Privacy Policy

PostMe (postme.dev) is a form-to-email service for static sites and simple HTML forms. We receive form submissions, deliver them to the inbox you specify, and keep only what we need to operate the service, prevent abuse, and enforce usage limits.

Depending on how you interact with PostMe, we may process:

• Recipient email address — the inbox you register when creating a form endpoint, used for confirmation and delivery.
• Form field contents — names, messages, and other fields submitted through your form, forwarded to you by email.
• Technical metadata — such as timestamps, whether a notification was sent, and optional form configuration (subject line, redirect URLs, etc.).
• Network information — IP addresses used for rate limiting, abuse prevention, and confirmation-email throttling.
• Usage counts — per-endpoint, per-email-domain, and per-IP counters to enforce free-tier and anti-abuse limits.

We do not require account passwords today. Endpoint setup is tied to email confirmation: the first submission to a new address triggers a verification link sent to that inbox.

• Deliver form submissions to the confirmed recipient inbox.
• Send one-time (or occasional) confirmation emails when an endpoint is first used.
• Enforce monthly sending limits, rate limits, and spam protections such as honeypot fields.
• Operate, secure, and improve the service — including debugging delivery issues and monitoring for abuse.

We do not sell your personal information. We do not use form submission content for advertising profiles.

If you are in the European Economic Area or United Kingdom, we rely on: performance of a contract (providing the service you request); legitimate interests (security, abuse prevention, and service improvement); and consent where applicable (for example, when you voluntarily submit a form on a third-party site that uses PostMe).

We use trusted infrastructure partners to run PostMe. They process data on our behalf and only as needed to provide the service:

• Convex — application database and serverless backend hosting.
• Resend — transactional email delivery (confirmations and submission notifications).
• Vercel — website and API edge hosting for the public site and form endpoints.

These providers may process data in the United States or other countries. We choose vendors with appropriate safeguards for production use.

We retain endpoint records, submission records, and usage counters for as long as needed to operate the service, comply with law, resolve disputes, and enforce limits. We may delete or anonymize older data when it is no longer required for these purposes.

We use industry-standard measures including encrypted transport (HTTPS), hashed verification tokens, rate limiting, and access controls on production systems. No method of transmission or storage is 100% secure; please use unique endpoints and monitor your inbox for unexpected traffic.

Depending on where you live, you may have rights to access, correct, delete, or export personal data, or to object to certain processing. To make a request, email hi@postme.dev from the address concerned or describe the endpoint in question. We may need to verify your control of the inbox before acting on endpoint-related requests.

If you submitted a form on someone else's website, contact that site owner first — they control the form and how your message is used.

PostMe is not directed at children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children.

We may update this policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes may also be communicated by email or a site notice where appropriate.

Questions about privacy: hi@postme.dev. Website: https://www.postme.dev.