1. Introduction

This Privacy Policy explains how Arqia Inc. ("PostAuth", "we", "us", or "our") collects, uses, shares, and protects personal information when you use PostAuth, including our website, applications, integrations, APIs, demos, trials, and related services (collectively, the "Service").

This Policy applies to information we process for our own business purposes, such as website visitors, account users, prospects, and customers. When a customer uses PostAuth to sync, store, classify, message, or otherwise process data about its own users or contacts ("Customer Data"), we generally process that Customer Data as a processor or service provider on behalf of that customer. In that case, the customer's own privacy policy and instructions govern how the Customer Data is collected and used.

If you are an end user of one of our customers and have questions about your data, please contact that customer first.

2. Information We Collect

The information we collect depends on how you interact with PostAuth and which features are used.

Account and contact information

We may collect your name, email address, organization, role, team size, product stage, authentication provider, demo requests, onboarding responses, feedback, support requests, and any information you submit through forms, onboarding, demos, or direct communications.

Customer Data and synced product data

If you or your organization uses the Service, we may process Customer Data that you provide or authorize us to receive from Connected Services. This may include:

• SaaS user profiles, identifiers, emails, names, avatars, organization or company information, and account metadata.
• Authentication provider data, such as signups, sign-ins, profile updates, webhooks, user lifecycle events, and provider IDs from systems such as Clerk, Supabase, Better Auth, Firebase, Auth.js, or similar tools.
• Activity signals, lifecycle stage, engagement status, notes, tags, interaction history, outreach history, and custom fields.
• Imported records, manually entered notes, files, or other information you choose to add to the Service.

Email and messaging data

If email or messaging features are used, we may process mailbox identifiers, connected account metadata, OAuth grants or access tokens, message content, drafts, recipients, subject lines, headers, attachments, delivery status, bounce or complaint events, replies, unsubscribe status, opens, clicks, and other message interaction metadata.

Usage, device, analytics, and attribution data

We may collect information about how you access and use the Service, including IP address or hashed IP address, user agent, browser, device, operating system, pages viewed, buttons clicked, referrers, UTM parameters, ad identifiers such as gclid or fbclid, approximate location, feature usage, error logs, session activity, and similar analytics events.

We use cookies, local storage, session storage, pixels, and similar technologies to support attribution, analytics, user preferences, security, and product improvement. Our website and app may use services such as PostHog, Google Analytics, Google Tag Manager, and Crisp.

Payment and billing information

If paid features are offered, we or our payment processor or merchant of record may collect billing contact information, plan details, tax information, transaction history, and payment status. We do not intend to store full payment card numbers on our own systems.

Information from third parties

We may receive information from service providers, business partners, analytics providers, advertising platforms, payment providers, support tools, and Connected Services you authorize.

3. How We Use Information

We use information to:

• Provide, operate, secure, maintain, and improve the Service.
• Create accounts, manage authentication, and administer workspaces.
• Sync users from connected authentication providers and other integrations.
• Classify users into lifecycle stages and show activity, notes, history, and next actions.
• Send, prepare, track, or manage lifecycle messages where you authorize those features.
• Run demos, trials, onboarding, product research, and customer communications.
• Respond to questions, provide support, and troubleshoot issues.
• Analyze website, campaign, and product performance.
• Personalize the Service and improve product quality.
• Send transactional, security, administrative, legal, and account-related notices.
• Send marketing communications, product updates, educational content, and offers, where permitted.
• Detect, prevent, and investigate fraud, abuse, security incidents, spam, deliverability issues, and violations of our Terms.
• Comply with law, enforce our agreements, resolve disputes, and protect rights, property, and safety.

4. Legal Bases for Processing

If you are located in the EEA, United Kingdom, Switzerland, or another region that requires a legal basis for processing, we may process personal information based on:

• Performance of a contract, including providing the Service and related support.
• Legitimate interests, including securing, improving, and marketing the Service, preventing abuse, and understanding usage.
• Consent, including for certain marketing, cookies, optional feedback, or connected integrations where consent is required.
• Legal obligations, including tax, accounting, security, compliance, and lawful requests.

Where we process Customer Data as a processor or service provider, our customer's legal basis and instructions usually control that processing.

5. How We Share Information

We do not sell personal information in the traditional sense of exchanging it for money. We may share information as described below:

• Service providers and subprocessors. We may share information with vendors that help us provide hosting, databases, infrastructure, analytics, email, support, customer messaging, payments, security, monitoring, and other business operations. These may include services such as Supabase, PostHog, Google Analytics, Google Tag Manager, Crisp, Resend, and payment providers.
• Connected Services at your direction. When you connect or configure an integration, we may send or receive information through that provider as needed for the Service.
• Legal and safety. We may disclose information if we believe it is required by law, legal process, or a reasonable request from authorities, or if needed to protect PostAuth, customers, users, or others.
• Business transfers. We may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.
• Affiliates and advisors. We may share information with affiliates, professional advisors, auditors, insurers, and legal counsel.
• Aggregated or deidentified data. We may share information that does not reasonably identify you, your organization, or any individual.
• With your consent. We may share information when you authorize or request it.

6. Cookies, Analytics, and Tracking

We use cookies and similar technologies to operate the Service, remember preferences, measure traffic, understand campaign performance, attribute signups, detect abuse, improve the product, and support chat or help experiences.

You can control cookies through your browser settings. Blocking cookies or storage may affect some features. Marketing emails may include pixels or links that help us understand whether messages were opened or clicked.

7. Marketing Communications

We may use email addresses collected through account registration, onboarding, forms, demos, support, newsletters, or other interactions to send product news, educational content, offers, and other marketing communications.

You can opt out of marketing emails at any time by using the unsubscribe link in the email or contacting team@postauth.app. We may still send transactional, service, security, legal, unsubscribe, or account-related messages.

8. Customer Data, Processor Role, and Data Processing Addendum

For Customer Data that customers submit to or sync with PostAuth, the customer is generally the controller or business and PostAuth is generally the processor or service provider. We process Customer Data to provide the Service, follow customer instructions, support and secure the Service, comply with law, and as described in the applicable agreement.

If a data processing addendum ("DPA") is required, it must be separately executed or incorporated by an order form or other written agreement before it applies.

9. Data Retention

We retain personal information for as long as needed to provide the Service, maintain your account, run demos, trials, onboarding, product research, comply with legal obligations, resolve disputes, enforce agreements, preserve security, and support legitimate business needs.

Examples:

• Demo, trial, onboarding, and feedback data may be retained for product research, outreach, customer development, and support unless deletion is requested or another lawful basis applies.
• Connected account tokens, OAuth grants, and mailbox metadata are retained while the integration remains connected or as needed to complete disconnection, security, backup, or legal processes.
• Customer Data is retained according to account settings, customer instructions, backup practices, and any separate written agreement.
• Analytics, logs, and security records may be retained for a limited period needed for measurement, abuse prevention, debugging, and compliance.

When we delete information, it may remain in backups or logs for a limited time before being overwritten or deleted under normal retention cycles.

10. Security

We use reasonable administrative, technical, and organizational measures designed to protect information, including access controls, encryption in transit, encryption at rest where appropriate, and operational safeguards. Sensitive credentials such as OAuth grants should be encrypted or protected in our systems.

No method of transmission or storage is completely secure. We cannot guarantee absolute security.

11. International Transfers

We and our service providers may process information in the United States, South Korea, and other countries where we or our providers operate. These countries may have data protection laws that differ from those in your jurisdiction. Where required, we use appropriate safeguards for international transfers.

12. Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information. You may also have rights to withdraw consent, opt out of certain marketing, or appeal a denied request.

To exercise rights relating to information PostAuth controls, contact team@postauth.app. We may need to verify your identity before fulfilling a request.

If your request concerns Customer Data processed on behalf of a PostAuth customer, we may direct you to that customer or handle the request according to the customer's instructions.

13. Children

The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from children under 13, or under a higher age where applicable law requires parental consent. If you believe a child has provided personal information to us, contact team@postauth.app.

14. Third-Party Services

The Service may link to or integrate with third-party websites, products, APIs, and services. Their privacy practices are governed by their own policies, not this Privacy Policy. You should review those policies before connecting or using third-party services.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting the updated Policy, changing the effective date, emailing you, or using another reasonable method. Your continued use of the Service after the updated Policy takes effect means you accept the updated Policy.

16. Contact

For privacy questions or requests, contact us at team@postauth.app.