PUBlish

Privacy Policy

Last updated: 15 May 2026

Who we are

PUBlish is operated by Publish Ltd, registered in the United Kingdom. We act as the data controller for the personal data described below. You can reach us at privacy@pub-lish.com.

What data we collect

We only collect what we need to run the service. Categories:

  • Account data — your email address, display name, and a hashed password. Required to sign you in and attribute your work.
  • Profile data — anything you publish to your profile (bio, role, location, links, photos, pieces). This is public by design.
  • Usage logs — your IP address and a timestamp on each request. Held in server logs for 30 days for security + abuse prevention.
  • Analytics events — if you opt in via the cookie banner, anonymous product events (page views, button clicks) sent to PostHog. Never sold, never linked to advertising IDs.
  • Subscriber lists — if you build an email list on PUBlish, your subscribers’ email addresses. You are the data controller for those addresses; we are the processor. You can export the full list to CSV at any time from Settings → Subscribers.

Legal basis

We process the data above on one of three GDPR Article 6 bases:

  • Contract — account, profile, and subscriber data are required to provide the service you signed up for.
  • Legitimate interest — usage logs, for fraud and abuse prevention.
  • Consent — analytics events. You can change your decision any time on the cookies page.

How long we keep it

  • Account + profile data — until you delete your account.
  • Pieces + comments — until you delete them, or your account.
  • Server access logs — 30 days, then auto-purged.
  • Analytics events — 12 months in PostHog, then auto-purged.
  • Backups — 30 days rolling, then overwritten.

Who we share it with

PUBlish runs on a short list of vendors. Each one processes data on our behalf under a Data Processing Agreement.

  • Supabase (Frankfurt, EU) — database + auth.
  • Vercel (Frankfurt, EU) — hosting + CDN.
  • Resend (US) — transactional email (welcome, notifications).
  • PostHog (US) — product analytics — only if you opted in.
  • Stripe (EU / US) — payments. Stripe is the controller for card data; we never see it.
  • Serper.dev / SerpAPI (US) — Google rank checking.

We do not sell personal data. We do not share data with advertisers. We do not run any ad networks.

Your rights

Under GDPR you can:

  • Access — get a copy of everything we hold on you.
  • Rectify — correct anything that’s wrong.
  • Erase — delete your account. The button is in Settings → Account → Delete; everything we hold is removed within 30 days (plus the rolling 30-day backup window).
  • Port — export your data. Pieces and subscribers are downloadable from your dashboard.
  • Object — to processing based on legitimate interest. Email us at privacy@pub-lish.com.
  • Withdraw consent — revisit the cookies page any time.

You also have the right to lodge a complaint with your local data-protection authority.

International transfers

All primary infrastructure runs in the EU. Data handled by some non-essential services may be transferred to non-EU providers under Standard Contractual Clauses + the EU–US Data Privacy Framework: Resend, PostHog, and Serper.dev / SerpAPI.

Changes

We’ll update this page when our practices change. The “last updated” date at the top changes too. For material changes that affect your rights, we’ll email registered members.

Contact

Email us at privacy@pub-lish.com. We aim to respond within 14 days.