Privacy Policy
Last updated: 16 May 2026
1. Data controller
The data controller for personal data processed through SherpaPost is Clarity and Confidence Academy Ltd, EIK 205736702, VAT BG205736702, 25, Kniaz Dondukov Korsakov Street, 5000 Veliko Turnovo, Bulgaria. Contact for privacy matters: privacy@sherpapost.app.
2. What we collect
• Account data — email address, authentication identifiers, and (if you sign in with Google) your name and profile picture as provided by Google.
• Profile data — display name, username, and avatar you set in the dashboard.
• Content — text, images and video you upload to create drafts and previews.
• Usage data — request logs, error logs, AI-enhance usage counters, and approximate device/browser information needed to operate and secure the service.
• Billing data — handled by Stripe; we receive subscription status and limited metadata, not full card details.
3. Legal bases (GDPR)
We process your data under the following legal bases:
• Contract — to provide the service you signed up for (account, drafts, previews, billing).
• Legitimate interests — to keep SherpaPost secure, prevent abuse, debug issues, and improve the product.
• Consent — for optional analytics or marketing cookies, where applicable. You can withdraw consent at any time.
• Legal obligation — to comply with tax, accounting, and other laws.
4. How we use AI
When you use AI enhance, your post text is sent to the Lovable AI Gateway, which routes the request to a third-party AI provider (currently Google or OpenAI models). We do not use your prompts or content to train models. Providers may briefly process the request to generate a response. Don’t submit content you’re not comfortable sending to an AI provider.
5. Sharing with processors
We share personal data only with processors that help us run SherpaPost, under data processing agreements:
• Supabase (database, authentication, file storage) — EU region where possible.
• Cloudflare (hosting, CDN, edge runtime).
• Stripe (payments and billing).
• Lovable AI Gateway and underlying providers (Google, OpenAI) for AI enhance.
We do not sell your personal data.
6. International transfers
Some processors are based outside the EU/EEA. Where personal data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and provider-specific Data Processing Addenda.
7. How long we keep data
• Account and profile data: kept while your account is active.
• Drafts and uploaded media: kept until you delete them or close your account.
• Billing records: kept for the period required by tax law (typically up to 10 years in Bulgaria).
• Logs: kept for a short retention window for security and debugging (typically up to 90 days).
When you delete your account, we delete or anonymize your personal data within a reasonable period, except where law requires us to retain it.
8. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw any consent you have given. You can exercise most of these rights from your account, or by contacting privacy@sherpapost.app. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or the supervisory authority in your EU country.
9. Security
We use industry-standard measures including TLS encryption in transit, encryption at rest, role-based access controls, and database-level row-level security to protect your data. No system is perfectly secure; please use a strong, unique password.
10. Children
SherpaPost is not directed at children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes
We may update this policy from time to time. We will post the updated version here and adjust the “last updated” date. Material changes will be communicated in-app or by email where appropriate.