Privacy Policy

Version 1.2 · Last updated 27 May 2026

Pagepost is currently in a free testing phase. The Service is provided as-is, with no guarantees of availability or data retention, and our data-handling practices may evolve as the Service matures. Material changes to this policy are handled per §9. Your rights under GDPR (§6) apply regardless of the testing status.

Pagepost ("we", "us") is operated as a personal project by Alexandros Tzoumas, an individual based in Greece ("the Controller"). This policy explains what personal data we collect when you use Pagepost, why we collect it, and what rights you have over it. We are committed to the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. What we collect

Account data (Slack OAuth)

When you sign in or install the Pagepost Slack app, Slack shares the following with us:

Your Slack user ID and workspace (team) ID.
Your display name and email address (if you authorize it).
Your profile picture URL, if available.
For workspace admins who install the app: an encrypted bot token used to interact with your Slack workspace on your behalf.

Content you upload

The HTML and Markdown files you upload, the original filename, any custom title you set, and the file size and content hash. File contents are encrypted at rest using AES-256-GCM.

Viewer telemetry

When someone opens one of your links, we record: the timestamp, a hashed IP address (we never store the raw IP), the browser user-agent string, and the Slack user ID if the viewer is signed in.

Audit log

We record actions taken on your links (renames, permission changes, expiry changes, revocations, deletions) with a timestamp and your user ID, so you can review the history of changes to a link.

Analytics & product usage

We use two analytics tools, both governed by the cookie banner:

Google Analytics runs in Google's Advanced Consent Mode v2. The Google script loads on every page, but starts in a fully denied state — no analytics or advertising cookies are set, and only minimal cookieless signals (page load, country) are sent to Google so they can model aggregate trends. If you accept the banner, cookies and full per-user analytics are enabled. If you reject, only the cookieless signals are sent. We never enable advertising features.
Microsoft Clarity is fully consent-gated: the script does not load and no requests are made to Microsoft until you explicitly accept. After acceptance, Clarity records anonymised session replays of non-sensitive pages.

You can refuse or change your choice at any time via the Cookie settings link in the site footer. The service works fully without analytics.

2. Why we use it (legal basis)

Provide the service (Art. 6(1)(b) GDPR — contract): account data, uploaded content, link metadata and audit log are required for Pagepost to work.
Security and abuse prevention (Art. 6(1)(f) — legitimate interest): hashed IPs and user-agents help us detect abuse, troubleshoot, and protect the service.
Analytics (Art. 6(1)(a) — consent): only after you accept via the cookie banner.

3. Who we share data with

We use the following sub-processors:

Vercel Inc. (US) — hosting and serverless execution. Bound by EU Standard Contractual Clauses and certified under the EU-US Data Privacy Framework.
Vercel Blob (US) — encrypted file storage.
Turso (libSQL database hosting) — link metadata, accounts, and audit log.
Slack Technologies LLC — for the OAuth login flow and bot interactions you initiate.
Google LLC — Google Analytics (only if you consent).
Microsoft Corporation — Microsoft Clarity (only if you consent).

We do not sell your data and we do not use it for advertising.

4. International transfers

Several sub-processors are based in the United States. We rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as the legal basis for those transfers.

5. How long we keep it

Files and link metadata: until you delete the link or your account.
Viewer telemetry: cascade-deleted when the link is deleted.
Audit log: cascade-deleted when the link is deleted.
Account data: until you ask us to delete your account.
Analytics: governed by Google's and Microsoft's retention defaults (we do not extend them).

6. Your rights

Under GDPR you have the right to:

Access the data we hold about you.
Receive a copy of your data in a structured, machine-readable format (data portability, Art. 20).
Rectify inaccurate data.
Erase your data ("right to be forgotten", Art. 17).
Restrict or object to certain processing.
Withdraw consent for analytics at any time.
Lodge a complaint with the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, www.dpa.gr).

From your account page you can:

Download a copy of your data as a JSON file (Your data section).
Permanently delete your account and all data (Danger zone section).

For any other request, or if you have questions, email legal@pagepost.app. We will respond within 30 days.

7. Cookies and similar technologies

We use the following cookies and storage:

Session cookies (strictly necessary): an HMAC-signed authentication cookie set after you sign in with Slack. Without it you cannot stay logged in. No consent required.
Consent storage (strictly necessary): a localStorage entry that remembers your cookie-banner choice so we don't ask you on every page load.
Google Analytics cookies (optional): dropped only after you accept the cookie banner. Before acceptance, the Google script is loaded but operates in cookieless mode.
Microsoft Clarity cookies (optional): the Clarity script does not load at all until you accept; cookies and session recording start at that point.

You can change or withdraw your analytics consent at any time by clicking Cookie settings in the site footer — the banner will reappear and you can choose again.

8. Security

File contents are encrypted at rest with AES-256-GCM. Slack bot tokens are encrypted at rest with the same algorithm. All traffic is served over HTTPS. We store hashed IP addresses, never raw IPs.

9. Changes to this policy

We may update this policy. The "Last updated" date at the top reflects the current version. For material changes, we will notify signed-in users on next sign-in.

10. Contact

Controller: Alexandros Tzoumas (natural person), Greece. Contact: legal@pagepost.app.

11. Other Pagepost tools

This policy also covers free tools we publish on subdomains of pagepost.app. At the time of writing that includes Mythos (mythos.pagepost.app), a brand-voice skill builder.

No account, no server-side storage. The inputs you provide to Mythos (archetype, personality layers, company description) are processed entirely in your browser and used only to generate the SKILL.md file you download. We do not receive, store, or transmit those inputs to any server or third party.
Analytics. Mythos loads the same Google Analytics and Microsoft Clarity tools described in §1, on the same legal basis and with the same controls. Because Mythos is a separate deployment, it has its own cookie banner and its own consent storage — accepting or rejecting on pagepost.app does not carry over to mythos.pagepost.app, and vice versa.