Last updated: 14 May 2026
1. Who we are
Posterita is a suite of business tools operated by Tamak Group ("we", "us"), registered in Mauritius. We are the data controller for personal data processed through our products under the Mauritius Data Protection Act 2017 (DPA 2017) and, where applicable, the EU/UK GDPR.
Contact: support@posterita.com
2. Information we collect
- Account information: name, email address, organization name, role, and authentication identifiers, supplied during sign-up or via OAuth.
- Mailbox data (Google account): when you connect your Gmail account, we access message metadata (sender, subject, date), message bodies, labels, and attachments via the Gmail API using the scopes you grant.
- Document content: file attachments fetched from your mailbox, their extracted text (OCR), inferred metadata (counterparty, amount, date, document type), and the audit trail of every classification decision.
- Usage telemetry: minimal product analytics needed to operate the service (page paths, error reports). We do not run third-party advertising trackers.
3. Google API data — Limited Use disclosure
Posterita's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In concrete terms, this means we:
- Use Google user data only to deliver the document-management features you signed up for.
- Do not use Google user data to serve advertisements.
- Do not sell, rent, or transfer Google user data to third parties.
- Do not allow humans to read Google user data except (a) with your explicit consent, (b) when required for security, (c) to comply with applicable law, or (d) when the data is aggregated and used for internal operations and complies with the Limited Use policy.
- Do not use Google user data to train generalized machine-learning models. We do send specific attachments and message snippets to third-party AI providers (see Section 6) to classify your documents for you; we do not retain or repurpose those outputs to improve any model.
We request the following Google OAuth scopes and use them solely as follows:
- gmail.readonly — list and read messages and attachments you have explicitly connected.
- gmail.send — send replies and confirmation receipts that you initiate inside Posterita.
- gmail.modify — apply Posterita-managed labels to processed emails, so we don't reprocess them.
- contacts.readonly — resolve sender names against your address book to improve classification accuracy.
- userinfo.email — confirm the connected Google account identity.
4. How we use information
- To classify, deduplicate, and route your documents to the right company / person / department.
- To present the document vault, run search, and export accountant-ready spreadsheets.
- To send transactional emails (account, billing, security).
- To diagnose and fix product issues via error logs that may include user identifiers but not message bodies.
5. Legal bases (GDPR)
Where GDPR applies, we rely on: (a) performance of a contract with you for core service delivery; (b) legitimate interest for product improvement and security; (c) consent for any optional integration; (d) legal obligation for retention required by DPA 2017 / FIAMLA / tax law.
6. Third parties we share data with
We use carefully selected sub-processors. All access is scoped to what each one needs to operate; none of them resell or advertise against your data:
| Sub-processor | Purpose | Region |
| --- | --- | --- |
| Supabase | Database, auth, file storage | EU/US (configurable) |
| Cloudflare R2 | Encrypted blob storage for attachments | Global edge |
| Vercel | Application hosting and CDN | Global edge |
| DeepSeek | AI classification of document content | Singapore |
| Resend | Transactional email delivery | US/EU |
| Google APIs | Mailbox access (Gmail) you explicitly connect | Global |
7. Storage, encryption, and security
- Sensitive person fields (national ID, passport, date of birth, address) are encrypted at rest using AES-256-GCM with org-scoped keys.
- Attachment binaries are encrypted at rest in storage; OCR text is encrypted in transit and at rest.
- Database rows are isolated per organization via row-level security policies.
- All transport uses TLS 1.2+; the application enforces HTTPS.
8. Data retention
- Account data: retained for the life of your account, plus a 30-day grace period after closure.
- Document content: retained while indexed in your vault; you can delete individual files at any time.
- KYC and compliance records: retained for 5–7 years post-relationship as required by Mauritius FIAMLA, overriding the right to erasure for those specific records.
- Audit logs, signatures, billing events: append-only, retained for at least 7 years for accountability.
- Backups: rolling 30-day snapshots.
9. Your rights
Under DPA 2017 and GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data, subject to FIAMLA retention
- Export your data in a portable format
- Object to processing or withdraw consent
- Lodge a complaint with the Mauritius Data Protection Office or your local authority
To exercise any right, email support@posterita.com. We respond within 30 days.
10. Revoking Google access
You can revoke Posterita's access to your Google account at any time from inside the product (Settings → Disconnect Gmail) or directly at myaccount.google.com/permissions. Revocation stops further data access immediately; existing data already ingested into your Posterita vault remains under your control there.
11. Children
Posterita is not intended for users under 16.
12. Changes to this policy
We will post material changes here and email account owners at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.
13. Contact
Tamak Group, Mauritius. Email: support@posterita.com.