Privacy Policy

Last updated: 28 April 2026

This Privacy Policy explains how GuestPostFlow ("we", "us", "our") collects, uses, and shares information when you use our service ("the Service"). We aim to keep this short and concrete — no dark patterns, no buried surprises.

1. Who we are

GuestPostFlow operates a self-serve portal for managing and delivering guest-post placements. For questions about this policy or to exercise your rights under applicable data-protection law, contact us at hello@guestpostflow.com.

2. Information we collect

Account information. When you sign up, we collect your name, email address, and authentication credentials (passwords are hashed; we never see them in plain text).

Content you submit. Drafts you write in the editor, billing details (company, contact, address, VAT number), and uploaded images are stored so we can render them, generate invoices, and publish content to WordPress sites you connect.

Payment information. Card and bank details are processed directly by Stripe and PayPal — we never touch raw card numbers. We retain transaction metadata (amount, status, last-four digits, payment-provider reference) for accounting, reconciliation, and support.

Operational logs. We collect basic logs (IP address, user agent, request paths, error traces) to operate, debug, and secure the Service. These are rotated and not used for advertising.

3. How we use information

  • To provide, maintain, and improve the Service.
  • To process payments and issue compliant invoices (including EU VAT).
  • To send transactional email — link issued, content received, payment reminders, receipts, password resets. We don't send marketing email without your explicit consent.
  • To detect and prevent fraud, abuse, or breach of our Terms.
  • To comply with legal obligations (tax, accounting, lawful requests).

4. Subprocessors we share data with

We share information with third-party providers strictly as necessary to operate the Service. We don't sell or rent personal information.

  • Convex — application database, serverless functions, file storage.
  • Stripe — card payments and webhook delivery.
  • PayPal — alternative payment method.
  • Resend — transactional email delivery.
  • Cloudflare — hosting, edge delivery, and DDoS protection.
  • WordPress sites you connect — when you publish a post, the content, images, and metadata are sent to the WordPress site you've configured, using the credentials you provide.
  • EU VIES service (operated by the European Commission) — for validating EU VAT numbers when buyers submit them.

We may also share information when required by law, to enforce our Terms, or to protect our or others' rights, property, or safety.

5. Cookies and tracking

We use cookies that are strictly necessary for authentication and session management. We don't use third-party advertising or behavioural-tracking cookies, and the Service does not embed analytics tags that build cross-site profiles.

6. Data retention

We retain account and content data for as long as your account is active. After account closure, we retain transaction records (payments, invoices, billing snapshots) for the period required by tax and accounting law — typically seven years in the EU. Operational logs are retained for up to 90 days. You can request earlier deletion to the extent permitted by law (see "Your rights" below).

7. Your rights

If you're located in the European Economic Area, the United Kingdom, or another region with comparable data-protection law, you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request deletion of your data, subject to retention obligations;
  • restrict or object to certain processing;
  • receive your data in a portable, machine-readable format;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with your local data-protection authority.

To exercise any of these rights, email hello@guestpostflow.com. We'll respond within the timelines required by applicable law (typically one month).

8. Security

We use industry-standard practices to protect your data, including TLS in transit, encryption at rest for sensitive credentials (such as connected WordPress application passwords, encrypted with AES-GCM), role-based access controls, and audit logs for sensitive operations. No system is perfectly secure; if we ever suffer a breach affecting your data, we'll notify you and the relevant authorities as required by law.

9. International data transfers

Some of our subprocessors operate infrastructure outside the EEA / UK. Where personal data is transferred internationally, we rely on appropriate safeguards — in particular Standard Contractual Clauses (SCCs) — to ensure the data continues to receive a level of protection comparable to that of the EEA / UK.

10. Children's privacy

The Service is not directed at children under 16, and we don't knowingly collect personal data from children. If you believe a child has provided personal data without parental consent, contact us and we'll delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or through the Service. The "Last updated" date at the top of this page reflects the latest revision.

12. Contact

Privacy questions, data-rights requests, or anything else about how we handle your data — email hello@guestpostflow.com.