Posteroz Privacy Policy 

ast updated: 11 May 2025

Posteroz Ltd. (“Posteroz”, “we”, “us” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard personal data when you visit the Posteroz website, use our web/desktop/mobile apps, browser extensions or otherwise interact with any of our services (collectively, the “Service”).

If you have any questions, please contact us: privacy@posteroz.app

1. Who is the data controller?

Posteroz Ltd.
71-75 Shelton Street, London WC2H 9JQ, United Kingdom
ICO registration: ZB731245

2. Scope of this Policy

This Policy covers personal data we process in our role as controller (e.g. your account details, billing information, support communications). When we publish or schedule your content to third-party social networks (“Platforms”), we act as your processor/service provider—handling data strictly on your instructions and in accordance with our Terms of Service.

3. The data we collect

Category

Examples

How we obtain it

Account Data

Name, email, password hash, preferred language, time-zone

Directly from you at sign-up

Platform Credentials

OAuth tokens, channel IDs, page IDs

Via secure Platform authorisation flows

Uploaded Content

Photos, videos, captions, hashtags, thumbnails, scheduled post times

You upload or create within the Service

Billing & Subscription

Payment method (tokenised), billing address, VAT/Tax ID

via our payment processor (Stripe)

Usage & Device Data

IP address, browser type, device identifiers, log files, interaction events, crash reports

Automatically via cookies, SDKs and server logs

Analytics

Aggregated engagement metrics (views, likes, comments) pulled from Platform APIs

From Platforms once you connect them

Support & Feedback

Emails, chat messages, survey responses

Directly from you

We do not collect or store your plaintext social-media passwords.

4. Cookies & similar technologies

We use:

• Essential cookies – to keep you logged in and secure the Service
  
  

• Analytics cookies – to understand how features are used (Google Analytics 4 with IP-anonymisation, Plausible self-hosted EU cluster)
  
  

• Functional storage – to remember settings (e.g. dark mode)
  
  

You can manage cookies in your browser settings or via our in-app “Cookie Preferences” panel.

5. Legal bases for processing (UK GDPR Art. 6)

Purpose

Legal basis

Create & maintain your account

Contract (Art. 6 (1)(b))

Publish/schedule content to Platforms

Contract

Provide customer support

Legitimate interests (to ensure Service quality)

Send service emails (e.g. security alerts, billing notices)

Legal obligation / Contract

Improve, debug & secure the Service

Legitimate interests

Marketing emails & product updates

Consent (you may opt-out anytime)

Comply with legal requests, detect fraud

Legal obligation / Legitimate interests

6. How we use your data

1. Deliver the Service – authenticate you, store drafts, render dashboards, push posts via Platform APIs.
   
   

2. Personalise features – remember your preferred aspect ratios, tailor hashtag suggestions.
   
   

3. Analyse performance – aggregate metrics to help you track follower growth.
   
   

4. Communicate – respond to support tickets, announce feature changes, send critical alerts.
   
   

5. Improve & secure – monitor for errors, detect abuse, run A/B tests.
   
   

We never sell your personal information.

7. Sharing & disclosure

We share your data only with:

Recipient type

Purpose

Safeguards

Cloud hosting & storage (Amazon Web Services – EU West [Ireland])

Hosting databases, media files, backups

UK/EU Standard Contractual Clauses & ISO 27001 certifications

Payment processor (Stripe)

Subscription billing

PCI-DSS compliant

Analytics providers (see Cookies)

Usage statistics

IP-anonymisation, data minimisation

Customer-support tools (Intercom)

Live chat, email management

SCCs

Platforms (TikTok, Instagram, YouTube, etc.)

Posting/scheduling your Content on your behalf

OAuth tokens stored encrypted, limited scopes

Authorities or legal counsel

When required to comply with law or protect rights

Only upon valid legal request

8. International transfers

Data may be processed outside the UK/EU (e.g., when a cloud sub-processor operates servers in the US). In such cases we rely on:

• ICO/EU‐approved Standard Contractual Clauses, or
  
  

• A recognised adequacy decision, or
  
  

• Your explicit consent where appropriate.
  
  

A current list of sub-processors and transfer mechanisms is available at https://posteroz.app/subprocessors.

9. Data retention

Data type

Retention period

Account data

While your account is active + 12 months

Uploaded media & drafts

Until you delete them, or 30 days after account deletion (back-ups purged in 60 days)

OAuth tokens

Immediately deleted if you disconnect the Platform

Billing records

7 years (UK tax law)

Support tickets

24 months

Analytics logs

12 months (aggregate thereafter)

We pseudonymise or anonymise data when full deletion is not technically feasible or required for legitimate purposes.

10. Security

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
  
  

• Zero-trust network segmentation & firewalls
  
  

• Regular penetration tests & vulnerability scanning
  
  

• Principle-of-least-privilege access controls
  
  

• ISO 27001-aligned policies and incident-response plan
  
  

• OAuth tokens encrypted with KMS and rotated on breach suspicion
  
  

No system is 100 % secure, but we strive to protect your information using industry-standard practices.

11. Your privacy rights

Under the UK GDPR and (where applicable) EU GDPR you have the right to:

• Access – obtain a copy of your personal data
  
  

• Rectify – correct inaccurate or incomplete data
  
  

• Erase – request deletion (“right to be forgotten”)
  
  

• Restrict processing – temporarily limit use of your data
  
  

• Data portability – receive data in a structured, machine-readable format
  
  

• Object – object to processing based on legitimate interests or direct marketing
  
  

• Withdraw consent – at any time, where processing is based on consent
  
  

To exercise any right, email privacy@posteroz.app or use the in-app “Privacy Centre”. We will respond within 1 month (30 days). You may also lodge a complaint with the UK Information Commissioner’s Office (https://ico.org.uk) or your local supervisory authority.

12. Children

Posteroz is not directed to individuals under 16 (or the minimum digital consent age in your country, whichever is higher). We do not knowingly collect personal data from children. If you believe we have done so, contact us and we will delete it.

13. Automated decision-making

Posteroz does not engage in automated decision-making that produces legal or similarly significant effects on you. Some features (e.g., hashtag recommendations) use algorithms, but humans can request review or override.

14. Third-party links & services

Our Service may contain links to external sites or embed third-party widgets. We do not control those services and are not responsible for their privacy practices. Please review their policies.

15. Changes to this Policy

We may update this Privacy Policy to reflect changes in technology, law or our practices. Material changes will be announced by email or in-app banner at least 30 days before they take effect. Continued use after that date constitutes acceptance.

16. Contact us

Email: privacy@posteroz.app
Post: Posteroz Ltd., 71-75 Shelton Street, London WC2H 9JQ, United Kingdom
Data Protection Officer: dpo@posteroz.app

Your privacy matters. If anything in this Policy is unclear, reach out and we’ll be happy to explain it in plain language.