Data Processing Addendum
When you process personal data of your audience through Postpilot, we act as your processor under Art. 28 GDPR. This page summarises the Auftragsverarbeitungsvertrag (AVV); a signed PDF is available on request.
Last updated · 11 May 2026
Placeholder — legal entity registration in progress. Final text reviewed by counsel before public launch.
Subject and duration
Postpilot processes the personal data you submit (post content, comments, DMs) for the duration of your subscription, solely to deliver the contracted services.
Nature and purpose
Scheduling, publishing, analytics, inbox replies, AI-assisted caption drafting. No further processing.
Sub-processors
OpenAI (zero-retention agreement, EU residency where available), GitHub Copilot Pro (same), Hetzner Online GmbH (hosting). No US-based marketing or analytics processors.
Security
Encryption in transit (TLS 1.3) and at rest (AES-256). Quarterly security review. Personnel signed to confidentiality. Incident response process with 72-hour breach notification.
Audits
On request and with reasonable notice, you may audit Postpilot's compliance with this DPA at your own cost, no more than once per year.
Deletion on termination
On contract end, your personal data is deleted within 30 days unless legal retention obligations require otherwise. Confirmation provided on request.