We collect the bare minimum to make the product work.

Hetzmarkt is an online marketing automation platform operated by Routbox Inc., a Delaware corporation (the “Company,” “we,” “our,” or “us”). You can reach us at privacy@hetzmarkt.com.

• Account data: your email address, which is stored by our authentication provider (Supabase) and used to sign you in via one-time code.
• Workspace data: brand profile details you enter (name, audience, voice, color palette, banned words, required phrases, product catalog), the posts you generate, edit, schedule, and publish, and any images you upload or that we generate on your behalf.
• Connected accounts: when you connect a social network (X, LinkedIn, Facebook, Instagram, YouTube), we receive an OAuth access token (and sometimes a refresh token) from that platform. We never receive your password.
• Usage telemetry: minimal technical logs (timing, error counters) used to keep the system running. We do not run third-party advertising trackers.

• We do not sell, rent, or share your data with advertisers.
• We do not train AI models on your content. Text generation runs on infrastructure we control; image generation runs through Cloudflare Workers AI, which has its own no-training policy on inference traffic.
• We do not store your social-network passwords. OAuth tokens are the only credential we hold, and they are encrypted at rest with per-tenant scoping.

Your data is used solely to deliver and improve the product: generating posts in your voice, scheduling and publishing them to the accounts you've connected, surfacing them back to you in the dashboard, and processing your subscription if applicable.

• Database: Supabase (Postgres) in the AWS US-West-1 region. Every tenant-scoped table enforces row-level security, so one customer's data is not visible to another.
• Object storage: Cloudflare R2, with object keys prefixed by tenant id.
• AI inference: text on hardware we operate; images via Cloudflare Workers AI scoped to our Cloudflare account.
• Edge runtime: Cloudflare Workers globally distributed; ephemeral, no persistent storage.

All traffic to Hetzmarkt is served over HTTPS (TLS 1.2+). OAuth tokens for connected social accounts are encrypted at rest using AES-256-GCM with a key we hold separately from the database. Database backups are encrypted by Supabase by default.

To operate the service we rely on these providers:

• Supabase — authentication and database
• Cloudflare — Workers, Workers AI, R2 storage, Tunnel, DNS, edge CDN
• Social platforms you connect — X, LinkedIn, Meta (Facebook + Instagram), Google (YouTube). We send them only what's necessary to publish on your behalf.

Each provider has its own data-processing terms. We do not pass your data to any other third party.

You can request export or deletion of all data associated with your tenant at any time by emailing privacy@hetzmarkt.com. We will complete deletion within 30 days, except where retention is required to comply with law or to enforce our agreements.

If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under GDPR / UK GDPR / CCPA (right to access, rectify, port, restrict, or object). The contact above is the address to exercise them.

Hetzmarkt is not directed to children under 16, and we do not knowingly collect data from them.

We may update this policy as the product evolves. Material changes will be announced in-app and by email to active users.