Privacy Policy
Last updated: June 1, 2026
This page is provided for transparency and is written in plain language. It is not legal advice and is not a substitute for a policy reviewed by qualified counsel. The definitive, binding terms for customers are set out in a signed agreement and Data Processing Addendum (DPA).
Overview
Postcept provides Proof-of-Completion for AI agents: we verify high-risk actions against your systems of record and issue signed receipts. We act as a data controller for the information we collect about visitors and account holders, and as a data processor for the customer data we process on your behalf when delivering the service.
Who we are
The data controller is Postcept, Inc. If you are a customer in the EEA or UK, the relevant controller/processor roles and our processing of your end users’ data are governed by our DPA. You can reach us about privacy at privacy@postcept.com.
Information we collect
- Account & contact data, work email, name, company, role, password (stored only as a salted hash), and the contents of messages or forms you submit.
- Verification data, to verify an action, Postcept reads the minimum necessary records from the systems of record you connect (for example, a Stripe refund object or a Zendesk ticket status), plus the operation IDs, postcondition results, and signed receipts that verification produces. Access is scoped and read-only by default.
- Usage & device data, log data such as IP address, browser type, pages visited, and timestamps, collected to operate and secure the service.
- Cookies, strictly-necessary cookies (for example, your theme preference and, once available, your session). See Cookies.
How we use information
- Provide, maintain, and improve verification, receipts, and reporting.
- Authenticate you and secure your account and the service.
- Respond to your requests and send service and, where permitted, product communications.
- Detect, prevent, and investigate fraud, abuse, and security incidents.
- Comply with legal obligations and enforce our terms.
We do not sell personal information, and we do not use your verification data to train shared or third-party AI models.
Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on these legal bases:
- Contract, to provide the service you requested.
- Legitimate interests, to secure, improve, and market the service, balanced against your rights.
- Legal obligation, to comply with applicable law.
- Consent, for optional communications or non-essential cookies, where required; you may withdraw it at any time.
Subprocessors
We use a small set of vetted subprocessors for cloud hosting, database, email, and analytics. Each is bound by data-protection terms consistent with this policy and our DPA. A current list is available to customers on request, and we provide notice of material changes so you can object where your agreement allows.
International transfers
We may process information in countries other than your own, including the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and equivalent UK and Swiss mechanisms.
Data retention
We retain personal data only as long as needed to provide the service, meet legal, accounting, or reporting obligations, and resolve disputes, then we delete or anonymize it. Signed receipts and the verification ledger may be retained for the period you configure for audit purposes.
Security
We encrypt data in transit (TLS 1.2+) and at rest, apply least-privilege access controls, keep system-of-record credentials scoped and revocable, and sign receipts so tampering is detectable. See Security for more. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
Your rights
Depending on where you live, you may have the right to:
- access, correct, or delete your personal data;
- port your data to another provider;
- object to or restrict certain processing;
- withdraw consent; and
- lodge a complaint with your supervisory authority.
To exercise any of these, email privacy@postcept.com. We will verify your request and respond within the time required by applicable law.
U.S. state privacy rights
If you are a California resident (or in a state with comparable law), you may have the right to know, access, correct, and delete personal information, and to opt out of its “sale” or “sharing.” We do not sell or share personal information as those terms are defined. You may exercise your rights using the contact above, and you will not be discriminated against for doing so.
Children
Postcept is a business product not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
Changes to this policy
We may update this policy as the product and our practices evolve. We will revise the “last updated” date and, for material changes, provide a more prominent notice.
Contact
Questions or requests? Email privacy@postcept.com or reach us via contact.