Legal

Privacy Policy

Last updated: June 1, 2026  ·  Effective: June 1, 2026

1. Overview

Blog CMS ("we", "us", or "our") is committed to protecting the personal information of our users and the readers who interact with content published through our platform. This Privacy Policy explains what data we collect, how we use it, and what rights you have.

In short: We collect the minimum data needed to operate the service. We do not sell your data. You can request deletion at any time.

2. Information We Collect

Account information: When an administrator creates an account for you, we store your name, email address, hashed password, and role assignment.

Content data: Posts, media files, categories, and other content you create through the Service are stored in your company's isolated database.

Usage data: We may collect server logs including IP addresses, request timestamps, HTTP method and path, and response codes for security and debugging purposes.

Session data: We use server-side sessions stored in our database to maintain your logged-in state. Session tokens are stored in a secure, HTTP-only cookie.

We do not collect payment card details directly; billing is handled by third-party processors who maintain their own privacy policies.

3. How We Use Information

  • To authenticate you and maintain your session
  • To operate, maintain, and improve the Service
  • To send transactional emails (password resets, 2FA codes)
  • To detect, investigate, and prevent abuse or security incidents
  • To respond to your support requests
  • To comply with legal obligations

We do not use your content to train machine learning models. We do not sell or rent your personal information to third parties.

4. Sharing & Disclosure

We may share your information with:

  • Infrastructure providers: Cloud hosting, database, and storage services that process data on our behalf under data processing agreements
  • Email providers: To deliver transactional messages you request (e.g., password resets)
  • Law enforcement: When required by valid legal process or to protect the safety of our users

We will notify you of any third-party data sharing requests where permitted by law.

5. Data Storage & Security

Your data is stored on PostgreSQL databases hosted on AWS. Each company workspace has its own isolated database to prevent cross-tenant data access.

We implement industry-standard security measures including:

  • Passwords hashed using bcrypt with appropriate cost factors
  • HTTPS enforced for all connections in production
  • HTTP-only, SameSite cookies for session management
  • Content Security Policy (CSP) headers on all pages
  • Rate limiting on authentication endpoints
  • Two-factor authentication support

No method of transmission or storage is 100% secure. We encourage users to use strong passwords and enable 2FA.

6. Data Retention

We retain your account data for as long as your account is active. Server logs are retained for up to 90 days. Session records expire after 12 hours of inactivity.

When an account or company workspace is terminated, content data is retained for 30 days to allow data export, after which it is permanently deleted from our systems.

7. Cookies

We use a single session cookie to maintain your authenticated state in the admin panel. This cookie is:

  • HTTP-only (not accessible to JavaScript)
  • Scoped to this domain only
  • Expires after 12 hours
  • Marked Secure in production environments

We also store a theme preference (cms-theme) in localStorage to remember your light/dark mode choice. This is not a cookie and is not transmitted to our servers.

We do not use tracking, advertising, or analytics cookies.

8. Your Rights

Depending on your location, you may have rights including:

  • Access: Request a copy of the data we hold about you
  • Rectification: Correct inaccurate personal information
  • Erasure: Request deletion of your account and associated data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to certain processing activities

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will revise the "Last updated" date at the top and, for material changes, notify you by email or prominent in-app notice.

Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

11. Contact

For privacy-related questions, requests, or concerns, please contact us at [email protected] or through our contact page.