Privacy Policy

1. Who we are

velociPost is a product of GroRevOps, LLC ("GroRevOps," "we," "us," or "our"), operating under the trade name velociPost. We operate the website velocipost.com and the velociPost platform. Our primary contact email is privacy@velocipost.com.

2. Information we collect

Account information. When you sign up, we collect your name, email address, and password (stored hashed — we never store plaintext passwords).

Business information. During onboarding, you provide information about your business — industry, tone of voice, topics, and content preferences. This information is used solely to generate content on your behalf.

Social media account access. When you connect a social media platform (Facebook, Instagram, LinkedIn, TikTok, YouTube), we receive and store OAuth access tokens that allow us to post on your behalf. We store these tokens encrypted using Supabase Vault (pgsodium encryption). We access your social media accounts only to perform actions you have authorized — publishing posts, reading engagement data, and managing replies.

Content data. We store the posts we generate and publish on your behalf, including text, images, and scheduling metadata.

Engagement data. For Plans B and C, we collect comments and engagement data from your connected social media accounts to power the engagement inbox and AI reply features.

Usage data. We collect standard usage and analytics data (pages visited, features used, session duration) to improve the product. This is collected via Vercel Analytics and similar tools.

Payment information. Billing is handled by Stripe. We do not store credit card numbers. We receive and store only non-sensitive billing metadata (plan type, billing status).

Communications. If you contact us via email, we retain that correspondence.

3. How we use your information

• To create and manage your velociPost account
• To generate, schedule, and publish social media content on your behalf
• To operate the engagement inbox and draft AI-assisted replies
• To provide performance insights and analytics
• To send transactional emails (post approvals, billing receipts, system alerts)
• To improve the product through aggregate, anonymized usage analysis
• To comply with legal obligations

We do not sell your personal data. We do not use your content or business information to train AI models for purposes other than generating content for your own account.

4. Third-party platform access

velociPost accesses your social media accounts using official APIs provided by Meta (Facebook and Instagram), LinkedIn, Google (YouTube), and TikTok. The specific permissions we request are:

• Facebook / Instagram: Read and manage pages, publish content, read engagement and insights
• LinkedIn: Publish posts on your behalf (personal profile and/or organization page)
• YouTube: Upload and manage videos on your behalf (Velocity plan only)
• TikTok: Publish video content on your behalf

We request only the permissions necessary to provide the service. You can revoke access at any time via the Settings page in your velociPost dashboard, or directly through the platform's own settings (e.g., Facebook's App Settings).

5. Data sharing and disclosure

We share your data only in the following limited circumstances:

• Service providers: We use Supabase (database and storage), Vercel (hosting), Stripe (billing), Anthropic (AI content generation), Resend (transactional email), and Inngest (background job processing). Each provider is bound by a data processing agreement.
• Legal requirements: We may disclose information if required by law, court order, or to protect the rights and safety of GroRevOps, LLC or its users.
• Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you via email before any such transfer occurs.

We do not share your social media content, business data, or personal information with advertisers or data brokers.

6. Data retention

We retain your account data for as long as your account is active. If you cancel your account, we delete your personal data within 30 days, except where we are required to retain it for legal or billing purposes (typically 7 years for financial records).

Social media OAuth tokens are deleted immediately upon disconnecting a platform or deleting your account.

7. Your rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the data we hold about you
• Correction: Request that we correct inaccurate data
• Deletion: Request that we delete your personal data ("right to be forgotten")
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to certain uses of your data
• Withdrawal of consent: Disconnect any social media platform at any time

To exercise any of these rights, email us at privacy@velocipost.com or use the data deletion request page at velocipost.com/data-deletion.

We will respond to all requests within 30 days.

8. Meta platform data deletion

If you connected Facebook or Instagram and wish to have your data deleted, you can submit a request at velocipost.com/data-deletion. We will delete all data associated with your Meta-connected account within 30 days and send you a confirmation.

This process covers all data we received via the Meta Graph API, including page access tokens, profile information, and engagement data.

9. Security

We take security seriously. OAuth tokens are stored encrypted using Supabase Vault (pgsodium). Passwords are hashed using bcrypt. All data is transmitted over TLS. We conduct regular security reviews and do not store plaintext credentials of any kind.

Despite these measures, no system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@velocipost.com.

10. Cookies and tracking

We use essential cookies to maintain your login session. We may use analytics cookies (Vercel Analytics) to understand how the product is used. We do not use advertising or tracking cookies. You can disable cookies in your browser settings, though this may affect functionality.

11. Children's privacy

velociPost is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us at privacy@velocipost.com and we will delete it promptly.

12. International data transfers

GroRevOps, LLC is based in the United States. Our infrastructure (Supabase, Vercel) is hosted in the United States. If you are located in the European Economic Area, UK, or elsewhere, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and other appropriate safeguards for such transfers.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) at least 14 days before the changes take effect. The current version will always be available at velocipost.com/privacy.