© 2026 Ekhopost. Post once. Echo everywhere. hello@ekhopost.com

Privacy Policy

What we collect, why we collect it, who we share it with, and the rights you have over your data under the DPDP Act.

Effective: April 2026
Last updated: 18 April 2026
Governing law: India

At Ekhopost (“we”, “us”, “our”), we treat your data with the care you’d give your own brand. This Privacy Policy explains what personal data we collect when you use ekhopost.com and the Ekhopost app, how we use it, who we share it with, how long we keep it, and the rights you have under the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). It applies to the Ekhopost AI social‑posting platform that turns a rough idea into on‑brand posts for LinkedIn, Instagram, Facebook, and X.

Statutory basis. This Privacy Policy is an electronic record under the Information Technology Act, 2000 and the DPDP Act, 2023. No physical or digital signature is required. It should be read together with our Terms & Conditions.

Contents

  • 01 Who we are
  • 02 The data we collect
  • 03 How we collect it
  • 04 Why we process your data
  • 05 AI processing and model training
  • 06 Who we share data with
  • 07 International transfers
  • 08 Cookies and similar technologies
  • 09 How long we keep your data
  • 10 How we protect your data
  • 11 Your rights under the DPDP Act
  • 12 Children’s data
  • 13 Automated decisions and profiling
  • 14 Links to other services
  • 15 Grievance officer
  • 16 Changes to this policy

01

Who we are

Ekhopost is the data fiduciary for personal data processed through the Service. If you have a question about this policy or your data, write to us at hello@ekhopost.com.

Our registered office is in Noida, Uttar Pradesh, India.

02

The data we collect

We collect only what we need to run Ekhopost for you. That includes:

  • Account data — your name, email, optional mobile number, password hash (we never see your password), and the sign‑in provider you used (Google, Apple, email).
  • Brand library — your logo, colour palette, voice/tone description, saved product photos, and brand hashtag.
  • Content you create — the prompts you write, drafts the AI generates for you, edits you make, captions, images, and the times you schedule posts for.
  • Connected social accounts — OAuth access tokens and basic public profile data for LinkedIn, Instagram, Facebook, and X, plus the metadata those platforms return about posts we publish on your behalf.
  • Payment data — processed by our gateway, Razorpay. We receive a transaction status and the last four digits of your card; we never see your full card number or CVV.
  • Usage & technical data — IP address, browser, device, pages visited, and actions taken inside the app, used to operate the Service and prevent abuse.
  • Support correspondence — anything you tell us via email, chat, or a support form.

03

How we collect it

We collect data in three ways:

  • Directly from you — when you sign up, fill in your brand library, write prompts, or contact support.
  • From authorised third parties — profile and permission data returned by LinkedIn, Instagram, Facebook, or X when you connect an account, and payment status from Razorpay when you buy a plan.
  • Automatically — cookies, server logs, and performance telemetry generated as you use the Service.

04

Why we process your data

Under the DPDP Act, we process personal data either with your consent or because processing is necessary for a lawful purpose (for example, performing our contract with you or meeting a legal obligation). The specific purposes are:

  • Operating the Service — authenticating you, saving your brand library, generating posts and images, scheduling, and publishing. Basis: consent and performance of contract.
  • Authenticating to social platforms — maintaining the OAuth connection so we can publish on your behalf. Basis: consent.
  • Billing and tax — charging your plan, issuing GST invoices, handling refunds. Basis: performance of contract and legal obligation.
  • Security and fraud prevention — detecting account takeover, payment fraud, abusive sessions, and rate‑limit abuse. Basis: legitimate uses under the DPDP Act and our legal obligations.
  • Service communications — sending transactional emails like receipts, password resets, and trial reminders. Basis: performance of contract.
  • Product improvement — using aggregated, de‑identified telemetry to improve reliability and performance. Basis: legitimate uses.
  • Marketing — sending updates, tips, and offers. Basis: separate, revocable opt‑in.
  • Legal compliance — responding to lawful requests and meeting retention obligations. Basis: legal obligation.

05

AI processing and model training

The heart of Ekhopost is AI that reads your prompt and your brand library and returns drafts and images. We want you to know exactly what happens when that runs.

  • Prompts you write and the brand assets they reference are sent to our AI sub‑processors so they can generate drafts for you. The output is returned and stored in your Ekhopost workspace.
  • We do not allow our AI sub‑processors to train their foundation models on your prompts, brand assets, or generated output. This is reflected in our contracts with them.
  • We do not train our own models on your prompts, brand assets, or generated output.
  • We may use aggregated, de‑identified telemetry (for example, average generations per user, error rates) to improve the Service. This data does not identify you or your brand.
  • If we ever introduce an optional programme that uses your content to improve models, it will be opt‑in only, clearly announced, and you will be able to withdraw at any time.

06

Who we share data with

We do not sell your personal data. We share it only with the partners that make the Service work, and only for the purposes listed in Clause 4:

  • AI sub‑processors — to generate drafts and images from your prompts and brand assets.
  • Social platforms — LinkedIn, Instagram, Facebook, X — to publish on your behalf when you ask us to.
  • Razorpay — to process payments and handle e‑mandate auto‑renewals in line with RBI rules.
  • Cloud infrastructure and hosting providers — to run the Service reliably.
  • Communications tools — to send transactional and, if you opt in, marketing emails.
  • Error tracking and analytics — strictly‑necessary error tracking runs without personal identifiers; analytics is only enabled after you give consent via the cookie banner.
  • Regulators and law enforcement — when we are legally required to share information.

We will provide a current list of sub‑processors on request to hello@ekhopost.com.

07

International transfers

Some of our sub‑processors may store or process data outside India. Where that happens, we rely on the transfer mechanisms permitted under the DPDP Act and the notifications issued under it, and we maintain contractual safeguards with those partners.

08

Cookies and similar technologies

We use a small number of cookies:

  • Strictly necessary cookies — required to keep you logged in, complete payments, and protect your session. These are always on.
  • Preference cookies — remember settings like your last open brand or theme.
  • Analytics cookies — help us understand which features are used and where the app is slow. These only run after you give consent via the cookie banner.

We do not use cross‑site advertising cookies. You can change your choices at any time from the cookie banner or from your browser settings.

09

How long we keep your data

We keep personal data only as long as we need to. Typical retention periods are:

  • Account data — while your account is active, plus 90 days after closure for billing and fraud‑dispute purposes.
  • Brand library and generated content — while your account is active, plus 30 days after closure, after which it is permanently deleted. You can request immediate deletion at any time.
  • Billing and tax records — retained for the minimum period required by Indian tax law (currently 8 years).
  • Server logs — up to 90 days.
  • Support correspondence — up to 2 years.

Where a longer retention period is required by law or necessary for an active legal claim, we will keep the relevant data only for as long as that need lasts.

10

How we protect your data

We take reasonable and appropriate technical and organisational measures to keep your data safe. These include encryption in transit (TLS) and at rest, least‑privilege access controls, audit logging, security monitoring, and vendor due diligence on our sub‑processors.

If a personal data breach affecting you occurs and it is notifiable under the DPDP Act, we will notify you and the Data Protection Board of India within the timelines the law requires.

11

Your rights under the DPDP Act

Under the DPDP Act, you have the following rights over your personal data:

  • Right to a summary — a list of the personal data we process about you and the sub‑processors we share it with.
  • Right to correction and erasure — correct or complete inaccurate data, or erase data we no longer need.
  • Right to withdraw consent — withdraw any consent you gave us; withdrawal applies going forward and does not affect processing that already took place.
  • Right to grievance redressal — raise a complaint with our Grievance Officer (see Clause 15).
  • Right to nominate — name another person to exercise your rights on your behalf in the event of your death or incapacity.

You can exercise most of these rights directly from account settings. For anything you can’t do in the app, write to hello@ekhopost.com. We respond within 30 days, and usually much sooner.

12

Children’s data

Ekhopost is not offered to people under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, write to hello@ekhopost.com and we will delete it.

13

Automated decisions and profiling

We do not make fully automated decisions about you that have legal or similarly significant effects. Signals used for rate limiting, fraud scoring, and abuse detection are reviewed by a human before any action is taken against your account.

14

Links to other services

The Service links out to LinkedIn, Instagram, Facebook, X, Razorpay, and other third parties. Their own privacy policies govern how they process your data when you interact with them. We are not responsible for their practices.

15

Grievance officer

In line with the DPDP Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, our Grievance Officer is:

  • Name: Suhavi Sunderlal
  • Email: hello@ekhopost.com
  • Response timeline: resolution within 7 days.

16

Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by an in‑product banner at least 7 days before they take effect. Continued use of the Service after that date means you accept the updated policy.

Questions or requests

To exercise a DPDP right, raise a grievance, or ask anything about how your data is handled, write to hello@ekhopost.com.

Registered office: Noida, Uttar Pradesh, India.

See also our Terms & Conditions.