisions: Some transfers are made under adequacy decisions issued by the UK government
- Explicit Consent: For certain transfers (e.g., social media platforms), you have explicitly consented via OAuth
7.3 Supplementary Measures
We implement supplementary technical and organizational measures including:
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Data minimization (sharing only necessary data)
- Contractual commitments to confidentiality and security
7.4 Your Rights
You have the right to obtain information about the safeguards we have put in place for international transfers. Contact us at hello@rudipost.com to request details.
8. Data Retention Schedule
We retain your Personal Data for the duration necessary to fulfill the purposes outlined in this Privacy Policy. Below is our retention schedule by data category:
| Data Category | Retention Period | Purpose of Retention | Deletion Trigger |
|---|---|---|---|
| Account Registration Data (email, name, business details) | Duration of account + 12 months after deletion request | Account management, contact | User deletion request or account inactivity of 2 years |
| Password Hash | Duration of account active use | Authentication | Account deletion or password reset |
| OAuth Tokens | Until revoked by user or Social Media Platform | Service delivery | User revocation request within 48 hours |
| Generated Prompts and Content (locally stored) | Duration of account or until user deletion | Service history, user reference | User deletion request or account deletion |
| Posted Content Records | 12 months for analytics; longer if needed for legal claims | Analytics, account history | 12 months from post or account deletion |
| Analytics and Usage Logs | 12 months | Service optimization, abuse detection | 12 months from collection |
| IP Addresses and Device Information | 90 days for security; anonymized after | Security, fraud detection | 90 days unless security investigation ongoing |
| Communication Records (emails, support tickets) | 3 years for customer service; longer if legal dispute | Customer support, legal defense | 3 years from last communication |
| Marketing Opt-In Records | Duration of marketing consent or 3 years | Marketing compliance, PECR evidence | Consent withdrawal or 3 years |
| Tax and Legal Records | 6 years (UK tax retention requirement) | Tax compliance, legal obligations | 6 years from end of fiscal year |
| Backup and Archive Data | 12 months after primary deletion | Disaster recovery, business continuity | Purged from backups 12 months post-deletion |
8.1 Special Circumstances
We may retain data longer than the periods above if:
- You have an active legal claim or dispute with us
- Required by law or regulatory obligation
- Necessary for fraud prevention or security investigation
- Data is anonymized for statistical or analytical purposes
8.2 Secure Deletion
When we delete your data, we use secure deletion methods that render data unrecoverable. Data in backups is securely overwritten after 12 months.
9. Security Measures
9.1 Technical Security
RudiPost implements industry-standard security measures to protect your Personal Data:
- Encryption in Transit: All data transmitted between your device and RudiPost is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at Rest: Sensitive data (passwords, OAuth tokens, payment information) is encrypted using AES-256 encryption
- Password Security: Passwords are hashed using bcrypt or PBKDF2 and never stored in plain text
- Secure Authentication: Multi-factor authentication (MFA) is available and recommended for additional security
- Regular Security Audits: We conduct regular security assessments and penetration testing
- Vulnerability Management: We have a process for identifying, reporting, and remediating security vulnerabilities
9.2 Organizational Security
- Access Controls: Only authorized employees with a legitimate business need have access to personal data
- Employee Training: All staff handling personal data receive data protection and security training
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements
- Data Protection by Design: We implement data protection principles in all new systems and features
- Incident Response Plan: We have a documented plan for responding to security breaches
9.3 Third-Party Security
We require all third-party providers to implement equivalent security measures. Contracts include mandatory security obligations and audit rights.
9.4 Security Limitations
While we implement comprehensive security measures, no system is 100% secure. We cannot guarantee absolute security against sophisticated attacks or breaches caused by factors beyond our control (e.g., compromised social media accounts).
10. Your UK GDPR Rights
Under the UK General Data Protection Regulation, you have the following rights regarding your Personal Data. To exercise any of these rights, contact us at hello@rudipost.com.
10.1 Right of Access (Article 15)
You have the right to request access to all your Personal Data that we hold. We will provide you with a copy of your data in a structured, commonly used format within 30 days. This is sometimes called a "Subject Access Request" or SAR.
How to exercise: Send a request to hello@rudipost.com with the subject line "Data Access Request" and proof of identity.
10.2 Right to Rectification (Article 16)
You have the right to correct any inaccurate or incomplete Personal Data we hold. You can update some information directly in your account settings, or contact us to request corrections.
How to exercise: Update information in your account, or email hello@rudipost.com with the corrections requested.
10.3 Right to Erasure (Article 17) - "Right to be Forgotten"
You have the right to request deletion of your Personal Data in certain circumstances, including:
- The data is no longer necessary for the purpose we collected it
- You withdraw consent on which processing is based
- You object to processing and there is no overriding legitimate interest
- The data has been unlawfully processed
- You are under 18 (with parental consent)
Exceptions: We may retain data when required by law (e.g., tax records, legal claims) or where we have overriding legitimate interests.
How to exercise: Email hello@rudipost.com with "Erasure Request" and specify which data you want deleted.
10.4 Right to Restrict Processing (Article 18)
You have the right to restrict how we process your Personal Data in certain circumstances. When restricted, we will store the data but not actively process it, except with your consent or for legal purposes.
How to exercise: Contact hello@rudipost.com with "Restrict Processing Request" and explain the reason.
10.5 Right to Data Portability (Article 20)
You have the right to receive a copy of your Personal Data in a portable, machine-readable format (e.g., CSV, JSON) and transmit it to another service. This applies to data you provided or that was generated based on your actions.
Scope: This right applies to personal data processed based on contract or consent. It does not include data about your service use that we have a legitimate interest in processing.
How to exercise: Email hello@rudipost.com with "Data Portability Request".
10.6 Right to Object (Article 21)
You have the right to object to processing of your Personal Data where it is based on legitimate interest or profiling, including:
- Marketing and promotional processing
- Analytics and service optimization
- Automated decision-making
Objection to marketing: You can opt out of marketing emails by clicking "Unsubscribe" in any marketing email or contacting us.
Objection to other processing: Email hello@rudipost.com with "Objection to Processing" and specify which activity you object to.
10.7 Right to Withdraw Consent (Article 7)
Where we process your data based on your consent (e.g., marketing communications), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before consent was withdrawn.
How to exercise: Opt out of marketing emails, or email hello@rudipost.com to withdraw other consents.
10.8 Rights Related to Automated Decision-Making (Article 22)
If we make automated decisions about you (e.g., fraud detection, content moderation), you have the right to:
- Know that automated decision-making is occurring
- Obtain an explanation of the decision
- Express your point of view
- Contest the decision
Note: RudiPost currently uses automated systems for fraud/abuse detection. If you believe a decision is incorrect, contact us immediately at hello@rudipost.com.
10.9 Right to Complain to a Regulator (Article 77)
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we are mishandling your Personal Data.
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Phone: +44 303 123 1113
Email: casework@ico.org.uk
Website: www.ico.org.uk
10.10 Response Times
We will respond to all rights requests within 30 calendar days. This period may be extended by 60 additional days for complex requests or high volume, with notice provided to you.
10.11 No Discrimination
We will not discriminate against you or refuse service for exercising your rights under UK GDPR, except where a service cannot be provided without specific data.
12. Children's Privacy
12.1 Not Intended for Minors
RudiPost is intended for users who are 18 years of age or older. We do not knowingly collect Personal Data from children under 18.
12.2 If We Discover Data from a Minor
If we discover that we have collected Personal Data from a user under 18, we will:
- Immediately suspend or terminate the account
- Delete all associated Personal Data within 30 days
- Notify the user or parent/guardian if possible
12.3 Parental Concerns
If you are a parent or guardian and believe your child has created a RudiPost account or we have their data, please contact us immediately at hello@rudipost.com. We will investigate and take appropriate action.
13. Contact and Complaint Information
13.1 Data Protection Officer Contact
If you have questions about this Privacy Policy or our data handling practices, contact:
Email: hello@rudipost.com
Alternative: hello@rudipost.com
Company: The WILD Axis Group
Location: Leicester, United Kingdom
Response Time: Within 5 business days
13.2 UK Information Commissioner's Office
To lodge a complaint about our data handling practices, contact the UK's data protection regulator:
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Phone: +44 303 123 1113
Email: casework@ico.org.uk
Website: www.ico.org.uk
13.3 Data Breach Notification
If we discover a data breach that poses a risk to your rights and freedoms, we will:
- Notify you within 72 hours of discovery (where possible)
- Provide details of the breach and steps you can take to protect yourself
- Notify the ICO as required by UK GDPR Article 33
Notification will be sent to your registered email address.
13.4 Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will:
- Post the updated policy on our website with a new "Last Updated" date
- For material changes, send email notification to your registered email address
- Obtain your consent for material changes affecting processing of your data
Continued use of RudiPost after changes indicates your acceptance of the updated Privacy Policy.