Privacy Policy

Effective date: March 2026

This privacy policy explains how Kleo (kleoapp.io) collects, uses, stores, and protects your information. We believe in being straightforward about data practices, so this document is written in plain language.

What We Collect

When you use Kleo, we collect the following types of information:

• Account information: your email address, name, and password. Passwords are securely hashed using bcrypt and are never stored in plain text.
• Social media OAuth tokens: when you connect a social media account (LinkedIn, X/Twitter, Threads, Bluesky), we store the OAuth access tokens and refresh tokens required to post on your behalf. These tokens only grant posting permissions and do not give us access to your private messages or contacts.
• Post content: the text and media content of posts you create, schedule, or generate using Kleo. This includes drafts, scheduled posts, and published posts.
• Brand information: any brand voice descriptions, style preferences, or topic lists you configure to guide AI content generation.
• Uploaded images: images you upload to include in your social media posts.
• Browsing analytics: basic usage data such as pages visited, features used, and session duration. This helps us understand how people use Kleo so we can improve the product.

How We Use Your Information

We use the information we collect for the following purposes:

• Scheduling and publishing posts: your post content and OAuth tokens are used to publish posts to your connected social media accounts at the times you specify.
• AI content generation: when you use Kleo's AI features, your brand information, style preferences, and topic context are sent to Anthropic's Claude API to generate post content. Only the information necessary for generation is sent.
• Platform posting via OAuth: we use your OAuth tokens to interact with social media platform APIs (LinkedIn, X/Twitter, Threads, Bluesky) strictly for the purpose of publishing your posts.
• Push notifications: if you enable notifications, we use them to alert you about scheduled posts, publishing results, and important account updates.
• Payment processing: billing information is handled entirely by Stripe. We do not store your credit card details.

Third-Party Services

Kleo relies on the following third-party services to operate:

• Anthropic (Claude AI): powers our AI content generation features. When you generate a post, relevant context (brand voice, topic, style preferences) is sent to Anthropic's API. Anthropic's data usage policy applies to this processing. Anthropic does not use API inputs to train their models.
• Stripe: handles all payment processing. Your billing information is managed directly by Stripe and is subject to Stripe's privacy policy.
• Social media platform APIs: we connect to LinkedIn, X/Twitter, Meta (Threads), and Bluesky APIs solely for the purpose of publishing your posts. We do not read your feeds, followers, or private messages through these connections.
• Railway: our application and database are hosted on Railway's infrastructure.

We Do Not Sell Your Data

Kleo does not sell, rent, or trade your personal information to third parties. We do not share your data with advertisers. Your content and account information are used exclusively to provide the Kleo service.

Cookies

Kleo uses a minimal number of cookies, all of which are functional. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

• poster_token: an authentication session cookie that keeps you logged in. This cookie is essential for the app to function and is set when you log in.
• poster_pkce: a temporary cookie used during the OAuth PKCE flow when connecting social media accounts. It is removed after the connection is complete.

That is it. No Google Analytics, no Facebook Pixel, no tracking scripts.

Data Storage

Your data is stored in a PostgreSQL database hosted on Railway. Images you upload are stored directly in the database. All data is transmitted over encrypted connections (HTTPS/TLS).

OAuth tokens are stored in the database and are used only by our server-side posting engine to publish your scheduled content. They are never exposed to client-side code or shared with other users.

Data Retention and Deletion

We retain your data for as long as your account is active. If you want to delete your account and all associated data, you can request this by contacting us at the email below. Upon receiving a deletion request, we will:

• Delete your account and profile information
• Delete all your posts, drafts, and scheduled content
• Revoke and delete all stored OAuth tokens
• Delete all uploaded images
• Remove your brand and style configuration

Account deletion is permanent and cannot be undone. We aim to process deletion requests within 30 days.

Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and data
• Disconnect any social media account at any time, which immediately revokes our access

Changes to This Policy

We may update this privacy policy from time to time. If we make significant changes, we will notify users via email or through the Kleo app. Continued use of Kleo after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this privacy policy or want to exercise your data rights, contact us at:

nick@nicholasharris.me