Privacy Policy
Last Updated: 2026-04-16
Thank you for using OnPost (“we,” “us,” or “our”). This Privacy Policy outlines how we collect, use, and protect your personal and non-personal information when you use our website located at https://onpost.me (the “Website”).
By accessing or using the Website, you agree to the terms of this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Website.
1. Information We Collect
1.1 Personal Data
We collect the following personal information from you:
- Name: We collect your name (or display name) to personalize your experience and communicate with you effectively.
- Email: We collect your email address to send you important information regarding your account, updates, and communication.
- Profile Image and Timezone: We collect these to display your account in the dashboard and to schedule posts in your local time.
- Payment Information: We collect payment details to process your subscription securely. Card and bank account details are not stored by us; they are collected and processed by our payment processor, Paddle.
- Social Media Authentication Access Keys: We collect access tokens and refresh tokens for the social media accounts you connect (Instagram, YouTube, TikTok, Threads, LinkedIn, and Meta/Facebook) to enable cross-posting functionality. These tokens are encrypted at rest using AES-256-GCM.
- Content You Upload: Captions, titles, hashtags, images, videos, thumbnails, and scheduled publishing times that you create through the service.
1.2 Non-Personal Data
We collect non-personal information such as your IP address, browser type, device information, access logs, and a one-time Cloudflare Turnstile bot-protection token. This information helps us secure the service, analyze trends, and improve your experience.
2. Purpose of Data Collection
We collect and use your personal data to:
- Provide account registration, authentication, and account management.
- Enable cross-posting and scheduled publishing to your connected social media accounts, including media upload, storage, and delivery of publishing results.
- Process subscription payments, billing, refunds, and related notices.
- Provide customer support and deliver service announcements.
- Improve the service, develop new features, and detect fraudulent or abusive use.
- Comply with applicable legal obligations.
3. YouTube API Services
OnPost uses YouTube API Services to enable cross-posting functionality to YouTube. By using our service to interact with YouTube, you are also subject to the YouTube Terms of Service.
OnPost's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
You may revoke OnPost's access to your Google account at any time via the Google security settings page, or by disconnecting your YouTube account inside OnPost.
4. Google Privacy Policy
As we use YouTube API Services, your data may also be subject to Google's Privacy Policy. For more information on how Google collects and processes data, please refer to the Google Privacy Policy.
5. Data Sharing
We do not share your personal data with any other parties except as required to deliver the service. This includes:
- Connected social media platforms (Instagram, YouTube, TikTok, Threads, LinkedIn, Meta/Facebook) — when you publish a post, the necessary content and credentials are transmitted to the platform you selected.
- Service providers acting on our behalf:
  - Supabase, Inc. — authentication and database hosting
  - Cloudflare, Inc. — media object storage (R2) and bot protection (Turnstile)
  - Vercel Inc. — website hosting and serverless execution
  - Paddle.com Market Limited — subscription payment processing
  - Resend, Inc. — transactional email delivery
  - Channel Corp. — customer support (Channel Talk)
These providers are bound by contract to process personal data only for the purposes we specify and to maintain appropriate security measures.
6. Children's Privacy
OnPost is not intended for children, and we do not knowingly collect any data from children.
7. Data Retention
We retain your personal data only as long as necessary to provide the service and to comply with our legal obligations:
- Account information: deleted within 30 days after account deletion is requested. Service access is suspended immediately upon request; the 30-day window exists solely to allow recovery from accidental deletion.
- Social media tokens: deleted immediately when you disconnect a social account or delete your account.
- Uploaded media: deleted immediately upon your request or account deletion. Media uploaded but never published is automatically deleted after 24 hours.
- Payment and transaction records: retained for the period required by applicable consumer protection law (up to 5 years).
- Access logs (including IP address): retained for up to 3 months.
8. Updates to the Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be announced inside the service at least 7 days before they take effect (30 days for changes that materially affect your rights).
9. Contact Information
If you have any questions, concerns, or requests related to this Privacy Policy, you can contact us at:
Email: aimhee20@gmail.com
10. Data Protection Mechanisms
We take the protection of your sensitive data seriously and have implemented the following security measures:
- Encryption at rest: Social media access tokens and refresh tokens (including Google/YouTube OAuth tokens) are encrypted using AES-256-GCM.
- Encryption in transit: All data transmitted between your browser and our servers is protected with HTTPS/TLS.
- Authentication: We do not store passwords directly. Authentication is handled via Google OAuth or one-time email codes (OTP) through Supabase Auth.
- Access control: Database access is restricted with Row Level Security (RLS) so that you can access only your own data. Administrative access is limited to the minimum necessary personnel.
- Abuse prevention: Cloudflare Turnstile is used to block automated abuse, and internal scheduled jobs are gated by a separate secret-key verification.
While we implement these security measures to protect your sensitive information, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. We strive to use commercially acceptable means to protect your personal information, but we cannot guarantee its absolute security.
By using OnPost, you consent to the terms of this Privacy Policy.