
Privacy Policy

Last updated: May 2026

1. Who we are

VoxBurst is a social media management platform operated by FORTHEAN LABS LLC, a Texas limited liability company ("we", "us", "our"). This Privacy Policy describes how we collect, use, and protect personal information when you use VoxBurst at voxburst.com, app.voxburst.io, voxburst.io, and any associated subdomains or APIs (collectively, the "Service").

We do not knowingly collect or solicit personal information from anyone under the age of 18. The Service is intended solely for users who are 18 years of age or older. If you believe a minor has provided us personal information, please contact us and we will delete it promptly.

2. Information we collect

Account information

When you create an account, we collect your name, email address, and a hashed password (using a modern salted hashing algorithm). If you sign up via OAuth (Google, etc.), we receive your email and name from that provider.

Social platform credentials

When you connect a social account, we store OAuth access tokens (and refresh tokens where applicable) to publish on your behalf. We do not store your passwords for any social platform. Tokens are encrypted at rest using AES-256. OAuth tokens are used solely to publish content and retrieve analytics on your behalf — they are never shared with third parties for any purpose unrelated to operating the Service, are not logged or cached in plaintext, and are only transmitted over TLS-encrypted connections. Access to stored OAuth tokens is restricted to the minimum system components required to perform publishing operations.

Content you create

Post drafts, scheduled posts, media uploads, and analytics data you generate while using the Service are stored on our servers.

Usage and log data

We automatically collect IP addresses, browser type, pages visited, and actions taken within the Service for security, debugging, and product improvement purposes.

Payment information

Billing is handled by Stripe. We do not store credit card numbers. We receive a payment confirmation and subscription status from Stripe.

3. How we use your information

We process your personal information for the following purposes and on the following legal bases:

  • To provide and operate the Service, including scheduling and publishing your social media posts. Legal basis: Performance of contract
  • To authenticate your identity and protect your account. Legal basis: Performance of contract
  • To process payments and manage your subscription. Legal basis: Performance of contract
  • To send transactional emails (account confirmation, password reset, post failure notifications). Legal basis: Performance of contract
  • To improve and debug the product using aggregated analytics. Legal basis: Legitimate interest
  • To comply with applicable laws and regulations. Legal basis: Legal obligation
  • To send product updates and marketing communications (where you have opted in). Legal basis: Consent

We do not sell your personal data. We do not use your content to train foundation AI models, and we do not share your content with our AI providers for their own model training. Brand Voice and Persona features process your content within your workspace only, to generate a private style profile that conditions content generation for your account. This profile is not used to train shared models, is not accessible to other customers, and is deleted when you delete the corresponding persona or your account. See our AI Policy for full details.

4. Third-party services

We share data with third parties only as necessary to operate the Service:

  • Stripe: payment processing and subscription management
  • Amazon Web Services (AWS): cloud infrastructure, data storage, and transactional email delivery via Amazon SES. Data is hosted in AWS us-east-1 (United States).
  • Sentry: error monitoring and crash reporting. Sentry may receive limited technical metadata (stack traces, request URLs) but does not receive post content or social credentials.
  • Google Tag Manager / Google Analytics: website analytics on the marketing site (voxburst.com). Gated by your cookie consent choice via our consent management platform.
  • Ahrefs Analytics: website traffic analytics on the marketing site. Gated by your cookie consent choice.
  • Social media platforms: data is shared with the platforms you connect (Twitter/X, Instagram, LinkedIn, etc.) when publishing posts on your behalf.
  • Anthropic: AI text generation. Anthropic does not train on API customer data by default.
  • Google (Gemini API, paid tier): AI text and multimodal generation. VoxBurst uses the paid API tier; Google does not train on customer data on the paid tier. Google retains request data for up to 55 days for abuse monitoring purposes.
  • Stability AI: AI image generation under enterprise licence terms.
  • Alibaba Cloud (Qwen): available as a bring-your-own-key (BYO-key) option only. VoxBurst does not proxy Qwen requests. Users selecting Qwen connect their own API key and are subject to Alibaba Cloud's own terms of service, including potential data processing in China and Singapore.

We do not share your personal data with third parties for their own advertising purposes.

5. International data transfers

VoxBurst is operated from the United States. Your data is stored in AWS us-east-1 (Northern Virginia, USA). When we share data with sub-processors such as AI providers or analytics tools, that data may be processed in countries outside your own, including the United States and countries where those providers operate.

For transfers of personal data from the European Economic Area (EEA) or United Kingdom, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum (IDTA) with our sub-processors. A copy of our Data Processing Agreement is available on request — see our Security page.

FORTHEAN LABS LLC does not currently have a designated EU/UK representative under GDPR Article 27. If you have questions about data processing affecting EEA or UK residents, please contact us directly.

6. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data from active systems within 30 days. Residual copies in encrypted backups are purged within 90 days of that deletion. We may retain data longer where required by law or to resolve disputes.

When you disconnect a social account from VoxBurst, the associated OAuth access token and refresh token are deleted from our systems immediately, and we revoke the token with the platform where the platform's API supports programmatic revocation. When you delete your VoxBurst account, all connected social account tokens are revoked and deleted as part of the account deletion process.

Note: Third-party AI providers may retain API request data for their own abuse-monitoring purposes independent of our retention schedules (for example, Google retains Gemini API request data for up to 55 days). We do not control third-party provider retention periods.

Post content and analytics may be retained in anonymized, aggregated form indefinitely for product improvement purposes.

7. Security

We use industry-standard security practices including TLS 1.2+ encryption in transit, AES-256 encryption at rest for sensitive credentials, role-based access controls, and audit logging. For more detail, see our Security page.

In the event of a confirmed security incident affecting your personal data, we will notify affected workspace administrators without undue delay and in accordance with applicable law — typically within 72 hours where GDPR applies.

8. Children's data

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has submitted personal information to us, please contact us and we will delete it promptly.

9. Your rights

Depending on your location, you may have rights regarding your personal data. To exercise any of these rights, contact us.

You can disconnect any connected social account at any time from your workspace settings. Disconnecting an account immediately revokes VoxBurst's access and deletes the associated OAuth tokens from our systems.

  • GDPR (EU/EEA residents): right of access, rectification, erasure ("right to be forgotten"), portability, restriction of processing, objection to processing, and the right to withdraw consent at any time where consent is the legal basis. You also have the right to lodge a complaint with your local supervisory authority (e.g. your national Data Protection Authority).
  • UK GDPR (UK residents): same rights as above. You may also complain to the Information Commissioner's Office (ICO).
  • CCPA/CPRA (California residents): right to know what personal information we collect and how it is used, right to delete, right to correct inaccurate personal information, right to opt out of sale (we do not sell personal data), right to limit use of sensitive personal information, and the right to non-discrimination for exercising your privacy rights.

We will respond to verifiable requests within 30 days (or as required by applicable law).

10. Cookies

We use cookies and similar tracking technologies on the Service. These fall into two categories:

  • Strictly necessary: session authentication, CSRF protection, and theme preferences. These are required for the Service to function and are not subject to consent.
  • Analytics: we load Google Tag Manager and Ahrefs Analytics on our marketing pages (voxburst.com) to understand traffic and improve the site. These tools may set cookies that track your browsing session. They are blocked until you consent via our cookie banner.

When you first visit voxburst.com, a consent banner powered by Cookiebot will ask for your preferences. You can accept, decline, or customise which categories of cookies are allowed. You can change your preferences at any time by clicking the cookie settings link in the site footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Cookies used within the authenticated app (app.voxburst.io) are strictly necessary for authentication and session management and are not subject to the analytics consent choice.

11. Changes to this policy

We may update this Privacy Policy from time to time. For material changes — including changes to how we use personal data, the legal bases we rely on, or the third parties we share data with — we will provide at least 14 days' notice by email or by displaying a prominent notice in the Service before the change takes effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

Questions about this Privacy Policy or requests to exercise your rights? Contact us through our contact form. We aim to respond within 5 business days.

FORTHEAN LABS LLC
Texas, United States