FabricaPosts

Privacy Policy

Last updated: 2026-05-14

1. Who we are

FabricaPosts ("we", "the app", "the platform") is operated by BLUE MARKETING LAGUNA LTDA - ME, registered in Brazil under CNPJ 61.149.830/0001-70, with address at RUA ANITA GARIBALDI 48, Laguna - SC. This document explains what personal data we process, for what purposes, with whom we share it, and your rights under Brazilian LGPD (Law 13.709/2018) and the EU GDPR (2016/679).

2. Data we collect

2.1 Account

  • Email address (used for Magic Link sign-in)
  • Display name (optional, for profile personalization)
  • Preferred locale (pt-BR or en)

2.2 Content you create

  • Carousels, briefs, slides, and editor revisions
  • Brand identity: niche, tone of voice, color palette, logos, and visual references you choose to upload
  • Usage stats (monthly quota, number of generations)

2.3 Instagram data (via Instagram API)

When you connect your Instagram Business or Creator account, we store:

  • Instagram Business Account ID (numeric)
  • Public username (@handle)
  • Long-lived Instagram API access token, encrypted at rest with AES-256-GCM
  • Token expiration date (typically 60 days)
  • Authorized permissions (scopes): instagram_business_basic and instagram_business_content_publish

We do not collect direct messages, followers list, existing posts, comments, reach metrics, or any third-party data. We access the Instagram API strictly to publish carousels you create inside FabricaPosts and to retrieve the public permalink of the post afterwards.

2.4 Browsing and usage data

We automatically collect, for technical and security purposes:

  • IP address (anonymized in aggregated metrics)
  • Browser type, operating system, and device identifiers
  • Pages accessed, date and time of access
  • Activity logs inside the platform (generations, edits, publications)

These data are used for security (fraud and abuse detection), technical debugging, and aggregated internal metrics. They are not sold or cross-referenced with third-party cookies for behavioral advertising.

3. How we use your data

  • Authenticate you on the platform
  • Generate carousels using AI (Anthropic Claude and Replicate)
  • Publish to Instagram only when you explicitly request it from the editor
  • Email you when your Instagram token is close to expiring (daily cron)
  • Aggregated internal metrics with no personally identifiable info

4. Who we share data with

To deliver the service, some data is processed by third-party providers under contractual confidentiality obligations:

ProviderData sharedPurpose
AnthropicText briefs (no personal data)Carousel script generation
ReplicateVisual briefs and brand identityImage generation
Meta (Instagram API)Final images and captionPublishing on your Instagram profile
Cloudflare R2Generated imagesPublic CDN storage
SupabaseAll application dataPostgreSQL database and authentication
UpstashInternal job IDsProcessing queue (Redis)
ResendEmail + magic link payloadTransactional email delivery

We never sell your data. We never use it to train third-party AI models.

5. Your rights

Under LGPD and GDPR, you may at any time:

  • Request a copy of your data
  • Correct inaccurate information
  • Delete your account and all associated data — see data deletion instructions
  • Revoke the Instagram connection at any time (Settings → Disconnect)
  • Request data portability
  • File a complaint with Brazil's Data Protection Authority (ANPD) or your local supervisory authority

6. Retention

  • Active data: while your account exists and up to 90 days after last sign-in
  • After deletion request: 30 days in encrypted backup, then permanently purged
  • Instagram tokens: deleted immediately when you click "Disconnect" in Settings
  • Audit logs: 12 months
  • Tax and accounting records (invoices, payment receipts): retained for 5 years after issuance, as required by the Brazilian Tax Code and tax legislation applicable to legal entities

7. Security

  • Instagram tokens encrypted at rest with AES-256-GCM
  • TLS 1.3 on all public APIs
  • PostgreSQL Row-Level Security: each user can only read/write their own data, enforced at the database layer
  • Passwords: we never store them. Auth is Magic Link only.

8. Children

We do not knowingly collect data from anyone under 13. The platform is not directed at children. If we discover a minor's account, we delete it immediately.

9. Changes to this policy

We notify material changes by email and via an in-app banner 30 days beforethey take effect. Minor editorial updates are applied immediately and versioned via the "Last updated" field at the top of this document.

10. Permitted and prohibited uses of Instagram API data

In compliance with the Meta Platform Developer Terms, data we receive from the Instagram API is used strictly to:

  • Identify the connected Instagram account and display the handle in the app
  • Publish carousels you create in FabricaPosts when you manually confirm in the editor
  • Retrieve the public permalink of the post after publishing
  • Validate token expiration and alert you by email when it is close to expiring

Data obtained via the Instagram API is NEVER used for:

  • Targeted advertising, retargeting, or behavioral marketing
  • Selling or brokering data (data brokering)
  • Credit analysis or automated decisions that significantly affect the user
  • Training artificial intelligence models — whether our own or third parties'
  • Sharing with political parties, government agencies, employers, or insurance companies

11. Automated processing and Artificial Intelligence

We use the following AI providers to generate carousels:

  • Anthropic Claude (Sonnet 4.5 and Haiku 4.5) — textual carousel script generation and brand asset analysis
  • Replicate (Gemini, Seedream, Flux) — image generation for slides

The providers above process your inputs (briefs, brand data, prompts) solely to generate the requested response and return the result synchronously. Our API contracts with Anthropic and Replicate expressly prohibit the use of customer inputs to train AI models.

Under no circumstance is your Instagram API data or your brand data used to train AI models — neither by us nor by the providers above.

12. International data transfer

FabricaPosts uses infrastructure services hosted outside Brazil, in particular:

  • Supabase (PostgreSQL + Auth) — AWS us-east-1 or São Paulo regions
  • Cloudflare R2 (image storage) — Cloudflare global network
  • Upstash Redis (queues and cache) — AWS us-east-1
  • Anthropic (Claude) — United States
  • Replicate (image generation) — United States
  • Resend (transactional email) — United States

International transfers comply with Article 33 of LGPD: the providers listed above offer an adequate level of personal data protection equivalent to that required by Brazilian legislation, through specific contractual clauses (Data Processing Agreements) that prohibit use outside the contracted purposes.

13. Contact