Postrider

Privacy Policy

Last updated: May 27, 2026

This Privacy Policy explains what information Postrider ("we", "us") collects, how we use it, and the choices you have. It applies to the Postrider portal and website.

Information we collect

  • Account data — your email address, display name, role, and (for staff) organization membership.
  • Authentication data — a salted Argon2id hash of your password (we never store your password), and, if enabled, an encrypted two-factor secret.
  • Content — the messages and documents you send or receive, stored encrypted at rest. End-to-end encrypted items can only be decrypted by you and your counterparty; we cannot read them.
  • Usage and security logs — an audit trail of access, sends, and downloads, including IP address and browser user-agent, kept for security and compliance.

How we use information

We use your information to operate the Service: to authenticate you, deliver notifications about waiting messages, store and transmit your content securely, enforce rate limits and security controls, and maintain an audit trail. We do not sell your personal information.

Email notifications

We send email only to notify you that content is waiting, for account actions (such as invitations, recovery, and read receipts), and for operational announcements. Confidential message and document content is never included in email.

Encryption

All content is encrypted at rest using AES-256-GCM. Documents are stored on access-controlled storage. For end-to-end items, encryption and decryption happen in your browser and the server holds only ciphertext.

Data retention

Messages and documents persist until deleted by a party or by an optional auto-expiry you set. Organizations may place a legal hold that prevents deletion of their records. Audit logs are retained for security and compliance purposes.

Your rights

You can access and update your profile, and from your account settings you can:

  • Export your data — download a copy of your profile and the messages and documents you are a party to.
  • Delete your account — erase your personal details and keys. Your counterparty keeps their own copy of shared items. Deletion is blocked while your organization is under a legal hold.

Depending on your jurisdiction (e.g. the GDPR or CCPA), you may have additional rights; contact us to exercise them.

Data processors

We use service providers to operate Postrider, which may include cloud hosting, an email delivery provider (e.g. Microsoft 365 / Microsoft Graph), and optional error monitoring. These providers process data on our behalf under appropriate safeguards.

Children

The Service is not directed to children under 13, and we do not knowingly collect their personal information.

Changes

We may update this Policy from time to time. Material changes will be posted here with an updated date.

Contact

Privacy questions or requests? Contact privacy@postrider.us.

This document is a template and is not legal advice. Review with qualified counsel before relying on it.