Effective date: 1 July 2026
Inkrush ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect when you use the Inkrush platform at app.inkrush.io, why we collect it, how we use and store it, and what rights you have over your information. This policy applies to all users of the Inkrush service and is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy is made freely available in accordance with APP 1.
Inkrush is a software-as-a-service platform operated by Brenton Ferguson (ABN 58 845 467 205), trading as Inkrush, an Individual/Sole Trader registered in Queensland, Australia. Our contact for all privacy-related matters is support@inkrush.io. If you have any questions about this policy or how we handle your personal information, please contact us at that address.
We only collect personal information that is reasonably necessary to provide the Inkrush service and to comply with our legal obligations. Specifically:
When you register for an account, we collect your full name and email address. When you subscribe to a paid plan, we collect payment information through our payment processor Stripe; Inkrush itself does not store your credit card number or full payment details — only a Stripe Customer ID and your subscription status. When you connect your social media accounts to Inkrush, we collect and store access tokens, refresh tokens, and associated account identifiers (such as your Facebook Page ID, Instagram Business Account ID, LinkedIn Profile ID, YouTube Channel ID, or TikTok open_id) issued by those platforms. We collect the content you create within Inkrush, including post captions, scheduled post metadata, uploaded media files, and workspace settings. We automatically collect certain technical data including your IP address, browser type, operating system, referring URL, and usage activity such as pages visited and features used. We do not collect sensitive information as defined under the Privacy Act (such as health, racial or ethnic origin, religious beliefs, or biometric data) beyond what is necessary to process your subscription payment.
We collect and use your personal information to provide, operate, and improve the Inkrush service. Specifically: we use your name and email to create and maintain your account and to communicate with you about your subscription; we use your payment information to process subscription charges through Stripe; we use your social media tokens to post content on your behalf to the platforms you have connected; we use usage data to understand how the product is used, to fix bugs, and to improve features; and we may use your email address to send you transactional messages such as password resets, billing receipts, and important service announcements. We will not send you marketing emails without your explicit consent, and you may opt out at any time as described in Section 13.
We do not sell your personal information to any third party, ever.
We share your information with the following service providers only to the extent necessary to operate the platform:
Stripe processes subscription payments on our behalf. When you subscribe to a plan, your payment details are handled directly by Stripe under their own privacy policy. We store only your Stripe Customer ID and subscription status. Stripe is based in the United States and Ireland and operates under PCI-DSS compliance standards.
OpenAI provides our AI features including caption generation (GPT-4o), image generation (DALL-E 3), and voice generation (Text-to-Speech). When you use any of these features, the prompts and context you provide are sent to OpenAI's API. We do not send personally identifiable information to OpenAI beyond what you explicitly include in your request. OpenAI is based in the United States. By default, OpenAI does not use content submitted through its API to train or improve its AI models. For more information, see OpenAI's privacy policy at openai.com/policies/privacy-policy.
Meta (Facebook and Instagram), LinkedIn, TikTok, YouTube (Google), and other connected social platforms receive the content you schedule through Inkrush when posts are published to those platforms via their respective APIs. When you connect a social media account, the access token and account identifier for that platform are stored to enable posting on your behalf. Data received from these platforms via their APIs is used solely to provide the Inkrush service and is not used for any purpose beyond what was disclosed to those platforms during our API access application.
Hostinger provides the virtual private server (VPS) infrastructure on which Inkrush is hosted. Hostinger's servers are located in Southeast Asia (Malaysia and/or Singapore). All core account data, post history, and uploaded media are stored on this infrastructure. This constitutes an overseas disclosure under APP 8 — see Section 12 for details.
We may disclose your information if required to do so by law, or in response to a valid request by a government or law enforcement authority in accordance with applicable law.
If you use Inkrush's Email Campaigns feature, you may upload or collect email addresses belonging to third-party individuals (your subscribers). By uploading subscriber data to Inkrush, you represent and warrant that you have obtained valid consent from those individuals to receive email communications from you, and that your use of their data complies with the Australian Spam Act 2003 and the Australian Privacy Principles.
Inkrush stores subscriber email addresses and campaign engagement data (such as open and click events) on your behalf as a data processor. We do not use your subscribers' data for any purpose other than delivering the email campaigns you create. You remain the data controller for your subscriber lists and are responsible for honouring unsubscribe requests within five (5) business days and responding to any privacy requests made by your subscribers.
Your data is stored on a virtual private server (VPS) hosted by Hostinger, with servers located in Southeast Asia (Malaysia and/or Singapore). Uploaded media files are stored on the same server infrastructure. Hostinger is subject to the data protection laws of its server locations, including Singapore's Personal Data Protection Act 2012 (PDPA), and operates under its own privacy policy and data processing commitments. Because your data is hosted outside Australia, this constitutes a cross-border disclosure as described in Section 12 of this policy.
We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, loss, misuse, or disclosure. These measures include: encrypted HTTPS connections for all data in transit; passwords stored using industry-standard one-way hashing algorithms (bcrypt); access controls that limit who within Inkrush can access production systems and databases; and firewall and server hardening configurations on our VPS. While we take reasonable steps to protect your data, no system is completely secure and we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at support@inkrush.io.
We retain your account data for as long as your account is active. If you delete your account, we will permanently delete your personal information, uploaded media, connected account tokens, and post history within 30 days of the deletion request, except where retention is required by law. For example, certain billing records may be retained for up to seven (7) years for taxation and accounting purposes. Once data is deleted, it cannot be recovered.
Under the Australian Privacy Act, you have the right to: request access to the personal information we hold about you; request corrections to inaccurate or incomplete data; request the deletion of your data in accordance with our retention policy; and lodge a complaint about how we have handled your personal information.
To exercise any of these rights, please email us at support@inkrush.io. We will respond to all access and correction requests within 30 days. In some circumstances, we may be unable to provide access to certain information — for example, where providing access would reveal personal information about another person, where the information is subject to legal professional privilege, or where we are required by law to withhold it. If we refuse access to or correction of your information, we will tell you the reason for the refusal and how you may complain about the decision.
If you are not satisfied with our handling of your request, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Australian Privacy Principle 2 (APP 2) requires that we allow individuals to interact with us anonymously or by pseudonym where practicable. Due to the nature of the Inkrush service — which requires a verified account to connect social media platforms, schedule posts, and manage client workspaces — it is not practicable to provide these core services to anonymous or pseudonymous users. Accordingly, we require users to register with their real name and a valid email address. Where you contact us with a general enquiry and do not wish to identify yourself, we will accommodate this to the extent possible.
Inkrush is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@inkrush.io and we will delete that information promptly.
Inkrush uses OpenAI's APIs to power several AI features including AI caption generation (GPT-4o), AI image generation (DALL-E 3), and AI voice generation (Text-to-Speech). When you use these features, the prompts and context you provide are sent to OpenAI's API to generate results. We do not send personally identifiable information to OpenAI beyond what you explicitly include in your request. OpenAI's API, by default, does not use content submitted via API calls to train or improve OpenAI's AI models — your prompts and outputs are not used for OpenAI's model training. Inkrush itself also does not use your content to train any AI model.
AI-generated content is provided as a starting point and may not always be accurate, appropriate, or suitable for your intended audience. You remain responsible for reviewing and approving any AI-generated content before it is published. Generated images and audio files are saved to your media library on our servers and are accessible only to you within your workspace.
Some of the service providers we share your information with are based outside of Australia. Under Australian Privacy Principle 8 (APP 8), before disclosing your personal information to an overseas recipient, we are required to take reasonable steps to ensure that the recipient handles your information in a manner consistent with the Australian Privacy Principles, or to obtain your informed consent to the overseas disclosure.
OpenAI is based in the United States. When you use AI-powered features, the prompts you provide are sent to OpenAI's API servers in the US. OpenAI commits to handling personal data in accordance with applicable US privacy law and its enterprise data processing terms. By creating an account and using Inkrush's AI features, you consent to this transfer of your prompts and related data to OpenAI in the United States.
Stripe is based in the United States and Ireland. Your payment information is processed by Stripe's servers. Stripe operates under PCI-DSS Level 1 compliance standards and its own privacy policy and data processing agreements. By subscribing to a paid plan, you consent to this transfer of your payment information to Stripe.
Meta (Facebook/Instagram), LinkedIn, TikTok, and Google/YouTube are based in the United States and operate globally. When content is published to these platforms on your behalf, it is transmitted to and processed by their servers, which may be located outside Australia. Your use of the social media connection features constitutes consent to this transfer.
Hostinger hosts all Inkrush infrastructure on servers located in Southeast Asia (Malaysia and/or Singapore). This means your core account data, post history, uploaded media, and social media tokens are all stored outside Australia. Hostinger operates under applicable local data protection law including Singapore's Personal Data Protection Act 2012 (PDPA), and is subject to contractual data processing obligations. By creating an account with Inkrush, you consent to your personal information being stored and processed on Hostinger's servers in Southeast Asia.
We will not use your personal information for direct marketing without your explicit consent. Where you have opted in to receive marketing communications from Inkrush (for example, by ticking a marketing consent checkbox during signup or in your account settings), we may send you product updates, feature announcements, and promotional content.
You may opt out of marketing communications at any time by: clicking the "unsubscribe" link in any marketing email; or emailing support@inkrush.io with your opt-out request. We will process opt-out requests within five (5) business days. Opting out of marketing communications will not affect transactional messages such as billing receipts, password resets, subscription notices, or important service communications, which are necessary for the operation of your account.
Inkrush uses automated systems to power certain features of the platform. These include AI caption generation, AI image generation, and AI voice generation — all of which use automated processing to produce suggested outputs based on the prompts and context you provide. These features assist you in creating content but do not make decisions that significantly affect your rights, entitlements, or obligations in an automated way without your direct involvement. You always review and control what is published from your account.
Our subscription management system uses automated billing logic to process subscription renewals, trial expirations, and AI credit usage limits. This system makes decisions based on your account status and the information you have provided. If you believe an automated billing or account decision is incorrect, please contact us at support@inkrush.io so we can review it manually.
Inkrush uses session cookies to keep you logged in while you use the app. These are essential cookies and are deleted when you close your browser or log out. We do not use third-party tracking cookies, advertising pixels, or behavioural analytics cookies. For more detail, see our Cookie Policy.
We take data security seriously and have procedures in place to detect, investigate, and respond to suspected data breaches. Under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth), we are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about an "eligible data breach."
An eligible data breach occurs when: (a) there is unauthorised access to, unauthorised disclosure of, or loss of personal information we hold; (b) this is likely to result in serious harm to one or more individuals whose information is involved; and (c) we have not been able to prevent the likely risk of serious harm through remedial action.
When we become aware of a suspected eligible data breach, we will assess the situation within 30 days to determine whether it constitutes an eligible data breach under the Act. If it does, we will notify affected individuals as soon as practicable. Our notification to affected individuals will include: the identity and contact details of Inkrush; a description of the breach; the kinds of personal information involved; and recommendations for steps affected individuals should take to protect themselves.
If a data breach occurs involving a third-party service provider (such as our hosting provider or a payment processor), we will work with that provider to assess and respond to the breach and will fulfil our NDB obligations in relation to any personal information we are responsible for.
Inkrush is an Australian service and our legal compliance framework is primarily based on Australian privacy law. If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with its own data protection laws (such as the EU General Data Protection Regulation — GDPR), you may have additional rights under that legislation.
If you are an EEA or UK user, you have the right to: access your personal data; rectify inaccurate data; request erasure of your data ("right to be forgotten"); restrict or object to processing; and data portability. You may also have the right to lodge a complaint with your local data protection authority. Our lawful basis for processing personal data of EEA/UK users is: performance of a contract (to provide the service you signed up for); compliance with legal obligations; and, where required, your consent. If you require a Data Processing Agreement (DPA) for GDPR compliance purposes, please contact us at support@inkrush.io to request one.
If you are located outside Australia and have questions about whether and how your local data protection laws apply to your use of Inkrush, please contact us at support@inkrush.io.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice within the Inkrush app at least 30 days before the change takes effect. Your continued use of Inkrush after the effective date of any change constitutes your acceptance of the updated policy. If you do not agree with a material change, you may close your account before it takes effect.
If you have any questions about this Privacy Policy or how we handle your personal information, please contact us at support@inkrush.io. We aim to respond to all privacy enquiries within 30 days.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992.