DistributionOS
HomeFree toolsDocs
Dashboard

Privacy Policy

Last updated: July 10, 2026

1. Data Controller

DistributionOS is operated by Lawrence. For privacy inquiries, contact us at privacy@distributionos.com.

2. Data We Collect

Account Data

Email address, display name, and authentication provider (Google, GitHub, or email/password).

App Configuration

App names, domains, Brain Doc content (product descriptions, audience definitions, brand voice settings), scheduling preferences, and competitor URLs you provide.

Connected Account Tokens

OAuth access tokens for Instagram, GitHub, and Google Search Console. These are encrypted with AES-256-GCM before storage and are never accessible in plaintext outside of server-side processing.

Content and Performance Data

Generated social posts, blog articles, email campaigns, engagement metrics, SEO performance data, and attribution data collected from connected platforms.

Free Tool and AI Generation Data

The private version of each free tool runs in your browser, and its answers are not sent to DistributionOS. If you choose Generate with AI, the answers are sent through our Vercel-hosted API to the configured model provider, currently OpenAI or Anthropic, to create the result. We do not attach those answers or results to a DistributionOS account. A generated result may be cached in server memory for up to six hours to avoid duplicate model calls. We disable OpenAI response storage for these calls. The model provider's standard abuse-monitoring or API retention may keep inputs and outputs for up to 30 days, subject to its commercial terms and limited exceptions. Commercial API inputs and outputs are not used for model training by default by either provider.

Newsletter Data

If you opt in to the marketing-experiments newsletter, we store your email address, consent timestamp and source, and the free tool where you subscribed. We do not store your free-tool answers with the newsletter record.

Anonymous Campaign Link Tracker Data

The UTM Builder can create an optional public DistributionOS redirect and private results page without an account. We use the required operational email only to verify activation, recover the private report, and send one final report; this is separate from newsletter consent. The email is encrypted at rest. Private results and activation tokens are stored as one-way hashes, and the activation token expires after 24 hours if unused.

After activation, the redirect records eligible human clicks for exactly 30 days, up to 10,000 clicks. We do not store raw IP addresses, full referrer URLs, or raw user-agent strings. An approximate unique-click identifier uses a link-specific rotating salt and a one-way keyed hash. We retain only the referrer hostname, broad device category, bot classification, and click time. Known crawlers and suspicious automation are excluded from human totals, but bot filtering and approximate uniques are not perfect.

Billing Data

Payment processing is handled entirely by Polar. We do not store credit card numbers or payment credentials. We store subscription status, plan tier, and billing period dates.

Usage Data

On public marketing pages, we collect first-party analytics such as page visits, sessions, traffic source, content and campaign identifiers, and successful signup or newsletter events. We do not send newsletter email addresses or free-tool answers in analytics events. Optional Google Analytics data is collected only with consent. See our Cookie Policy for details.

3. Legal Basis for Processing (GDPR Article 6)

  • Contract performance: Processing necessary to provide the Service (content generation, publishing, analytics).
  • Legitimate interest: Product improvement, security monitoring, and fraud prevention.
  • Consent: Analytics cookies and marketing email preferences.

4. Third-Party Processors

We share data with the following processors, each under appropriate data processing agreements:

ProcessorPurpose
SupabaseAuthentication, database, file storage, and scheduled worker state
VercelWeb application hosting and API routes
Google Cloud / Firebase HostingOptional customer-site deployment adapter when you connect a Firebase-hosted app
Anthropic (Claude)Optional AI content generation. Commercial API inputs and outputs are not used for model training by default and may be retained for up to 30 days under Anthropic's standard terms.
OpenAIOptional AI content generation. Free-tool calls disable response storage; API content is not used for training by default and standard abuse-monitoring logs may be retained for up to 30 days.
ResendEmail delivery (platform notifications and user email campaigns)
PolarSubscription billing and payment processing
DataForSEOKeyword research and SEO data
ApifyCompetitor intelligence web scraping
GitHubBlog article publishing via GitHub API
Instagram / MetaSocial media posting via Graph API
Google AnalyticsUsage analytics (only with consent)
Google Search ConsoleSEO performance data

5. Data Retention

Account and app data is retained for the duration of your active subscription plus 30 days after cancellation. Newsletter email, consent, and source data is retained until you unsubscribe or request deletion. We may retain a minimal suppression record so a previous unsubscribe, complaint, or delivery failure is not accidentally overridden. Free-tool AI inputs and outputs are not saved to a DistributionOS account; temporary processing and provider retention are described above. Minimal accounting and security records may be retained when required for legal compliance or abuse prevention.

Anonymous campaign click rows and approximate-unique hashes are retained only during the 30-day recording window. The frozen private report and operational email remain for a seven-day grace period so the final report can be delivered and opened. After the grace period, the operational email, token hashes, click data, unique hashes, and report are removed. A minimal public-code and destination record remains so a campaign link already shared continues redirecting without further recording. The private results page also provides an explicit deletion action that stops the redirect and removes associated private data earlier.

6. Your Rights (GDPR)

If you are in the European Union, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data.
  • Portability: Receive your data in a machine-readable format.
  • Restriction: Request restriction of processing.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Withdraw consent for analytics cookies or marketing emails at any time.

To exercise these rights, email privacy@distributionos.com. We will respond within 30 days.

7. Your Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information is collected and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information. We do not sell personal data.

8. International Data Transfers

Your data may be processed in the United States and other countries where our processors operate. We rely on Standard Contractual Clauses (SCCs) and processor Data Processing Agreements to ensure adequate protection of transferred data.

9. Cookies

We use essential cookies for authentication and optional analytics cookies with your consent. See our Cookie Policy for details.

10. Data Breach Notification

In the event of a data breach, we will notify affected users within 72 hours as required by GDPR Article 33, and will notify the relevant supervisory authority.

11. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification.

13. Contact

For privacy inquiries or to exercise your data rights, contact privacy@distributionos.com.

Terms of ServicePrivacy PolicyCookie Policy