Privacy Policy

Privacy Information pursuant to Art. 13, 14 GDPR

Effective: November 2025

We, JRS Content Solutions UG (haftungsbeschränkt) ("we"), inform you about the processing of personal data when visiting and using postel.app and our services (the "Website", the "Service").


A. Controller

JRS Content Solutions UG (haftungsbeschränkt)
c/o Robin Sadeghpour Faraj, Bernauer Str. 65, 13507 Berlin, Germany
Email: contact@postel.app
(Further information in the Imprint.)
Data Protection Officer: not appointed.


B. Purposes, Data Types, Legal Bases

We process data only to the extent necessary:

1. Website Provision & Security (Hosting/Logs)
Data: IP address, date/time, URL/referrer, user agent, status codes, error logs
Legal bases: Art. 6(1)(f) GDPR (operation/security); § 25(2) No. 2 TTDSG (technically necessary)

2. Consent Management (Cookie/Storage Consents)
Data: consent status, timestamp, if applicable anonymous ID
Legal bases: Art. 6(1)(c) GDPR (proof), Art. 6(1)(f) GDPR; § 25 TTDSG

3. Product Analytics / Web Analytics (only with consent)
Data: pseudonymous IDs, events, page views, device/browser, if applicable IP (truncated)
Tool: PostHog
Legal bases: Art. 6(1)(a) GDPR; § 25(1) TTDSG (opt-in)
Note: PostHog is not loaded until consent is given.

4. Registration & Login (Account Management)
Data: email, name (optional), login status, technical tokens
Tools: Google OAuth, X (Twitter) OAuth
Legal bases: Art. 6(1)(b) GDPR (contract/initiation); § 25(2) No. 2 TTDSG (necessary)

5. Service Use / Data Storage
Data: profile data, content/meta and usage data in Postel (depending on feature), technical telemetry
Tool/Infra: Supabase (DB/Storage; preferred EU region)
Legal bases: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (operation/error analysis)

6. Payment Processing & Billing
Data: billing/payment data (e.g., name, email, address, transaction data), status
Tool: Stripe (Stripe Payments Europe + affiliated Stripe companies)
Legal bases: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (retention under German Commercial Code/Tax Code)

7. Customer Communication / Product Emails / Newsletter
Data: email, name (optional), DOI protocol, opens/clicks (tracking pixel/link ID)
Tool: customer.io
Legal bases: Art. 6(1)(a) GDPR (newsletter/product emails with consent); Art. 6(1)(b) GDPR (transactional emails)

8. Prompt/Event Telemetry (Quality & Error Analysis)
Data: pseudonymous/technical usage and performance data; if applicable minimized prompt/response metadata
Tool: Langfuse
Legal bases: Art. 6(1)(f) GDPR (quality assurance/debugging); where data relates to an identifiable person, data minimization/redaction is applied

9. Support & Inquiries
Data: content of your inquiry, contact data, timestamp
Legal bases: Art. 6(1)(b) GDPR (response/contract), Art. 6(1)(f) GDPR (service quality)

10. Social / Community
Discord (Link/Community): When accessing, Discord's privacy policy applies; processing there is independent.
Legal bases: Art. 6(1)(f) GDPR (interaction/community); tracking only according to their terms

No automated decision-making within the meaning of Art. 22 GDPR and no profiling beyond what is necessary.


C. Recipients / Data Processors

We engage service providers pursuant to Art. 28 GDPR (data processing) and enter into DPAs:

  • Hosting/Frontend: Vercel Inc. – Rendering/Edge/Logs (EU/USA locations)
  • Database/Storage: Supabase – Data storage (preferred EU region)
  • Payments/Billing: Stripe – Payment, invoices
  • Email/CRM: customer.io – Newsletter, product emails, DOI, segmentation
  • Analytics: PostHog – Product/web analytics (only after consent)
  • Prompt/Telemetry: Langfuse – Quality/error analysis of technical events
  • Auth: Google OAuth, X (Twitter) OAuth – Authentication/identity verification
  • Static Website/Assets: Vercel (see above)

A current provider list with links to Privacy/DPA/SCC is available at https://postel.app/privacy/vendors.


D. Third-Country Transfers (Art. 44 et seq. GDPR)

For providers outside the EEA (in particular USA), we use EU Standard Contractual Clauses (SCCs) and prefer EU locations. Additionally, we implement technical/organizational measures (e.g., encryption, access controls, data minimization). Copies of essential guarantees are provided upon request.


E. Storage Period

  • Server logs: 7–30 days (security/error analysis)
  • Consent protocols: up to 24 months (proof)
  • Contract/payment data: 6–10 years (German Commercial Code/Tax Code)
  • Newsletter/CRM data: until withdrawal/unsubscription; DOI proof up to 3 years
  • Account/usage data: until deletion of account or purpose ceases + legal obligations
  • Langfuse/telemetry data: short, purpose-bound cycles (debug/quality), then deletion/anonymization

F. Cookies & Similar Technologies (TTDSG)

  • Necessary (operation, security, login): permissible without consent (§ 25(2) No. 2 TTDSG).
  • Comfort/Analytics/Marketing: only with consent (§ 25(1) TTDSG, Art. 6(1)(a) GDPR).

You can withdraw consents at any time in the cookie banner/preference center.


G. Newsletter & Product Emails

Double opt-in, logging of consents; success measurement (opens/clicks) only based on your consent. Unsubscribe at any time via link in footer or by email to contact@postel.app.


H. Social Media / External Links

Our website contains links to profiles/third-party sites (e.g., Discord, LinkedIn, X). When accessing, the privacy policies of the respective providers apply. We do not embed social plugins without consent.


I. Minors

Our offering is not directed at children. Minimum age for accounts/consents is determined by Art. 8 GDPR in conjunction with national law (Germany: 16 years).


J. Your Rights (Art. 15–22 GDPR)

You have – subject to the legal requirements – the right to information, rectification, erasure, restriction, data portability, objection, and withdrawal of consents given (for the future).

Contact: contact@postel.app
Right to lodge a complaint: e.g., Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin, mailbox@datenschutz-berlin.de


K. Data Security

We implement appropriate technical and organizational measures (TLS, encryption of data at rest where possible, role/rights management, hardening/monitoring, backups, least-privilege, need-to-know).


L. Changes

We update this information as needed. The current version is always available at https://postel.app/privacy.


M. Obligation to Provide Data (Art. 13(2)(e) GDPR)

For registration, contract performance, and payments, certain information is required (e.g., email, if applicable name, billing and payment data). Without this data, no account can be set up, no contract can be concluded, and no service can be provided.


N. Third-Party Data Sources (Art. 14 GDPR – OAuth)

When you register via Google or X (Twitter), the respective provider – after your consent in the dialog there – transmits to us profile data (at least email; if applicable name/profile picture). We use this data exclusively to create your account or enable login (Art. 6(1)(b) GDPR). Further information is available in the consent dialog and in the privacy policies of the respective providers.