Privacy Policy
Last updated: 26 March 2026
Operated by Joshua Mackay Pty Ltd (ABN 15 666 819 870), trading as Gridwolf.
1. Introduction
Gridwolf (gridwolf.com.au) is a content development and social media management platform operated by Joshua Mackay Pty Ltd (ABN 15 666 819 870), an Australian Proprietary Limited Company registered in Western Australia.
This Privacy Policy explains what personal information we collect, why we collect it, how we store and protect it, and what rights you have over your data. It applies to all users of the Gridwolf platform, website, and related services.
We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For users located in the European Economic Area (EEA) or the United Kingdom, we also comply with the General Data Protection Regulation (GDPR).
2. Information We Collect
Account Information
When you create a Gridwolf account, we collect your name, email address, and a securely hashed password. Authentication is handled through Supabase Auth. We never store plaintext passwords.
Brand Configuration Data
To provide our content development service, we collect brand information you provide, including: brand name, bio, tagline, industry, tone preferences, content pillars, brand colours, and posting schedule preferences.
Uploaded Brand Assets
You may upload brand assets such as logos, photos, documents, and PDFs. These files are stored securely in Supabase Storage and are used to help our AI understand your brand voice and generate contextually relevant content.
Content Data
We collect and store raw content ideas you input, as well as AI-generated draft content created through the platform. This includes scheduled posts, published post metadata, and content calendar data.
OAuth Tokens from Connected Platforms
When you connect a social media account (Facebook, Instagram, LinkedIn, X/Twitter, Pinterest, or YouTube), we receive and store OAuth access tokens and refresh tokens. These tokens allow Gridwolf to publish content and manage profiles on your behalf. See Section 4 for full details on how we handle these tokens.
Review Source URLs
You may provide a Google Reviews URL or other review source URLs. These are stored to allow Gridwolf to incorporate review content into your social media strategy.
Usage Data
We collect usage data such as feature usage patterns and session data to improve the product and user experience. This data is used internally and is not shared with third parties for advertising purposes.
Payment Information
Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe may provide us with limited information such as the last four digits of your card and the card brand for display purposes. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.
3. How We Use Your Data
We use your data for the following purposes:
- Providing the service: Developing your content ideas into platform-specific posts, scheduling them, and publishing them to your connected social media accounts.
- AI content generation: Your brand configuration, uploaded assets, content ideas, and documents are sent to Anthropic's Claude API to generate contextually relevant, on-brand content. Anthropic processes this data in accordance with their data handling policies and does not use API inputs to train their models.
- Publishing content: OAuth tokens are used solely to publish content and manage profiles on your behalf on the platforms you have connected.
- Product improvement: Aggregated, anonymised usage data helps us understand how features are used and improve the platform.
- Account management: Processing payments, sending service-related communications, and providing customer support.
Important commitments:
- We do not sell, rent, or trade your personal data to third parties.
- We do not use your content to train AI models.
- We do not share your data with advertisers.
- We do not use your OAuth tokens for any purpose other than publishing content and managing profiles on your behalf.
4. OAuth and Third-Party Platform Access
Gridwolf connects to third-party social media platforms via OAuth 2.0 to publish content on your behalf. This section explains exactly how we handle platform access and tokens.
Permissions We Request
We request only the minimum permissions (scopes) necessary to publish content and manage your profiles. We do not request access to your private messages, friend lists, or any data beyond what is needed to post content and retrieve basic profile information.
How Tokens Are Stored
- OAuth access tokens and refresh tokens are encrypted at rest using AES-256 encryption in our database.
- Tokens are stored in PostgreSQL (Supabase) with Row Level Security (RLS) enforced, meaning each user can only access their own tokens.
- Tokens are never exposed in client-side code, browser logs, API responses to the frontend, or application logs.
- All communication with platform APIs occurs server-side over encrypted connections (TLS 1.2+).
Revoking Access
You can disconnect any social media platform at any time through your Gridwolf account settings. When you disconnect a platform:
- The associated OAuth tokens are permanently deleted from our database immediately.
- Gridwolf will no longer have any access to that platform account.
- You can also revoke Gridwolf's access directly through the platform's own settings (e.g., Facebook Settings > Business Integrations, LinkedIn Settings > Permitted Services).
Account Deletion
When you delete your Gridwolf account, all OAuth tokens for all connected platforms are permanently deleted as part of the account deletion process. See Section 6 for full details.
5. Data Storage and Security
We take the security of your data seriously. Here is how we protect it:
- Database: All data is stored in PostgreSQL hosted by Supabase, with Row Level Security (RLS) enforced to ensure strict data isolation between users.
- Encryption in transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive data, including OAuth tokens, is encrypted at rest using AES-256 encryption.
- File storage: Uploaded brand assets are stored in Supabase Storage with access controls that restrict file access to the owning user.
- Infrastructure: Our backend is hosted on Railway and our frontend on Vercel. Both providers maintain SOC 2 compliance and enterprise-grade security practices.
- Access control: Access to production systems and databases is restricted to authorised personnel only, with multi-factor authentication required.
- Security practices: We conduct regular security reviews, keep dependencies up to date, and follow secure coding practices.
6. Data Retention and Deletion
Active Accounts
We retain your account data, brand configuration, content, assets, and OAuth tokens for as long as your account is active and you continue to use the service.
Account Deletion
When you delete your Gridwolf account, all associated data is permanently deleted within 30 days. This includes:
- Account information (name, email)
- Brand configuration data
- Content ideas and AI-generated drafts
- Uploaded brand assets (logos, photos, documents)
- All OAuth tokens for connected platforms
- Posting schedules and calendar data
Post-Deletion Retention
Published post metadata may be retained in anonymised, aggregated form for analytics purposes. This data cannot be linked back to any individual user. Backup data containing user information is purged within 90 days of account deletion.
Platform Disconnection
When you disconnect a specific platform (without deleting your account), the associated OAuth tokens are deleted immediately. Your content history for that platform is retained in your account unless you choose to delete it.
7. International Data Transfers
Gridwolf is operated from Australia. However, some of our infrastructure providers and third-party services process data in the United States and other jurisdictions. Specifically:
- Supabase may host data in US-based data centres.
- Anthropic (Claude API) processes content data in the United States for AI content generation.
- Railway and Vercel may process data in US-based infrastructure.
- Stripe processes payment data internationally in accordance with their own privacy policy.
Where data is transferred outside of Australia, we ensure appropriate safeguards are in place consistent with the Australian Privacy Act 1988 (APP 8 — cross-border disclosure of personal information). For users in the EEA or UK, transfers are conducted in compliance with GDPR requirements, including the use of Standard Contractual Clauses (SCCs) or equivalent mechanisms where applicable.
8. Your Rights
All Users
Regardless of where you are located, you can:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Export your data in a portable format.
- Delete your account and all associated data.
- Disconnect any connected social media platform at any time.
- Revoke Gridwolf's access to your social media accounts at any time through the platform's own settings.
Australian Users — Privacy Act 1988
Under the Australian Privacy Principles (APPs), you have the right to:
- Access your personal information (APP 12).
- Request correction of your personal information (APP 13).
- Lodge a complaint about our handling of your personal information. We will respond to complaints within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
EU/UK Users — GDPR
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the GDPR:
- Right of access — obtain a copy of your personal data.
- Right to rectification — correct inaccurate personal data.
- Right to erasure — request deletion of your personal data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to restrict processing — limit how we process your data in certain circumstances.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
Our lawful bases for processing under the GDPR are: performance of a contract (providing the service you signed up for), legitimate interests (improving our service and ensuring security), and consent (where you have opted in to optional features).
To exercise any of these rights, contact us at legal@gridwolf.com.au. We will respond to all requests within 30 days.
9. Third-Party Services
Gridwolf uses the following third-party services to operate. Each has its own privacy policy governing how it handles data:
- Supabase — Authentication, PostgreSQL database, and file storage.
- Anthropic Claude API — AI content generation. User content is sent to Claude for processing. Anthropic does not use API inputs to train models.
- Stripe — Payment processing. We do not store card details.
- Railway — Backend application hosting.
- Vercel — Frontend hosting and content delivery.
- Meta Graph API — Publishing content to Facebook and Instagram.
- LinkedIn API — Publishing content to LinkedIn company pages.
- X/Twitter API — Publishing posts to X/Twitter.
- Google YouTube Data API — Video content management on YouTube.
- Pinterest API — Creating and scheduling pins on Pinterest.
We only share the minimum data necessary with each service to provide the functionality described. We do not share your data with any third-party services not listed here without your explicit consent.
11. Children's Privacy
Gridwolf is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a user is under 18, we will take steps to delete their account and associated data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email before the changes take effect. Your continued use of Gridwolf after being notified of changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy, want to exercise your rights, or wish to lodge a complaint, please contact us:
Joshua Mackay Pty Ltd
Trading as Gridwolf
ABN: 15 666 819 870
Email: legal@gridwolf.com.au
Website: gridwolf.com.au
For complaints regarding our handling of personal information in Australia, you may also contact the Office of the Australian Information Commissioner (OAIC).