Privacy Policy

Last updated: April 3, 2026

1. Information We Collect

Account information: When you create a ReachPilot account, we collect your name, email address, company name (if provided), and timezone.

OAuth tokens: When you connect social media platforms, we receive and store OAuth access tokens and refresh tokens. These tokens are encrypted at rest using AES-256-GCM and are used solely to publish content, retrieve analytics, and manage your connected accounts on your behalf.

Usage data: We collect information about how you interact with ReachPilot, including features used, content created, posts scheduled, and analytics viewed. This helps us improve the platform.

Payment information: Payment processing is handled by Stripe. We do not store credit card numbers. We receive and store your Stripe customer ID, subscription status, and billing history.

2. How We Use Your Information

We use your information to provide and improve ReachPilot's marketing automation services, including: generating AI-powered content, publishing to connected social media platforms, collecting and displaying analytics, managing your subscription, and sending transactional emails (account confirmations, password resets, billing receipts).

We may send product updates and feature announcements. You can unsubscribe from marketing emails at any time.

3. Platform Data and OAuth Tokens

When you connect social media accounts, we access platform APIs using OAuth 2.0 with PKCE. We request minimal permissions — only what is required for publishing, scheduling, and analytics retrieval.

OAuth tokens are encrypted at rest using AES-256-GCM and are never shared with third parties. You can revoke any platform connection at any time from your dashboard, which immediately invalidates stored tokens.

We store aggregate analytics data from connected platforms. We do not store personal data of your audience or followers.

4. Cookies and Tracking

ReachPilot uses a cookie consent banner that appears before any non-essential cookies are loaded (GDPR requirement). You can manage your cookie preferences at any time using the "Cookie Preferences" link in the page footer.

Essential cookies (always on): Session cookies for authentication, CSRF protection tokens, and the cookie consent preference itself (reachpilot-consent). These are required for the platform to function and cannot be disabled.

Analytics cookies (opt-in): We use PostHog for product analytics and feature management. PostHog is only loaded if you consent to analytics cookies. PostHog data is used to understand how users interact with ReachPilot and to improve the product.

Marketing cookies (opt-in): Third-party tracking pixels and marketing tools. Currently ReachPilot does not use marketing cookies, but this category is reserved for future use and requires your explicit consent.

We do not sell your data to advertisers or data brokers. We do not use third-party advertising cookies without your consent.

5. Data Security

All platform access tokens are encrypted at rest using AES-256-GCM. All data in transit is protected with TLS 1.3. We use secure HTTPS connections, enforce HSTS headers, and follow industry best practices for data protection.

Our infrastructure runs on Vercel and AWS with automated security scanning, DDoS protection, and geographic redundancy.

6. Data Retention

We retain data for the following periods:

  • Account data: Retained while your account is active.
  • Posts and campaigns: Retained while your account is active; deleted 7 days after account deletion request (grace period).
  • Analytics snapshots: Retained according to your plan tier (Free: 30 days, Pro: 1 year, Agency: 2 years).
  • OAuth tokens: Revoked and deleted immediately upon disconnection or account deletion.
  • Invoices and billing records: Anonymized upon account deletion but retained for 7 years per Australian tax law requirements.
  • Audit logs: Retained for 90 days, then anonymized. Anonymized logs may be retained for security and compliance purposes.
  • Backups: Purged within 90 days of data deletion.

Upon account deletion, we initiate a 7-day grace period. After this period, personal data, content, and OAuth tokens are permanently deleted. You can request immediate deletion at any time by contacting support@reachpilot.com.au.

7. International Data Transfers

ReachPilot is built in Australia and serves users globally. User data is primarily stored in US-based data centers via Vercel and AWS. International data transfers are protected using Standard Contractual Clauses (SCCs) where applicable.

For users subject to specific data residency requirements, we support data processing agreements (DPAs). Contact us for details.

8. Third-Party Services (Subprocessors)

We share data with the following third-party service providers (subprocessors) to operate ReachPilot:

Service | Purpose | Location
Vercel | Hosting and edge functions | US (global edge)
Neon (PostgreSQL) | Primary database | US
Stripe | Payment processing | US
Anthropic (Claude AI) | AI content generation | US
Resend | Transactional email | US
PostHog | Product analytics (with consent) | US/EU
Facebook / Instagram (Meta) | Social publishing and analytics | US
LinkedIn (Microsoft) | Social publishing and analytics | US
X / Twitter | Social publishing and analytics | US
TikTok (ByteDance) | Social publishing and analytics | US/Singapore
YouTube (Google) | Video publishing and analytics | US
Pinterest | Social publishing and analytics | US
Google Ads | Advertising management | US

Each third-party service has its own privacy policy governing its use of data. We encourage you to review their policies directly.

9. Your Rights

Regardless of your location, you have the following rights regarding your personal data:

  • Access (Data Export): Request a copy of all personal data we hold about you. You can use the self-service data export in your account settings, which provides a machine-readable JSON file containing your profile, posts, analytics, and connection metadata.
  • Correction: Request correction of inaccurate personal data. You can edit your name, email, timezone, and locale in your account settings.
  • Deletion: Request deletion of your personal data. You can initiate account deletion from your account settings. Accounts are marked for deletion with a 7-day grace period, after which all personal data is permanently removed. Invoices are anonymized for tax compliance.
  • Portability: Request an export of your data in a machine-readable format (JSON). Available via the data export feature.
  • Restriction: Request that we limit how we process your data.
  • Objection: Object to processing of your personal data where we rely on legitimate interest as the legal basis.
  • Do Not Sell (CCPA): ReachPilot does not sell personal data to third parties.
  • Disconnection: Revoke platform connections at any time through your dashboard settings, immediately invalidating stored tokens.

10. GDPR (European Economic Area)

If you are in the EEA, our legal bases for processing your data are: contract performance (providing the ReachPilot service), legitimate interest (improving our product), and consent (where applicable, such as marketing emails).

You may exercise your GDPR rights — including the right to erasure, data portability, and objection to processing — by contacting privacy@reachpilot.com.au.

11. Australian Privacy Act

ReachPilot complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We collect only necessary personal information, maintain a transparent privacy policy, and provide access and correction mechanisms. If you believe we have breached the APPs, you may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).

12. CCPA (California)

California residents have the right to know what personal information we collect, request deletion of that information, and opt out of the sale of personal information. ReachPilot does not sell personal data.

To exercise your CCPA rights, contact privacy@reachpilot.com.au.

13. Children's Privacy

ReachPilot is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of ReachPilot after changes take effect constitutes acceptance of the updated policy.

15. Contact

For privacy inquiries, contact us at privacy@reachpilot.com.au.

For security issues, contact security@reachpilot.com.au.
