Privacy Policy

Last updated: October 11, 2025

Introduction

At Postle.io, we believe privacy isn't something you should have to worry about. This policy explains what information we collect, why we collect it, and what rights you have over your data.

We're committed to transparency—no hidden data collection, no selling your information, and no surprise changes. If you have questions after reading this, email us at support@postle.io.

1. Information We Collect

We only collect information that's necessary to provide and improve our service. Here's what we collect and why:

Account Information

  • Email address: Required for account creation, login notifications, and important service updates
  • Name: Optional, used to personalize your experience
  • Password: Securely hashed (we never store plain-text passwords)
  • Profile photo: Optional, for account personalization

Social Media Account Data

When you connect social media accounts (Facebook, Instagram, Twitter, LinkedIn, TikTok, YouTube, Pinterest), we collect:

  • OAuth access tokens: Encrypted and stored securely to schedule posts on your behalf
  • Profile information: Username, profile picture, and account name (to display in the app)
  • Post data: Content, media, and metadata for posts you create in Postle.io
  • Analytics data: Post performance metrics (views, likes, comments, shares) fetched from platform APIs

Usage Data

We collect information about how you use Postle.io:

  • Pages you visit within the app
  • Features you use (composer, calendar, analytics)
  • Actions you take (creating posts, scheduling, editing)
  • Device information (browser, operating system, screen size)
  • IP address (for security and fraud prevention)

Payment Information

  • Stripe Customer ID: Links your account to Stripe for billing
  • Subscription status: Your current plan and billing cycle
  • Billing history: Receipts and invoices

Important: We do not store credit card numbers or bank account details. All payment processing is handled securely by Stripe.

Communication Data

  • Support emails and chat messages
  • Feedback and feature requests
  • Bug reports and error logs

2. How We Use Your Information

We use your information to:

Provide Our Service

  • Create and maintain your account
  • Authenticate you securely
  • Schedule and publish posts to your connected social media accounts
  • Fetch and display analytics from social platforms
  • Store and optimize your media files (images, videos)
  • Process payments and manage subscriptions

Improve Our Service

  • Understand which features are most useful (only with your consent to Analytics cookies)
  • Identify and fix bugs and performance issues
  • Develop new features based on usage patterns
  • Ensure the platform works reliably across devices and browsers

Communicate With You

  • Send transactional emails (post confirmation, scheduling errors, account changes)
  • Respond to support requests
  • Notify you of critical service updates or security issues
  • Send occasional product updates (you can opt out anytime—we're not big on marketing emails)

Ensure Security and Compliance

  • Detect and prevent fraud and abuse
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect our users and the platform

3. How We Share Your Information

We never sell your data. Period. We only share your information in these specific situations:

Third-Party Services (Essential for Functionality)

We use trusted partners to help run Postle.io:

| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All account and post data |
| Stripe | Payment processing | Email, name, billing info |
| Sentry | Error monitoring | Error logs, device info (only if you consent to Analytics) |
| Resend | Transactional emails | Email address, name, email content |
| Social Platforms | Publishing posts | Post content, media, scheduling data |

Each of these services is carefully vetted and complies with GDPR and industry security standards.

Social Media Platforms

When you schedule a post, we send it to the platforms you selected (Facebook, Instagram, etc.) using their official APIs. Each platform has its own privacy policy governing how they handle that content.

Legal Requirements

We may disclose your information if required by law, such as in response to:

  • Valid legal requests (subpoenas, court orders)
  • National security or law enforcement requirements
  • Protecting the rights, property, or safety of Postle.io or others

If we're compelled to disclose user information, we'll notify you unless prohibited by law.

Business Transfers

If Postle.io is acquired by or merges with another company, your information may be transferred. We'll notify you before this happens and provide options to delete your account if you prefer.

4. Data Storage and Security

We take data security seriously. Here's how we protect your information:

Where Your Data Is Stored

  • Primary database: Supabase (hosted in EU and US data centers)
  • File storage: Supabase Storage (for uploaded images and videos)
  • Backups: Automated daily backups, stored in the same regions

How We Secure Your Data

  • Encryption in transit: All data transmitted over HTTPS/TLS
  • Encryption at rest: Database and files encrypted at rest
  • OAuth tokens: Encrypted before storage, never logged
  • Password security: Hashed using bcrypt (industry standard)
  • Row Level Security (RLS): Database enforces that users can only access their own data
  • Regular security audits: We review and update security practices regularly
  • Access controls: Strict employee access policies (only essential personnel)

Your Responsibilities

Security is a shared responsibility. You can help by:

  • Using a strong, unique password
  • Enabling two-factor authentication (when available)
  • Not sharing your login credentials
  • Logging out of shared devices or using incognito/private browsing
  • Reporting suspicious activity to support@postle.io

5. Your Privacy Rights

You have full control over your data. Here are your rights under GDPR and CCPA:

Right to Access

Request a copy of all data we have about you. We'll provide it in a readable format (JSON export).

How: Settings → Privacy → Export My Data, or email support@postle.io

Right to Rectification

Update or correct inaccurate information in your account.

How: Settings → Profile, or contact support for bulk changes

Right to Erasure ("Right to be Forgotten")

Delete your account and all associated data. This is permanent and cannot be undone.

How: Settings → Privacy → Delete Account

What happens:

  • Your account is immediately deactivated
  • Data is anonymized within 30 days
  • Backups are purged within 90 days
  • Some data may be retained for legal compliance (billing records, fraud prevention)

Right to Data Portability

Export your data in a machine-readable format (JSON) to use elsewhere.

How: Settings → Privacy → Export My Data

Right to Object

Object to certain data processing activities, like analytics.

How: Disable Analytics cookies in Cookie Settings

Right to Withdraw Consent

Change your mind about cookie preferences at any time.

How: Cookie Settings (footer of any page)

Right to Lodge a Complaint

If you're in the EU and unhappy with how we handle your data, you can file a complaint with your national Data Protection Authority.

Exercising Your Rights

Most rights can be exercised directly through your account settings. For anything else, email us at support@postle.io with:

  • Your account email
  • Which right you're exercising
  • Any specific details or requests

We'll respond within 30 days (often much faster). There's no charge for these requests unless they're excessive or clearly unfounded.

6. Data Retention

We keep your data only as long as necessary. Here's our policy:

Active Accounts

  • Your data is retained as long as your account is active and you're using the service
  • No automatic deletion—we won't delete your posts or analytics unless you ask

Deleted Accounts

  • Grace period: 30 days to change your mind (data is soft-deleted)
  • After 30 days: All data is permanently deleted and cannot be recovered
  • Backups: Purged within 90 days

Legal and Compliance Records

Some data must be retained for legal/compliance reasons:

  • Billing records: 7 years (tax law requirement)
  • Fraud prevention data: Up to 5 years
  • Legal disputes: Until resolution

Aggregated Analytics

  • Personal data is removed after 12 months and anonymized into aggregated statistics
  • Anonymized data (no way to identify you) may be retained indefinitely for product insights

7. International Data Transfers

Postle.io operates globally, which means your data may be transferred across borders. Here's how we handle this responsibly:

Where We Transfer Data

  • EU users: Data primarily stored in EU data centers (Supabase EU region)
  • US users: Data stored in US data centers (Supabase US region)
  • Cross-border: Some services (Stripe) may process data in the US

Legal Safeguards for EU Users

For EU to US data transfers, we rely on Standard Contractual Clauses (SCCs)—legally binding agreements approved by the European Commission to ensure GDPR-level protection.

Our service providers are also certified under:

  • EU-US Data Privacy Framework (where applicable)
  • GDPR compliance programs
  • ISO 27001 security standards

8. Children's Privacy

Postle.io is not intended for children under 16 years old. We do not knowingly collect personal information from anyone under 16.

If you're a parent or guardian and believe your child has provided us with personal information, contact us immediately at support@postle.io. We'll delete the information as quickly as possible.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Here's how we handle changes:

Minor Updates

Small clarifications or added details that don't change your rights:

  • Updated "Last updated" date at the top
  • Notice on the website for 30 days

Material Changes

Significant changes that affect how we handle your data (e.g., new data collection, new third-party services):

  • Email notification to all users
  • Prominent notice on the website
  • 30-day notice period before changes take effect
  • Option to delete your account if you disagree

Your continued use of Postle.io after the changes take effect constitutes acceptance of the updated policy.

10. Contact Us

We're here to answer your privacy questions. No automated responses, no runaround—just real humans who care about your data.

Company Information

Data Protection Requests

For GDPR/CCPA requests (access, deletion, portability), please email support@postle.io with "Data Protection Request" in the subject line.

Response Time

We aim to respond to all privacy inquiries within 48 hours (often faster). Legal requests will be fulfilled within 30 days as required by law.

This Privacy Policy was last updated on October 11, 2025. You can view previous versions on our GitHub repository.