Privacy Policy
Last updated: 2025-11-30
This Privacy Policy explains how Posterly ("we", "us", "our"), operated by Grassroots Marketing LLC (trading as Posterly), collects, uses, shares, and safeguards information when you use our website and application.
Who we are
Controller: Grassroots Marketing LLC, trading as Posterly
Address: 1801 Smart Heights, Dubai, UAE
Contact: alex@poster.ly
Governing law and venue: UAE (Dubai Courts)
Information we collect
- Account & OAuth data: When you connect social accounts (e.g., Instagram, Facebook, TikTok, YouTube, Threads, X/Twitter, LinkedIn, Pinterest, Google Business Profile, Telegram, Bluesky) or design tools (e.g., Canva), we receive profile identifiers and OAuth tokens/refresh tokens necessary to publish content on your behalf or import designs. Tokens are stored securely and can be revoked at any time via the provider's security settings.
- GitHub integration (Ship & Share feature): If you connect GitHub, we access only commit messages from the last 7 days from repositories you select. We never access your source code, files, or repository contents. GitHub access tokens are encrypted and stored securely. Commit messages are automatically deleted after 30 days. You can disconnect at any time to immediately delete all GitHub data.
- Content you provide: Media files, captions, and scheduling details you upload to Posterly.
- Operational data: Minimal logs and technical data (e.g., error logs) to operate, secure, and improve the service.
- Billing: Subscription payment processing is handled by Stripe. We do not store full payment card details.
How we use information
- Provide, maintain, and improve the Posterly service.
- Publish content to the platforms you authorize.
- AI content generation (Ship & Share): Commit messages from GitHub are sent to OpenAI to generate marketing content. OpenAI processes this data according to their API data usage policy (not used for model training).
- Provide support and communicate service updates.
- Ensure security and prevent misuse.
Third‑party processors
We rely on trusted vendors to provide the service. These include:
- Supabase (database, storage, auth)
- Vercel (hosting)
- Railway (background worker hosting)
- Upstash (Redis queue)
- OpenAI (optional AI caption features)
- Google Drive (file import), Google/YouTube Data API, Google Business Profile API
- Canva (design import)
- Meta (Facebook/Instagram/Threads), TikTok, X/Twitter, LinkedIn, Pinterest, Telegram, Bluesky
- Stripe (billing)
Operational logs, queue, and metrics
To deliver scheduled posts reliably, Posterly processes jobs via a background worker and Redis-based queue. We record minimal operational data such as job identifiers (e.g., post IDs), platform, timestamps, duration, HTTP status, and error codes strictly for troubleshooting, reliability, and abuse prevention. These logs are accessible only to authorized personnel and are not sold or used for advertising.
- Queue artifacts: Completed jobs are automatically removed within ~24 hours (or after a small recent count), and failed jobs are retained for up to ~7 days for diagnosis before deletion.
- Metrics: Internal service metrics (e.g., counts of jobs and per‑platform concurrency in use) may be exposed on a private endpoint for monitoring. These metrics do not include your captions, media, or personal information.
Canva disclosures
Posterly integrates with Canva to allow you to import designs directly into your posts. When you connect Canva, we access your design metadata and thumbnails to display them in the picker, and export selected designs as images. We do not modify your Canva designs or access your Canva account beyond what is necessary for the import feature. You can disconnect Canva at any time from within Posterly or revoke access via your Canva app settings. Upon disconnection, we delete your Canva OAuth tokens within 30 days.
Google/YouTube disclosures
Posterly uses the YouTube Data API v3 to let you connect your YouTube channel, schedule and upload videos on your behalf, and optionally add uploaded videos to playlists you select. By using these features you agree to the YouTube Terms of Service and the Google Privacy Policy.
YouTube data we access. When you connect YouTube we receive: your channel ID, channel title, channel handle (custom URL), profile picture, public subscriber and video counts, OAuth access and refresh tokens, and (when you choose to use the playlist feature) the list of playlists on your own channel. We access the YouTube Data API only when you explicitly take an action in Posterly: connecting an account, scheduling a video, selecting a playlist, or publishing.
How we use YouTube data. We use this data solely to provide and improve user-facing Posterly features that you have requested: displaying your connected channel, uploading scheduled videos via youtube.upload, reading channel and playlist info via youtube.readonly, and adding your uploaded videos to a playlist you have chosen via youtube.force-ssl (playlistItems.insert). We do not edit or delete existing videos, comments, captions, or playlists on your channel.
Limited Use compliance. Posterly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use YouTube data only to provide or improve user-facing features that are prominent in Posterly's UI.
- We do not transfer YouTube data to third parties except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use YouTube data for serving advertisements, including retargeted, personalized, or interest-based advertising.
- We do not allow humans to read YouTube data, except: with your affirmative consent for specific data; as necessary for security purposes (e.g., investigating abuse); to comply with applicable law; or for internal operations where the data has been aggregated and anonymized.
Storage and retention. OAuth tokens are encrypted at rest in Supabase. Channel metadata (ID, title, handle, profile picture, public counts) is stored to display your connected account and to authenticate API calls. Uploaded video content itself is sent directly to YouTube and is not retained by Posterly after publish.
Revocation and deletion. You can disconnect YouTube at any time from Posterly's Connect page, which deletes our copy of your tokens and channel metadata within 30 days. You can also revoke Posterly's access directly in your Google Account at myaccount.google.com/permissions. To request deletion of any other associated data, email alex@poster.ly.
Data retention & deletion
Upon cancellation, we promptly revoke access tokens and delete account‑level content and personal data unless a longer retention is required by law. Operational logs and backups are purged on a rolling basis and, where applicable, within 30 days. Queue artifacts are automatically cleaned as described above. You may also contact alex@poster.ly to request deletion at any time.
Children
Posterly is intended for users aged 13+. We do not knowingly collect data from children.
International transfers
Data may be processed in locations where our providers operate. We apply reasonable safeguards and use reputable vendors.
Security
We use TLS in transit and encrypt sensitive data at rest where applicable (e.g., tokens in Supabase).
Changes
We may update this policy. Material changes will be noted by updating the "Last updated" date above.
Contact
For questions or rights requests, contact alex@poster.ly. No Data Protection Officer is appointed.