Privacy

Privacy policy.

Last updated: 10 May 2026 · Effective: 10 May 2026

This is the privacy policy for ashtonvossai.com, operated by Ashton Voss (an Australian sole operator based in Brisbane, Queensland). It explains what personal information is collected, how it is used, who it is shared with, and your rights over it.

This policy is designed to comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), the EU General Data Protection Regulation (GDPR) for European visitors, and the US CAN-SPAM Act for American subscribers.

1. Who we are

Operator: Ashton Voss, sole operator, Brisbane, Australia.
Website: ashtonvossai.com
Contact: mail@ashtonvossai.com

2. What information we collect

2.1 Information you give us

When you subscribe to the VAA Weekly newsletter via the form on this site, we collect:

  • Your email address (required)
  • Your first name (optional)
  • The date and time of your subscription
  • The IP address used at the time of subscription (for double opt-in confirmation and anti-abuse purposes only)

2.2 Information collected automatically

This site does not use Google Analytics, Facebook Pixel, or any other third-party behavioural tracking. The site is hosted on Vercel, which collects standard server-level request logs (IP address, user agent, request path, timestamp) for security and infrastructure operations. These logs are not used for advertising or profiling.

Email opens and link clicks within the newsletter are tracked by our self-hosted email platform (Listmonk) for engagement and list-hygiene purposes. You can opt out of open tracking by disabling image loading in your email client.

3. How we use your information

We use the information you provide for one purpose: to send you the VAA Weekly newsletter and occasional related educational content that you explicitly subscribed to receive.

Specifically, we use your data to:

  • Send you the weekly newsletter you requested
  • Confirm your subscription via a double opt-in email
  • Process unsubscribe requests
  • Maintain list hygiene by removing inactive or bouncing addresses
  • Comply with legal obligations

We will never sell, rent, lease, share, or otherwise disclose your personal information to third parties for their own marketing or advertising purposes.

4. How you opt in

You only join the newsletter list by taking an explicit, affirmative action — either:

In both cases, a double opt-in confirmation email is sent before any further messages. You must click the confirmation link to be added to the active list.

We do not purchase, scrape, rent, append, or otherwise acquire email addresses from third parties.

5. How you opt out

Every email we send includes:

  • A one-click unsubscribe link in the footer
  • The List-Unsubscribe and List-Unsubscribe-Post email headers (RFC 8058) for one-click unsubscribe in Gmail, Yahoo, Apple Mail, and Outlook

Unsubscribes are processed immediately and permanently. You can also email mail@ashtonvossai.com at any time to be removed.

6. Subprocessors and third parties

We use the following third-party services to operate the newsletter and website. Each is bound by its own privacy commitments, which we have reviewed:

  • Vercel Inc. — website hosting (United States). Privacy policy.
  • Listmonk — self-hosted email list manager running on a DigitalOcean droplet in Sydney, Australia. Your subscription data lives in our own Postgres database on this server; it is not shared with any Listmonk-operated cloud.
  • DigitalOcean LLC — infrastructure provider hosting the Listmonk server (Sydney region). Privacy policy.
  • Amazon Web Services (Amazon SES) — email delivery transport (Sydney region, ap-southeast-2). Email addresses and message content pass through SES for delivery only. Privacy policy.

7. International data transfers

Your data is primarily stored in Sydney, Australia (Listmonk + AWS SES ap-southeast-2). Server logs from Vercel may be processed in the United States. Where data is transferred outside Australia or the EU, it is protected by the relevant provider's standard contractual clauses and data processing addenda.

8. Data retention

We keep your subscription data for as long as you remain subscribed. If you unsubscribe, your email address is moved to a suppression list and retained only to ensure we don't email you again — never for marketing. You can request full deletion (including from the suppression list) by emailing mail@ashtonvossai.com.

9. Your rights

Regardless of where you live, you have the right to:

  • Access the personal information we hold about you
  • Correct any inaccurate information
  • Delete your data ("right to erasure")
  • Object to processing or withdraw consent at any time
  • Export your data in a portable format
  • Lodge a complaint with the relevant authority (in Australia, the OAIC)

To exercise any of these rights, email mail@ashtonvossai.com. We respond within 30 days.

10. Security

We take reasonable steps to protect your information:

  • All site and API traffic is encrypted in transit via HTTPS (TLS 1.2+)
  • The Listmonk database is on a private server with restricted SSH access
  • API keys and credentials are stored in environment variables, never in source control
  • Bounce, complaint, and suppression handling is automated to prevent re-sending to disengaged addresses

11. Children's privacy

This site is not directed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has subscribed, please email us and we will delete the record immediately.

12. Social Poster app and Meta Platform integrations

This section covers the Social Poster app at poster.ashtonvossai.com, an internal single-tenant tool used by Ashton Voss to publish short-form video content to Instagram, YouTube, and TikTok and to manage automated comment-to-DM responses on Instagram. No third-party Instagram, YouTube, or TikTok user authenticates with this app — the only operator is Ashton Voss.

12.1 Why we list each platform integration

Meta, Google, and TikTok require operators of API-integrated applications to disclose what platform data is accessed, how it is used, and how long it is retained. The sections below set this out for each integration the Social Poster app uses.

12.2 Instagram (Meta Graph API) data

The app authenticates against a single Instagram Business account (@ashtonvossai) using the following OAuth scopes:

  • instagram_business_basic — read profile metadata (Instagram Business Account ID, username, display name, profile picture URL) on first connection so the operator can confirm the correct account is bound. Stored: locally on the operator's server in environment configuration.
  • instagram_business_content_publish — upload an MP4 video file from the operator's dashboard, create a Reels media container via Meta's Graph API, and publish it to the operator's own Instagram Business account. Content is original creator content owned by the operator.
  • instagram_business_manage_comments — receive webhook events for comments on the operator's own Instagram posts and, when a configured keyword automation matches, post a single short public reply on the comment (e.g. "Just DMed you"). The app does not edit, hide, or moderate other commenters' content.
  • instagram_business_manage_messages — send a single direct message to a user who has just commented on the operator's own post when the comment matches a configured keyword. Sent within Meta's standard 24-hour messaging window after the trigger event. The app does not initiate cold outreach, send broadcast messages, or message users who have not interacted with the operator's posts. Users are de-duplicated per (automation rule, igsid) so no user receives the same DM twice.

12.3 What Instagram data we store

For every comment that arrives via Meta's webhook (whether or not it matched a keyword automation), we record one row in a private SQLite database on the operator's server containing:

  • The Instagram comment ID
  • The Instagram media (post) ID the comment was left on
  • The commenter's Instagram-scoped user ID (igsid) and public username
  • The text of the comment
  • Whether a DM was dispatched in response, and any error from Meta if it failed
  • A unix timestamp

Outbound DMs are passed through Meta's Send API for delivery. We do not retain a copy of the DM content beyond a delivery-success/failure flag. We do not store inbound DMs from users (we do not handle inbound DMs at all).

12.4 YouTube (Google) data

The app authenticates against the operator's own YouTube channel via Google OAuth (scopes: youtube.upload, youtube) to upload short-form videos as YouTube Shorts and to read public statistics (views, likes, comments) for analytics on the operator's own videos. No third-party YouTube user data is accessed.

12.5 TikTok data

The app authenticates against the operator's own TikTok account via the TikTok Login Kit and Content Posting API (scopes: user.info.basic, video.upload, video.publish) to publish short-form videos. No third-party TikTok user data is accessed. The TikTok DM API is not exposed to third-party applications and the app does not interact with TikTok messaging.

12.6 Where this data lives

  • Operator's server — a DigitalOcean droplet in Sydney, Australia, accessible only by Ashton Voss. The SQLite database, environment-variable credentials, and uploaded clip files all live on this server.
  • Meta Platform — comment events transit through Meta's webhook infrastructure; outbound DMs and Reels publish requests transit through Meta's Graph API.
  • Google / TikTok — content uploads pass through their respective APIs for publication.

API tokens are stored exclusively in encrypted server-side environment files. They are never embedded in source code, never shared with third parties, and never sent to any analytics or marketing service.

12.7 Retention and deletion

Comment-event records are retained on the operator's server for analytics and audit purposes. If you have commented on an Ashton Voss Instagram post and would like the corresponding comment-event record (including your username, igsid, and comment text) removed from our database, email mail@ashtonvossai.com with the comment URL. We process such requests within 30 days. Note that to delete the underlying comment from Instagram itself, you should also delete the comment from your own Instagram account — Meta retains its own copy under its privacy policy.

12.8 What we do not do

  • We do not sell, rent, or share Instagram, YouTube, or TikTok user data with any third party.
  • We do not use platform data for advertising, profiling, or behavioural targeting.
  • We do not aggregate platform data with the newsletter subscriber list described in earlier sections of this policy.
  • We do not authenticate any user other than Ashton Voss against the Social Poster app.

13. Changes to this policy

If this policy changes materially, we will update the "Last updated" date at the top and, where appropriate, notify subscribers by email before the change takes effect.

14. Contact

Questions about this policy or your data?

Ashton Voss
Brisbane, Queensland, Australia
mail@ashtonvossai.com