Privacy Policy

Last updated: 2025-11-30

This Privacy Policy explains how Posterly ("we", "us", "our"), operated by Grassroots Marketing LLC (trading as Posterly), collects, uses, shares, and safeguards information when you use our website and application.

Who we are

Controller: Grassroots Marketing LLC, trading as Posterly
Address: 1801 Smart Heights, Dubai, UAE
Contact: alex@poster.ly
Governing law and venue: UAE (Dubai Courts)

Information we collect

• Account & OAuth data: When you connect social accounts (e.g., Instagram, Facebook, TikTok, YouTube, Threads, X/Twitter, LinkedIn, Pinterest, Google Business Profile) or design tools (e.g., Canva), we receive profile identifiers and OAuth tokens/refresh tokens necessary to publish content on your behalf or import designs. Tokens are stored securely and can be revoked at any time via the provider's security settings.
• GitHub integration (Ship & Share feature): If you connect GitHub, we access only commit messages from the last 7 days from repositories you select. We never access your source code, files, or repository contents. GitHub access tokens are encrypted and stored securely. Commit messages are automatically deleted after 30 days. You can disconnect at any time to immediately delete all GitHub data.
• Content you provide: Media files, captions, and scheduling details you upload to Posterly.
• Operational data: Minimal logs and technical data (e.g., error logs) to operate, secure, and improve the service.
• Billing: Subscription payment processing is handled by Stripe. We do not store full payment card details.

How we use information

• Provide, maintain, and improve the Posterly service.
• Publish content to the platforms you authorize.
• AI content generation (Ship & Share): Commit messages from GitHub are sent to OpenAI to generate marketing content. OpenAI processes this data according to their API data usage policy (not used for model training).
• Provide support and communicate service updates.
• Ensure security and prevent misuse.

Third‑party processors

We rely on trusted vendors to provide the service. These include:

• Supabase (database, storage, auth)
• Vercel (hosting)
• Railway (background worker hosting)
• Upstash (Redis queue)
• OpenAI (optional AI caption features)
• Google Drive (file import), Google/YouTube Data API, Google Business Profile API
• Canva (design import)
• Meta (Facebook/Instagram/Threads), TikTok, X/Twitter, LinkedIn, Pinterest
• Stripe (billing)

Operational logs, queue, and metrics

To deliver scheduled posts reliably, Posterly processes jobs via a background worker and Redis-based queue. We record minimal operational data such as job identifiers (e.g., post IDs), platform, timestamps, duration, HTTP status, and error codes strictly for troubleshooting, reliability, and abuse prevention. These logs are accessible only to authorized personnel and are not sold or used for advertising.

• Queue artifacts: Completed jobs are automatically removed within ~24 hours (or after a small recent count), and failed jobs are retained for up to ~7 days for diagnosis before deletion.
• Metrics: Internal service metrics (e.g., counts of jobs and per‑platform concurrency in use) may be exposed on a private endpoint for monitoring. These metrics do not include your captions, media, or personal information.

Canva disclosures

Posterly integrates with Canva to allow you to import designs directly into your posts. When you connect Canva, we access your design metadata and thumbnails to display them in the picker, and export selected designs as images. We do not modify your Canva designs or access your Canva account beyond what is necessary for the import feature. You can disconnect Canva at any time from within Posterly or revoke access via your Canva app settings. Upon disconnection, we delete your Canva OAuth tokens within 30 days.

Google/YouTube disclosures

Posterly uses the YouTube Data API to enable uploads and related features. By using these features you agree to the YouTube Terms of Serviceand the Google Privacy Policy. You can revoke Posterly access in your Google Account at myaccount.google.com/permissions.

Data retention & deletion

Upon cancellation, we promptly revoke access tokens and delete account‑level content and personal data unless a longer retention is required by law. Operational logs and backups are purged on a rolling basis and, where applicable, within 30 days. Queue artifacts are automatically cleaned as described above. You may also contact alex@poster.ly to request deletion at any time.

Children

Posterly is intended for users aged 13+. We do not knowingly collect data from children.

International transfers

Data may be processed in locations where our providers operate. We apply reasonable safeguards and use reputable vendors.

Security

We use TLS in transit and encrypt sensitive data at rest where applicable (e.g., tokens in Supabase).

Changes

We may update this policy. Material changes will be noted by updating the "Last updated" date above.

Contact

For questions or rights requests, contact alex@poster.ly. No Data Protection Officer is appointed.