Privacy Policy

Last updated: May 1, 2026

1. Scope

This Privacy Policy explains how PostKnock ("PostKnock", "we", "us", "our") collects, uses, and shares personal information in two distinct contexts:

In the application context, we distinguish between two data roles: Tenant Account Data (information about the Tenant's business and its authorized users) and Customer Data (recipient contact information and campaign content uploaded by the Tenant). For Customer Data, the Tenant is the data controller and PostKnock is a data processor acting on the Tenant's instructions.

2. Tenant Account Data We Collect

When you sign up and use PostKnock, we collect:

3. Customer Data Uploaded by Tenants

Tenants upload contact lists in order to send postcards and follow-up communications. Customer Data typically includes:

The Tenant is responsible for ensuring it has all necessary rights, consents, and legal bases to upload Customer Data to PostKnock and to send mail, place calls, or send emails to those recipients. This includes consents required under the Telephone Consumer Protection Act (TCPA), state mini-TCPA statutes, federal and state Do-Not-Call lists, state wiretap and "CIPA-style" laws, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other state consumer-privacy statutes (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas DPDPA, and similar). PostKnock does not verify consent on the Tenant's behalf. PostKnock processes Customer Data only to provide the service the Tenant has requested and does not sell Customer Data or use it for our own marketing.

3a. Permitted Customer Data & Healthcare Use

PostKnock is widely used by healthcare practices for routine direct-mail and follow-up marketing. The Customer Data needed to run a typical PostKnock campaign is basic contact data — name, mailing address, phone number, email address, and non-sensitive Tenant-assigned identifiers — not Protected Health Information (PHI). Most healthcare-practice marketing falls within HIPAA's permitted-marketing and treatment/healthcare-operations communication exceptions (45 CFR 164.501 / 164.508), which generally do not require a Business Associate Agreement.

To keep usage of the Service simple and compliant, Tenants should not upload health information that would constitute PHI under HIPAA when combined with an identifier (diagnoses, conditions, treatments, medications, procedures, lab results, appointment reasons, or health-related descriptors), payment card data, Social Security numbers, government-issued identifiers, information about minors under 13, biometric identifiers, precise geolocation, or other "sensitive personal information" as defined under applicable state privacy laws.

PostKnock does not act as a Business Associate. Because the Service is not designed to receive or store PHI, PostKnock does not enter into Business Associate Agreements. Tenants whose intended use requires a Business Associate should use a HIPAA-covered vendor for that use case. PostKnock does not scan, scrub, or monitor uploaded data for prohibited content; the Tenant is solely responsible for what it uploads. See the Terms of Service for the full statement of permitted data, the no-BAA position, and indemnification.

3b. Tracking & Recipient Disclosure

The Service generates unique QR codes and tracked URLs (e.g., postk.co redirects) and captures device type, browser, IP address, timestamp, and approximate location associated with each scan or click, which are reported back to the Tenant as engagement analytics. The Tenant is responsible for ensuring its own privacy policy and consumer notices accurately disclose the use of these tracking technologies and that it has all rights and permissions necessary to track engagement under applicable law (including state wiretap and "CIPA-style" statutes). PostKnock displays its own privacy notice on tracking redirect pages, but does not represent that this notice satisfies the Tenant's disclosure obligations to its contacts.

4. Marketing-Site Data

When you submit a form on our marketing website we collect your name, business name, email, optional phone number, industry, and any message you provide. Form submissions are handled by a third-party form processor. We use this information solely to respond to your inquiry and follow up on your request. Our marketing site does not use tracking cookies or third-party analytics.

5. How We Use Information

We use the information we collect to:

6. Service Providers

We use third-party service providers to deliver the Service. We share with each provider only the information it needs to perform its function, under contractual obligations to protect your data. The categories of service providers we use are:

Authentication and identity management are handled by software we operate and manage ourselves — your credentials are not shared with a third-party identity provider.

We do not sell your personal information and we do not share it with third parties for their own marketing purposes. We may disclose personal information where required by law, subpoena, or court order.

7. Data Retention

We preserve your data on cancellation. Unlike some competitors, if you cancel your PostKnock subscription we do not automatically delete your campaigns, contacts, designs, or wallet balance — they remain available if you reactivate your account. This is a deliberate design choice: your marketing history should survive a billing lapse.

You may request deletion of your account and all associated Tenant Account Data and Customer Data at any time by emailing privacy@postknock.com. We will complete deletion within 45 days of a verified request, except for records we are required to retain by law (tax, fraud prevention, legal hold) or that exist solely in standard backup media subject to routine rotation. Deletion is irreversible and will also remove any unspent wallet balance and promotional credits.

8. Your Rights (Including California)

Depending on your jurisdiction you may have the right to access, correct, export, or delete personal information we hold about you, and to object to or restrict certain processing. California residents have additional rights under the CCPA/CPRA, including the right to know the categories of personal information we collect and the categories of service providers we share it with (see Section 6 above), the right to request deletion, and the right not to be discriminated against for exercising these rights. To exercise any of these rights, contact privacy@postknock.com. We will respond within the timeframes required by applicable law.

If you are a recipient whose information was uploaded to PostKnock by a Tenant, your request should be directed first to the Tenant who controls that data. We will assist the Tenant in responding to your request as required by law.

9. Security

We take reasonable technical and organizational measures to protect personal information, including:

No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you and applicable regulators as required by law.

10. Cookies & Tracking

Marketing website: no tracking cookies, no third-party analytics, no advertising pixels.

Application: PostKnock's web app uses browser storage (localStorage and sessionStorage) to hold your access and refresh tokens and short-lived UI state (for example, a toast after signup). Our product-analytics and session-replay provider sets a first-party identifier in browser storage to group events from the same browser session; this identifier is opaque and is not linked to your name, email, or tenant identity, and is not used for advertising or cross-site tracking. We do not use third-party advertising or cross-site tracking cookies. A bot-defense challenge on signup may set a short-lived challenge cookie for that purpose.

11. Children

The Service is intended for business users aged 18 or older. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact privacy@postknock.com and we will delete it.

12. International Transfers

PostKnock is based in the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, stored in, and processed in the United States. Our subprocessors may also process data in jurisdictions other than your own. Where required by law, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) with subprocessors.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notification at least 30 days in advance. The "Last updated" date at the top reflects the current version.

14. Contact

Questions about this Privacy Policy or your data? Contact us at privacy@postknock.com.