Legal
Privacy Policy
Last updated:
This Privacy Policy explains how PostJay("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our social media scheduling service (the "Service"). By accessing or using the Service, you agree to the terms of this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account information
When you create an account we collect your email address, a hashed password, and an optional display name. If you sign in through a third-party identity provider, we receive only the information that provider returns (typically your email and a stable user identifier).
1.2 Social account connections
To publish on your behalf, the Service must connect to your accounts on supported platforms (Twitter/X, Instagram, Facebook, LinkedIn, TikTok, YouTube, Pinterest, Threads, and Bluesky). We store the OAuth access and refresh tokens issued by each platform. All access and refresh tokens are encrypted at rest using AES-256-GCM with keys held outside the database. We never see your platform passwords.
1.3 Content you create
We store the posts, drafts, captions, scheduling timestamps, and media files you upload through the Service. Media files are stored on our object storage provider (Cloudflare R2) under access-controlled keys scoped to your account.
1.4 Usage and device data
We collect technical information automatically when you use the Service, including IP address, browser type, operating system, referring pages, pages visited, timestamps, and error reports. We use this data to operate the Service, detect abuse, and improve performance.
1.5 Payment information
We do not store full payment card details on our servers. Payments are processed by Stripe or Lemon Squeezy. We receive only a customer identifier, subscription status, plan, and the last four digits of your card for display purposes.
1.6 Data from Meta platforms (Facebook, Instagram & Threads)
When you connect a Facebook Page, an Instagram Business or Creator account, or a Threads profile, we access the following data through Meta's APIs, only with your explicit authorization and only to provide the features you request:
- Profile & account information — the account/Page ID, username, display name, profile picture, and public counts (followers, following, media/post counts). Used to identify and display the accounts you connect.
- Content publishing — we create and publish the posts, images, videos, reels, stories, and carousels that you compose and schedule in the Service. We only publish content you have explicitly scheduled.
- Insights & analytics — post- and account-level metrics such as impressions, reach, likes, comments, saves, and shares. Used to show you performance data for content published through the Service.
- Comments — where you enable it, we read and manage comments on content you have published.
We use data obtained from Meta platforms solely to deliver the scheduling, publishing, and analytics features you request. We do not use it for advertising, do not sell it, and do not use it to train machine-learning models. The OAuth access and refresh tokens for your Meta accounts are encrypted at rest (AES-256-GCM) and are deleted immediately when you disconnect the account in the Service or remove our app from your Facebook, Instagram, or Threads settings.
You can revoke our access at any time from your Facebook, Instagram, or Threads account settings, or by disconnecting the account within the Service. To request deletion of data associated with these connections, visit our Data Deletion page. Our access to and use of information received from the Meta APIs adheres to the Meta Platform Terms and Meta Developer Policies.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service;
- Authenticate you and secure your account;
- Publish content to the social platforms you connect, at the times you schedule;
- Send transactional emails such as receipts, password resets, scheduling failures, and team invitations;
- Detect, investigate, and prevent fraudulent or abusive use of the Service;
- Comply with our legal obligations and respond to lawful requests;
- Improve and develop new features (using aggregated, non-identifying analytics).
We do not sell your personal data, share it with advertisers, or train third-party machine-learning models on your content.
3. Cookies
We use a small number of strictly necessary cookies to keep you signed in and remember your preferences. We do not use third-party advertising cookies. For details, see our Cookies Policy.
4. Sharing & Disclosure
We share information only with the following categories of recipients:
- Social platforms — we transmit the content you have explicitly scheduled to the platforms you have connected, using the credentials you provided.
- Service providers— infrastructure vendors such as our database host (Supabase / Postgres), object storage (Cloudflare R2), email delivery (Resend), queueing (Upstash QStash & Redis), and error reporting (Sentry). These vendors process data on our behalf under written data-processing agreements.
- Payment processors — Stripe or Lemon Squeezy, to handle subscription billing.
- Team members — if you invite teammates to your workspace, they may view drafts, scheduled posts, analytics, and connected accounts shared with the team.
- Legal compliance — when we are required to disclose information by law, court order, or to protect the rights, property, or safety of PostJay, our users, or the public.
- Business transfers — if we are acquired or merge with another company, your information may be transferred subject to this Policy.
5. Data Retention
We retain your account data for as long as your account is active. If you cancel and delete your account, we permanently delete your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting reasons (typically up to 7 years for billing records). Encrypted social tokens are deleted immediately upon account closure or platform disconnection.
6. Your Rights (GDPR, UK GDPR, CCPA)
If you are located in the European Economic Area, the United Kingdom, California, or another jurisdiction with comparable data-protection laws, you have the following rights:
- Access — request a copy of the personal data we hold about you;
- Rectification — request that we correct inaccurate or incomplete data;
- Erasure — request that we delete your personal data (the "right to be forgotten");
- Restriction — request that we limit how we process your data;
- Portability — request a machine-readable export of your data;
- Objection — object to processing based on legitimate interests;
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.
7. International Transfers
PostJay operates globally. Your information may be processed in countries outside your country of residence, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect your data during international transfers.
8. Security
We implement industry-standard administrative, technical, and physical safeguards to protect your data, including encryption in transit (TLS 1.2+), encryption at rest for sensitive fields (AES-256-GCM), short-lived JWTs, per-IP rate limiting, automated vulnerability scanning, and regular security reviews. However, no method of transmission or storage is 100% secure; if we become aware of a breach affecting your data, we will notify you and the relevant authorities in accordance with applicable law.
9. Children
The Service is not directed to children under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, if the changes are material, notify you by email or through the Service. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact
PostJay is operated by SESUDIA LLC, the entity responsible for your personal data under this Policy. Questions about this policy or our data practices? Email [email protected] or write to us at 30 N Gould St Ste N, Sheridan, WY 82801, United States.