← Back to postbridge.ai

Privacy Policy

Last updated: 29 May 2026

PostBridge AI (“PostBridge”, “we”, “our”) operates an API and integration surface that lets developers and AI agents send physical letters worldwide. This document explains what data we collect when you use PostBridge, how we use it, how long we keep it, and what rights you have.

Data we collect

Postal data (required to mail a letter):

• Sender and recipient names and postal addresses.
• Letter content — text, HTML, or a PDF URL you provide.
• Postal service selection and any optional metadata you attach.

Account + payment data:

• Email address (for traditional API keys) and/or DID / wallet address (for x402 / UCAN flows).
• Payment amounts, methods, and transaction references. For card and bank payments, Stripe stores card details — we store only the last 4 digits, network, and an idempotency key.

Operational telemetry:

• API request logs (timestamp, endpoint, response code, user ID) for debugging and abuse prevention.
• Error reports with enough context to reproduce issues — stripped of letter content when possible.

How we use it

• To deliver letters — we forward sender/recipient addresses and letter content to the print & mail partner that handles the destination country. Final delivery is performed by the recipient’s national postal service (USPS, Royal Mail, La Poste, Deutsche Post, Canada Post, etc.).
• To process payments — via Stripe (fiat), Circle (USDC), BTCPay (Bitcoin Lightning), or the x402 facilitator (on-chain USDC).
• To issue signed proof records — a W3C Verifiable Credential (PostalProof VC) that ties the letter ID to a cryptographic signature you can verify independently. Delivery proof is included when a carrier/provider supplies it.
• To improve reliability — aggregated error patterns inform validation rules and parser improvements.

We do not sell user data. We do not use letter content for training machine-learning models. We do not share postal addresses with third parties beyond the postal provider and payment processor strictly required to deliver the letter and settle the charge.

Data retention

• Letter content: uploaded document bytes are staged in hot memory for the order window only (30 minutes by default). Inline order content and document URLs are retained for support and preview regeneration, then redacted after 90 days for fulfilled orders or 30 days for expired, refunded, or failed orders. Signed PostalProof VCs (which reference letter IDs, not content) are retained indefinitely for audit purposes.
• Sender / recipient addresses: retained as part of the order record for 7 years where required for tax, accounting, dispute, and delivery audit records.
• Payment transactions: retained 7 years (tax / compliance requirement in most jurisdictions).
• API request logs: retained 30 days.

Your rights (GDPR, CCPA, and equivalents)

You have the right to:

• Access — request a copy of everything we hold on you.
• Correction — ask us to fix any inaccurate data.
• Erasure — ask us to delete your account and the data we hold, subject to legal retention requirements (e.g. payment records).
• Portability — export your letter history in JSON.
• Objection — opt out of non-essential processing.

To exercise any of these rights, email support@agents.postbridge.ai from the address on file. We verify the requester before exporting or deleting data. We aim to acknowledge within 14 days and respond within the legally required one-month window unless the request is complex or legally extended. Erasure requests are subject to legal retention requirements for payment, tax, delivery, dispute, and proof records.

Payment

PostBridge processes payments through Stripe. When you confirm an order, you receive a one-time Stripe Checkout link (proxied via postbridge.ai/orders/…/checkout); no charge occurs until you complete payment. PostBridge prints and ships only after Stripe confirms a successful payment. Receipts and tracking notifications are emailed from orders@postbridge.ai. Full card details are stored by Stripe; PostBridge stores only the last 4 digits, network, and an idempotency key.

Direct API customers (developers using a pb_live_ API key outside the Custom GPT) are billed against the API key’s prepaid balance instead of Stripe Checkout. The privacy and retention rules above apply identically in both flows.

Custom GPTs and integrations

If you use PostBridge via a Custom GPT on ChatGPT (registered via our GPT Actions manifest), OpenAI receives the requests and responses as part of the Actions flow — review OpenAI’s privacy policy for how they handle that data. PostBridge’s treatment of the postal data is unchanged regardless of which integration you use.

Clio Manage integration

When you install the PostBridge integration for Clio Manage, PostBridge reads matter, contact, and document data from your Clio account via Clio’s OAuth 2.0 API — only the data needed to render the send form and post the letter. Specifically:

• OAuth credentials: we store the access token and refresh token issued by Clio. Both are encrypted at rest with Fernet (symmetric authenticated encryption); the decryption key is held in our hosting platform’s secret store, never in application code or logs.
• Matter and contact data: read on demand when you click the “Send Royal Mail via PostBridge” button on a Matter. We do not bulk-import or sync your Clio data. The contact’s address pre-fills the send form; you can edit any field before paying.
• Document binary: the PDF you select on the form is downloaded via a pre-signed S3 URL Clio issues to us. We hold the binary only as long as needed to send it to the print partner, then drop it from working memory. The order record references the document by its Clio document ID, not by the binary.
• Webhook events: we receive a small number of Clio webhook events (e.g. app uninstall) to keep our install record in sync. Each event is HMAC-SHA256 signed by Clio against a per-install shared secret we hold encrypted at rest.
• Writeback: after a letter is dispatched, we post a Note back to the originating matter with the order ID, service, recipient, charge, and (where available) tracking number. This is the only write we make to your Clio account.

If you uninstall the Clio integration, Clio fires a deauthorize callback that immediately flips our install record to disabled. Within seconds, our Clio API client refuses to instantiate against that install — meaning no further data is read, no further events are processed. Encrypted OAuth credentials, the webhook shared secret, and external Clio org/user identifiers are retained 180 days post-uninstall to support reinstall continuity. After that, credentials are scrubbed and external Clio identifiers are pseudonymized; the internal install row remains only for audit and order traceability. Order records (matter ID, recipient address, service, charge, tracking number) are retained 7 years to comply with UK tax law (HMRC business-record retention).

We do not share Clio data with third parties beyond the print partner (recipient address and PDF) and Stripe (charge metadata; never the PDF or matter content). We do not use Clio data for training machine-learning models.

Cookies and analytics

postbridge.ai and app.postbridge.ai use Google Analytics (measurement ID G-EWLX797Q4S) to understand traffic patterns and high-level product-flow events only after you accept optional analytics cookies in the Klaro consent banner. The API itself (api.postbridge.ai) does not set analytics cookies. You can change your privacy preferences at any time, or use the official Google Analytics opt-out browser add-on. The cookie categories and exact optional storage/access behavior are listed on the Cookie Choices page.

We do not use behavioural advertising or third-party ad trackers.

Security

• HTTPS everywhere. TLS 1.2+ only.
• API keys are hashed at rest; only the prefix is visible in the dashboard.
• Ed25519 signatures for all PostalProof VCs — keys are managed in the API server’s secrets store, not in application code.
• SOC 2 audit: pending (small team — targeting 2026).

International data transfers

PostBridge is operated from the United States (hosted on Fly.io, San Jose region). Print & mail partners are located in the US, the European Union, and the United Kingdom. When you send a letter, the postal data for that letter is transferred to the partner whose country matches the recipient. For EU recipients, transfers are governed by the EU Standard Contractual Clauses.

Children

PostBridge is not designed for use by anyone under 16. We do not knowingly collect data from children.

Changes

If we materially change this policy we’ll update the “Last updated” date and, for account holders, email a summary of the changes. Using the service after an update constitutes acceptance of the new policy.

Contact

Questions or requests: support@agents.postbridge.ai
PostBridge AI — did:web:postbridge.ai

PostBridge.ai is a MoZ Consulting project.