← Back to Publishora

Privacy Policy

Last updated: 2026-05-13

In plain language

Publishora is a content marketing platform operated by Havnwright Ltd. We store the content you create, the social accounts you connect, and the schedule of posts you set. We use third-party services (Supabase, Anthropic, social platforms you connect) to make this work. We do not sell your data. You can delete your account and everything in it at any time.

1. Who we are

Publishora is operated by Havnwright Ltd, a company registered in the United Kingdom. References to "we", "us", or "our" in this policy mean Havnwright Ltd. References to "you" or "your" mean any person who uses the Publishora service (whether as a registered user or a visitor to publishora.com).

For privacy questions, write to privacy@publishora.com. If you are in the UK or EU and we have not resolved your concern, you may also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

2. What we collect

We collect the following categories of personal data:

  • Account data: email address, password (stored as a one-way hash), and any name or avatar you choose to add to your profile.
  • Content data: the campaigns, content items, scheduled posts, asset library entries, voice profiles, and other information you create or upload while using the service.
  • Connected-account data: when you connect a social platform account (for example LinkedIn, Instagram, Facebook, TikTok), we store the platform name, the account identifier, public profile information returned by the platform, and OAuth access and refresh tokens. The tokens let us post on your behalf at the times you schedule. We do not store the password for your social account; the connection uses each platform's standard OAuth flow.
  • Operational data: timestamps of your sessions, the posts we have submitted on your behalf, the responses returned by social platforms, error logs, and analytics about how content performed (if the connected platform provides that data).
  • Technical data: IP address, browser type, device type, and pages visited, captured by our hosting provider's standard request logs.

3. Why we collect it (legal basis)

Under UK GDPR we rely on the following legal bases:

  • Performance of a contract (UK GDPR Article 6(1) (b)): to provide the Publishora service you have signed up for — storing your content, scheduling posts, and submitting them to the platforms you have connected.
  • Legitimate interests (UK GDPR Article 6(1) (f)): to keep the service secure, prevent abuse, debug errors, and improve features. We balance these against your right to privacy.
  • Consent (UK GDPR Article 6(1)(a)): when you connect a third-party platform (LinkedIn, Meta, TikTok, etc.), you give explicit consent for us to act on your behalf within the scopes shown to you at the consent screen. You can revoke consent at any time by disconnecting the account in Publishora or in the platform's own settings.
  • Legal obligation (UK GDPR Article 6(1)(c)): where we must keep records for tax, fraud-prevention, or regulatory purposes.

4. Who we share it with

We use the following third-party processors to deliver Publishora. Each one processes personal data only on our instructions and under a data-processing agreement:

  • Supabase (Supabase Inc., United States and EU): authentication, database hosting, file storage, and real-time updates. Supabase stores data in regions we select at project setup. See supabase.com/privacy.
  • Vercel (Vercel Inc., United States): hosting and serverless function execution. See vercel.com/legal/privacy-policy.
  • Anthropic (Anthropic PBC, United States): we send the text you submit for AI-assisted content drafting to Anthropic's Claude API. Anthropic does not train models on data received via the API. See anthropic.com/legal/privacy.
  • Connected social platforms (LinkedIn Corporation, Meta Platforms Inc., ByteDance Ltd. and others): when you connect an account and we publish a post on your behalf, the content you compose is transmitted to that platform's API and becomes subject to their terms and privacy policy. We only transmit what you have explicitly scheduled.
  • Google Analytics 4 and Google Search Console (Google LLC): used by Publishora's analytics features to ingest performance data about content you have published. We read this on your behalf only when you have connected the service.

We do not sell or rent your personal data. We do not share it with third parties for advertising purposes.

5. International transfers

Our processors operate in the United States and the European Union. Where personal data is transferred outside the UK, the transfer is covered by either the UK Addendum to the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or another safeguard recognised under UK GDPR Article 46.

6. How long we keep it

  • Account data: kept for as long as your account is active, plus 30 days after deletion to allow for recovery if you change your mind.
  • Content data: kept for as long as your account is active. Deleted when you delete the account.
  • Connected-account OAuth tokens: kept until you disconnect the account or revoke the token. Then deleted within 7 days.
  • Error logs and operational data: kept for up to 90 days for debugging and security review, then deleted.
  • Records required by law (for example, tax or fraud records): kept for as long as the law requires, then deleted.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase your personal data ("right to be forgotten") — you can delete your Publishora account at any time from your account settings, which triggers deletion of all your content within 30 days
  • Restrict processing while a dispute about accuracy or processing is resolved
  • Receive a copy of your personal data in a portable format
  • Object to processing based on our legitimate interests
  • Withdraw consent (where consent is the legal basis)
  • Lodge a complaint with the ICO if you believe we have not handled your data correctly

To exercise any of these rights, email privacy@publishora.com. We will respond within one month.

8. Security

We protect your data with industry-standard measures: HTTPS-only transit, encryption at rest in our database, scoped access keys for our processors, multi-factor authentication on administrator accounts, row-level security policies that prevent users from reading each other's data, and regular review of access logs. No system is perfectly secure; if we discover a breach that affects your personal data we will notify you and the ICO within 72 hours as required by UK GDPR.

9. Cookies and similar technologies

Publishora uses cookies and similar storage only as needed for the service to work: authentication session tokens, your chosen UI preferences, and a small amount of operational telemetry. We do not use cookies for advertising or cross-site tracking.

10. Children

Publishora is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we make a material change we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email before the change takes effect. Continued use of Publishora after a change indicates acceptance of the updated policy.

12. Contact

Havnwright Ltd
Privacy: privacy@publishora.com
General: contact@publishora.com