Legal

Privacy Policy

Last updated:

This Privacy Policy explains how PostJay ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our social media scheduling service (the "Service"). By accessing or using the Service, you agree to the terms of this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account information

When you create an account we collect your email address, a hashed password, and an optional display name. If you sign in through a third-party identity provider, we receive only the information that provider returns (typically your email and a stable user identifier).

1.2 Social account connections

To publish on your behalf, the Service must connect to your accounts on supported platforms (Twitter/X, Instagram, Facebook, LinkedIn, TikTok, YouTube, Pinterest, Threads, and Bluesky). We store the OAuth access and refresh tokens issued by each platform. All access and refresh tokens are encrypted at rest using AES-256-GCM with keys held outside the database. We never see your platform passwords.

1.3 Content you create

We store the posts, drafts, captions, scheduling timestamps, and media files you upload through the Service. Media files are stored on our object storage provider (Cloudflare R2) under access-controlled keys scoped to your account.

1.4 Usage and device data

We collect technical information automatically when you use the Service, including IP address, browser type, operating system, referring pages, pages visited, timestamps, and error reports. We use this data to operate the Service, detect abuse, and improve performance.

1.5 Payment information

We do not store full payment card details on our servers. Payments are processed by Stripe or Lemon Squeezy. We receive only a customer identifier, subscription status, plan, and the last four digits of your card for display purposes.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service;
  • Authenticate you and secure your account;
  • Publish content to the social platforms you connect, at the times you schedule;
  • Send transactional emails such as receipts, password resets, scheduling failures, and team invitations;
  • Detect, investigate, and prevent fraudulent or abusive use of the Service;
  • Comply with our legal obligations and respond to lawful requests;
  • Improve and develop new features (using aggregated, non-identifying analytics).

We do not sell your personal data, share it with advertisers, or train third-party machine-learning models on your content.

3. Cookies

We use a small number of strictly necessary cookies to keep you signed in and remember your preferences. We do not use third-party advertising cookies. For details, see our Cookies Policy.

4. Sharing & Disclosure

We share information only with the following categories of recipients:

  • Social platforms — we transmit the content you have explicitly scheduled to the platforms you have connected, using the credentials you provided.
  • Service providers — infrastructure vendors such as our database host (Supabase / Postgres), object storage (Cloudflare R2), email delivery (Resend), queueing (Upstash QStash & Redis), and error reporting (Sentry). These vendors process data on our behalf under written data-processing agreements.
  • Payment processors — Stripe or Lemon Squeezy, to handle subscription billing.
  • Team members — if you invite teammates to your workspace, they may view drafts, scheduled posts, analytics, and connected accounts shared with the team.
  • Legal compliance — when we are required to disclose information by law, court order, or to protect the rights, property, or safety of PostJay, our users, or the public.
  • Business transfers — if we are acquired or merge with another company, your information may be transferred subject to this Policy.

5. Data Retention

We retain your account data for as long as your account is active. If you cancel and delete your account, we permanently delete your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting reasons (typically up to 7 years for billing records). Encrypted social tokens are deleted immediately upon account closure or platform disconnection.

6. Your Rights (GDPR, UK GDPR, CCPA)

If you are located in the European Economic Area, the United Kingdom, California, or another jurisdiction with comparable data-protection laws, you have the following rights:

  • Access — request a copy of the personal data we hold about you;
  • Rectification — request that we correct inaccurate or incomplete data;
  • Erasure — request that we delete your personal data (the "right to be forgotten");
  • Restriction — request that we limit how we process your data;
  • Portability — request a machine-readable export of your data;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — where we rely on consent, you can withdraw it at any time.

To exercise any of these rights, email hello@postjay.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.

7. International Transfers

PostJay operates globally. Your information may be processed in countries outside your country of residence, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect your data during international transfers.

8. Security

We implement industry-standard administrative, technical, and physical safeguards to protect your data, including encryption in transit (TLS 1.2+), encryption at rest for sensitive fields (AES-256-GCM), short-lived JWTs, per-IP rate limiting, automated vulnerability scanning, and regular security reviews. However, no method of transmission or storage is 100% secure; if we become aware of a breach affecting your data, we will notify you and the relevant authorities in accordance with applicable law.

9. Children

The Service is not directed to children under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, if the changes are material, notify you by email or through the Service. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

11. Contact

Questions about this policy or our data practices? Email hello@postjay.com.