Last updated: 23 May 2026
PostSpy is built around a simple idea: you tell us what you're watching for, and we tell you when something matches. We collect the least amount of data we can to make that work, we don't sell it, and we don't keep it longer than we have to. The detail is below.
PostSpy analyzes content already loaded during your active, authenticated browsing sessions in your own Chrome browser. It does not perform hidden background browsing or unattended web automation on platforms whose terms disallow it.
Per-platform behaviour:
The scheduler always honours: ±30% cadence jitter, a 4-minute minimum gap per page, a 150-page-load daily ceiling, an optional sleep window, automatic pause-when-you're-actively-browsing-the-same-site, and the Chrome idle / locked state.
We refer to these two behaviours as Scroll Mode (the high-friction surfaces — LinkedIn, X, Instagram, Threads, Facebook main feed) and Watch Mode (the lower-friction marketplace, job-board, classifieds, Reddit, community-group surfaces). The mode for any given page is determined automatically by the policy table built into the extension; you can see which mode applies to any spy from the spy edit drawer in your dashboard.
Just-in-time TOS classification: when a user adds a spy on a host PostSpy hasn't seen before, our server reads that host's terms of service and an AI classifier slots the host into the right mode. The result — host, tier, reasoning, and the date we read the terms — is cached for 7 days then re-checked weekly. Every classification we've ever made is publicly visible at postspy.ai/policies. We never store the raw terms-of-service body, only its sha256 hash (used to skip a re-classification when the page hasn't changed) and the AI's one-paragraph reasoning. If you believe a host's classification is wrong, email hello@postspy.ai and we'll re-classify on request.
"PostSpy", "we", "us", or "our" refers to the operator of the PostSpy Chrome extension and the website at postspy.ai. If you need to reach us, email hello@postspy.ai.
When you sign in to PostSpy with your email address, we create an account record containing:
We use a hosted authentication service (Supabase) to issue and verify the magic-link sign-in. We do not handle or store passwords.
For each page you choose to watch, we store:
The natural-language description of what you're looking for, the AI prompt embedding, and the keyword hints derived from your chat are stored locally on your computer (in your browser's IndexedDB), not on our servers. We need the URL on the server to enforce per-tier limits and to refresh your watch when your browser isn't running.
When a post on a watched page matches your saved search, PostSpy stores a record of that match consisting of: the AI-generated summary describing the post (our own words, not a copy of the original), the URL back to the source post, the source site name, the match score and intent classification, and a timestamp. This record is stored both on our servers (so your dashboard works from any device) and cached in your browser for offline access.
We do not store the original post text, screenshots, images, or any other content from the source site. The original text is sent to our AI model at the moment of matching and discarded immediately afterwards.
Match records older than 28 days are automatically deleted from both the server and your browser.
To enforce per-plan limits and bill correctly, we record metered usage on our servers: how many AI matching calls and emails we sent for your account each day, including the small AI model token counts used to compute precise cost. We do not record the content of those calls — only the counts and costs.
When PostSpy needs to decide whether a candidate post on one of your watched pages matches your saved search, it sends two things to Anthropic, our AI provider: (a) your watch description and (b) a short text excerpt from the candidate post (up to roughly 4,000 characters). Anthropic returns a yes/no decision plus a short summary written in our voice. That summary is the only thing PostSpy retains — the original post text is discarded as soon as the AI response is received. Anthropic's own data handling is governed by their privacy policy and their commercial API terms; under those terms, content submitted via the API is not used to train their models.
The PostSpy website uses cookies and local storage only to keep you signed in across page loads. We do not run advertising trackers, analytics that profile individual users, or third-party social pixels on our site.
We use the information described above to:
We share data with a small set of service providers, each only as needed to operate PostSpy:
We do not sell your personal information. We do not share it with advertisers, data brokers, or analytics platforms that build cross-site profiles. We will only disclose information to a third party outside of the providers above if we are legally required to (for example, in response to a valid subpoena).
You can, at any time:
Depending on where you live, you may have additional rights under laws such as the EU GDPR, UK GDPR, the Australian Privacy Act, or the California Consumer Privacy Act, including the right to access, correct, or restrict processing of your personal information. We honour all reasonable requests to exercise these rights.
We use standard industry practices to protect your data: all traffic to and from postspy.ai is encrypted in transit (HTTPS), authentication is handled by a managed service that issues short-lived tokens, and access to our production database is restricted to a small number of authorised individuals. No system is perfectly secure; if we ever experience a data breach affecting your information, we'll notify you promptly.
PostSpy is operated from Australia. Our service providers (Supabase, Anthropic, Resend, Stripe, Netlify) operate globally and may process your data in regions including the United States, Europe, or Asia. When data is transferred internationally, it remains subject to this Privacy Policy and to those providers' own privacy commitments.
PostSpy is not intended for children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with information, please contact us so we can remove it.
We may update this policy from time to time as the service evolves. Material changes will be announced via email to the address on your account at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Questions, requests, or concerns about this policy or how we handle your data: hello@postspy.ai.