Privacy Policy
Effective Date: 15 March 2026 · Last Updated: 15 March 2026
1. Introduction
Welcome to Obelisk Stamps ("we", "us", "our"), operated at obelisk-stamps.com. We are committed to protecting your privacy and ensuring that your personal data is handled securely and responsibly. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding that data.
By using our website or services you agree to the practices described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Information You Provide Directly
- Account & Profile Information: Name, email address, and profile picture when you sign in via Google OAuth.
- Contact Information: Name, email address, and message content submitted through our contact form.
- Order Information: Shipping address, purchase details, and transaction records when you make a purchase.
- User-Generated Content: Any content you provide when interacting with our AI tools (e.g., stamp images uploaded for identification).
2.2 Information Collected Automatically
- Usage Data: IP address, browser type, operating system, referring URL, pages visited, and timestamps.
- Cookies & Similar Technologies: Session cookies for authentication and preferences. See Section 8 for details.
- Device Information: Screen resolution, device type, and language settings.
2.3 Information from Third-Party Services
- Google OAuth: When you sign in with Google, we receive your name, email address, and profile picture as authorised by you during the consent flow.
- Meta Platform (Facebook & Instagram): When an administrator connects a Facebook Page or Instagram Business Account, we receive and store Page Access Tokens to publish content on behalf of the Page. We do not access personal Facebook or Instagram user data of visitors or followers. See Section 5 for full details.
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: To operate the website, process orders, respond to enquiries, and provide our stamp identification and collection management tools.
- Authentication: To verify your identity via Google OAuth and manage your account session.
- Social Media Publishing: To publish content (images, videos, captions) to connected Facebook Pages and Instagram Business Accounts on behalf of authorised administrators. We only post content that the administrator explicitly creates and approves within our admin panel.
- AI-Powered Features: To generate carousel images, cinemagraph animations, narrated videos, captions, and stamp identification results using third-party AI services (OpenAI, Google, Luma).
- Analytics & Improvement: To understand how our website is used and improve functionality and user experience.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
- Marketing: To send promotional emails only if you have explicitly opted in to receive them.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
- Consent: Where you have given clear consent (e.g., marketing emails, connecting social media accounts).
- Contract: Where processing is necessary to fulfil a purchase or provide a requested service.
- Legitimate Interest: Where processing is necessary for our legitimate business interests (e.g., analytics, security), provided those interests are not overridden by your rights.
- Legal Obligation: Where processing is required to comply with applicable law.
5. Meta Platform Data (Facebook & Instagram)
Our application integrates with the Meta Platform (Facebook and Instagram) to enable administrators to publish content directly from our admin panel. This section describes exactly how we handle Meta Platform Data.
5.1 What Meta Data We Access
- Page Access Tokens: Long-lived tokens that allow us to publish posts, photos, and videos to a specific Facebook Page on behalf of the Page administrator.
- Page ID: The numeric identifier of the connected Facebook Page.
- Post IDs & Permalinks: Identifiers and URLs of posts we create, used to track, edit, or delete published content.
- Instagram Business Account ID & Media IDs: Identifiers used to publish carousel posts, reels, and stories to the connected Instagram account.
5.2 What Meta Data We Do NOT Access
- We do not access, collect, or store personal data of Facebook or Instagram users, followers, or visitors.
- We do not read private messages, comments, likes, or engagement metrics from followers.
- We do not access friend lists, photos, or any personal content from user profiles.
- We do not build user profiles or create advertising audiences from Meta Platform Data.
- We do not sell, license, or transfer Meta Platform Data to any third party.
5.3 How We Use Meta Data
We use Meta Platform Data solely for the following purposes:
- Publishing photo posts, video posts, and carousel posts to connected Facebook Pages.
- Publishing carousel posts, reels, and stories to connected Instagram Business Accounts.
- Editing captions of published posts.
- Checking whether a published post is still live.
- Deleting posts from Facebook or Instagram when requested by the administrator.
- Maintaining an internal activity log of posting actions for the administrator's reference.
5.4 Storage & Security of Meta Data
- Page Access Tokens are stored as encrypted environment variables on our hosting platform (Google Cloud Run) and are never exposed in client-side code, URLs, or logs.
- Post IDs and permalinks are stored in our database solely to enable post management (editing, archiving, deleting).
- We retain Meta Platform Data only as long as the Facebook Page or Instagram Account remains connected. When disconnected, all associated tokens and post records are deleted.
5.5 Meta Data Deletion
You may request deletion of all Meta Platform Data we hold by contacting us at the email address in Section 13. Upon receiving a verified request, we will delete all stored tokens, post records, and activity logs associated with your Facebook Page or Instagram Account within 30 days.
6. Third-Party Services & Data Processors
We use the following third-party services to operate our platform. Each service only receives the minimum data necessary to perform its function:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform | Hosting, storage, authentication | All application data (encrypted at rest and in transit) |
| Meta Platform (Facebook/Instagram) | Social media publishing | Page tokens, post content (images, videos, captions) |
| OpenAI | AI image generation, caption writing, content analysis | Article text, image prompts, stamp images for identification |
| Luma AI | Cinemagraph video generation | Source images for animation |
| YouTube (Google) | Video publishing | Video files, titles, descriptions |
| GitHub | Source code hosting, CI/CD | Application source code, deployment configuration |
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
7. Data Protection & Security
We implement industry-standard security measures including:
- Encryption in Transit: All data is transmitted over HTTPS/TLS.
- Encryption at Rest: Database and cloud storage use encryption at rest.
- Access Control: Administrative access is restricted via Google OAuth with role-based permissions. Only authorised administrators can access the admin panel.
- Token Security: API tokens (Meta, OpenAI, YouTube) are stored as environment variables on the server, never in client-side code or version control.
- Regular Updates: We keep our dependencies and infrastructure updated to address known security vulnerabilities.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Cookies & Tracking Technologies
We use the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Essential | Maintains your login session | Browser session |
| Currency preference | Functional | Remembers your selected currency | 1 year |
We do not use third-party advertising cookies or tracking pixels. You can disable cookies in your browser settings, but this may affect website functionality (e.g., you will not be able to stay logged in).
9. Data Retention
- Account Data: Retained as long as your account is active. Deleted within 30 days of an account deletion request.
- Order Data: Retained for 6 years to comply with UK tax and accounting regulations.
- Contact Form Submissions: Retained for up to 2 years, then deleted.
- Social Media Post Records: Retained until the administrator archives or deletes them, or until the connected account is disconnected.
- AI-Generated Content: Retained as long as the associated article exists. Deleted when the article is deleted.
- Server Logs: Retained for up to 30 days for debugging purposes.
10. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we limit how we process your data.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us using the details in Section 13. We will respond within 30 days.
11. Children's Privacy
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us:
- Email: info@obelisk-stamps.com
- Website: obelisk-stamps.com