Privacy Policy
Last updated: April 2026
This Privacy Policy explains how SEOBurf ("we", "us", "our"), a sole trader business based in the United Kingdom, collects, uses, stores and protects your personal data when you use the Postbrander service ("Postbrander", the "Service"). We are the data controller for the personal data you provide to us.
We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018.
1. Who we are
SEOBurf is a sole trader operated by James Burfield. You can contact us at james@seoburf.com.
ICO registration: C1910527.
2. Data we collect
We collect the minimum data needed to run the Service:
- Account data: name and email address received from LinkedIn when you sign in via LinkedIn OpenID Connect (OIDC).
- LinkedIn connection data: OAuth access and refresh tokens that allow us to publish posts to your LinkedIn profile on your behalf. These are encrypted at rest using AES-256-GCM and never shared with anyone.
- Content data: posts you generate, draft, schedule or publish through the Service; voice profiles, example posts and topic preferences you provide.
- Performance data: impressions, reactions and basic engagement metrics retrieved from the LinkedIn API for posts published through the Service.
- Billing data: if you subscribe to a paid plan in future, payment information is handled directly by Stripe; we receive only a customer identifier and subscription status.
- Technical data: essential session cookies, IP address, browser type and basic request logs needed for security and operation of the Service.
3. Legal basis for processing
We rely on the following legal bases under UK and EU GDPR:
- Contract: processing necessary to provide you the Service you have signed up for (Article 6(1)(b)).
- Consent: for connecting your LinkedIn account and for publishing posts to LinkedIn on your behalf (Article 6(1)(a)). You can withdraw consent at any time by disconnecting your LinkedIn account or deleting your Postbrander account.
- Legitimate interests: for security, fraud prevention, debugging and improving the Service (Article 6(1)(f)).
- Legal obligation: where we must retain certain records to meet UK tax or accounting law.
4. LinkedIn data specifically
When you connect your LinkedIn account, we request the following permissions via OAuth 2.0:
- openid, profile, email — to identify you and create your Postbrander account.
- w_member_social — to publish posts to your LinkedIn profile.
- Read access to engagement metrics on posts we have published on your behalf, so we can show you analytics.
We will only publish content to LinkedIn that you have explicitly created, scheduled or approved within the Service. We do not read your inbox, your network, your private messages or any content other than the posts published through Postbrander.
Your LinkedIn access and refresh tokens are encrypted at rest using AES-256-GCM with keys held only by us, and are never shared with third parties or other users. You can disconnect your LinkedIn account from inside the Service at any time, which immediately revokes our ability to post on your behalf and deletes the stored tokens.
5. How we use your data
- To provide and operate the Service.
- To generate posts using AI based on your voice profile and topics, and to publish them on your behalf.
- To show you analytics about the performance of posts published through Postbrander.
- To send essential service emails (e.g. security, billing).
- To prevent abuse, debug issues and improve the Service.
- To comply with our legal obligations.
We do not sell your personal data. We do not use your content or your data to train any third party's AI models.
6. Third-party processors
We use the following service providers, each of which acts as a data processor on our behalf and is bound by appropriate data protection terms:
- Supabase — authentication and database hosting (EU region).
- Vercel — application hosting and serverless functions (EU/US edge network).
- Anthropic — Claude API used to generate post content from prompts you provide.
- Voyage AI — embeddings used to power semantic features such as topic matching.
- Stripe — payment processing (only used if you subscribe to a paid plan).
- LinkedIn — to publish posts and retrieve analytics for your posts.
- Giphy — to provide GIF search inside the post composer.
7. International transfers
Some of our processors (notably Vercel, Anthropic, Voyage AI, Stripe, LinkedIn and Giphy) are based in the United States or process data globally. Where personal data is transferred outside the UK or European Economic Area, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards as required by UK and EU law.
8. Data retention
We retain your personal data for as long as your account is active. If you request deletion of your account, we will delete your personal data, content and LinkedIn tokens within 30 days, except where we are required to retain certain records to comply with legal, accounting or tax obligations, or to resolve disputes and enforce our agreements.
Backups containing personal data are rotated and overwritten in the normal course of operations.
9. Your rights
Under UK and EU GDPR you have the following rights:
- Right of access — to a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Right to data portability.
- Right to object to processing based on legitimate interests.
- Right to withdraw consent at any time.
- Right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or with your local EU supervisory authority.
To exercise any of these rights, email james@seoburf.com. We will respond within one month.
10. Security
We use industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS), encryption of LinkedIn tokens at rest using AES-256-GCM, row-level security in our database scoped to each user, and access controls for staff and infrastructure.
No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify you and the ICO as required by law.
11. Cookies
We use a small number of essential cookies to keep you logged in and to remember basic preferences. We do not use advertising cookies. See our Cookie Policy for details.
12. Children
The Service is not intended for anyone under 13 years of age, and you must be at least 18 years old to create an account. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the Service.
14. Contact
Questions about this Privacy Policy or your data? Email james@seoburf.com.