Legal

Privacy Policy

Last updated: April 20, 2026

PulseMarketing HQ (a DBA of Vintage Rust LLC) runs automated social media posting for small businesses. This policy explains what we collect, why, and how we protect it. Plain language, no fluff.

What we collect

  • Account info. Your name, business name, email, phone number, and business category — from the signup form.
  • Business content. What you tell us about your business, photos you upload, your website URL, and any content you send us later by email.
  • Social access tokens. When you connect your Facebook page through our OAuth flow, Facebook issues us a token that lets us post on that page's behalf. We also read the Instagram Business account linked to the page, if there is one. We never receive or store your Facebook password.
  • Payment info. Your card is tokenized by Square's Web Payments SDK on the signup page. We never see the card number — Square holds it; we only store the Square customer ID and subscription ID needed to manage your subscription.
  • Usage logs. What content we posted on your behalf, engagement numbers Facebook and Instagram report back, and error logs for debugging.

How we use it

  • To generate and post content on your connected social accounts.
  • To measure how that content performs so our AI learns your audience.
  • To bill your subscription and email you receipts, updates, and replies to support requests.
  • To improve the service across all clients — always in aggregate, never by sharing your content or data with other clients or third parties.

We do not sell your data. We do not share it with advertisers. We do not use your content to train public AI models.

How we store it

  • Social access tokens, API keys, and other secrets are stored in an encrypted credential vault (Fernet symmetric encryption, restricted file permissions) on a machine we control. Plaintext tokens never touch disk.
  • Lead records and content logs are stored on the same machine with restricted access.
  • Payment information stays with Square — a PCI-DSS Level 1 certified processor. We never see your full card number.
  • Uploaded photos are kept in a private directory, used only for your brand's content pipeline, and deleted when you delete your account.

Who can see your data

Only PulseMarketing HQ staff (currently Andrew Knowles, the operator). We do not have a sales team, a data team, or external contractors with access to client data. Service providers we rely on — Square (billing), Meta (Facebook/Instagram posting), Google (email delivery) — see only the data they need to perform their function, governed by their own privacy policies.

Revoking access and deleting data

You can revoke our Facebook access at any time in your Facebook Business Settings → Business Integrations. To delete your data entirely, see data deletion instructions.

Changes to this policy

If we change how we handle your data in a material way, we'll email active clients before the change takes effect.

Contact

Questions, concerns, data requests — email [email protected]. A human replies.