Legal · TransparencyPermissions & Scopes
Effective June 1, 2026
Every permission postme.live requests from a connected platform is listed here. For each one, we tell you what it lets us do, why we need it, and exactly what we store after we use it. If a permission is not listed below, we do not request it.
How to read this page
Each platform shows the developer programme we use, a one-line summary of the integration, and a table of every permission (Meta calls them permissions, Google calls them scopes, TikTok calls them scopes) we request. The combined set of permissions is the smallest set we could find that lets postme.live work end-to-end. If a future feature needs an additional permission, we will update this page and request your consent again — your existing connection keeps working with the permissions you already granted.
For the broader picture see our Privacy Policy and our User Data Deletion page.
Facebook Login for Business · Graph API
Connect a Facebook Page you manage. We publish posts to that Page on your behalf and surface engagement metrics in your dashboard.
| Permission | What it lets us do | Why we need it | What we store |
|---|
pages_show_list | List the Pages you manage so you can pick which one to connect. | Without this we could not show you a chooser of your Pages — connecting would require copy-pasting a Page id. | Page id, name, and profile picture URL of the Page you actually pick. Other Pages you manage are not stored. |
pages_manage_posts | Publish text, image, and video posts to the Page you connected. | This is the core feature of postme.live for Facebook — there is no narrower scope that allows publishing to a Page. | Per published post: Page-side post id, post URL, our internal post id. |
pages_read_engagement | Fetch reactions, comments, shares, and Page-level daily insights (views, reach, engagement) for the posts and Page you connected, so we can render the analytics dashboard. | Required by Meta to read engagement and Page insights even when limited to content you authored. On current API versions this scope also grants the Page Insights read access that the legacy `read_insights` scope used to cover, so we no longer request `read_insights` (Meta blocks it at the login dialog for Live apps). | Aggregate counts (views, reach, reactions, comments, shares) per post and per Page per day, snapshot daily. No commenter or per-viewer identities. |
Instagram Business Login · Instagram Graph API
Connect an Instagram Business or Creator account. We publish images and videos and surface post-level insights.
| Permission | What it lets us do | Why we need it | What we store |
|---|
instagram_business_basic | Read your IG Business profile (handle, avatar, follower count) so we can identify the connected account. | Required to display which IG account is connected and to call any other IG Business endpoint. | IG user id, handle, profile picture URL, follower count. |
instagram_business_content_publish | Publish images, videos, and Reels to the connected Instagram Business account. | The only Meta-supported scope for publishing to IG Business. Core publishing feature. | Per published post: IG-side media id, post URL, our internal post id. |
instagram_business_manage_insights | Fetch impressions, reach, and engagement for the posts we published, so they show up in your analytics. | Insights live behind a separate scope from publish on IG. Without it we can publish but cannot show you how the post performed. | Aggregate post-level insights snapshotted on a schedule. No per-viewer data. |
YouTube (Google)
YouTube Data API v3 · YouTube Analytics API v2
Connect a YouTube channel you own. We upload videos to the channel, fetch channel and per-video analytics, and surface those in your dashboard.
| Permission | What it lets us do | Why we need it | What we store |
|---|
https://www.googleapis.com/auth/youtube.upload | Upload videos (with title, description, tags, thumbnail) to your channel. | Google does not offer a narrower upload-only scope. This is the smallest scope that lets us publish on your behalf. | Per uploaded video: YouTube video id, watch URL, our internal post id. |
https://www.googleapis.com/auth/youtube.readonly | Identify which channel is connected on the OAuth callback, refresh your channel name and avatar, and list your recent uploads to populate the dashboard. | Without this scope, the channels.list endpoint returns 403 during connect, so we cannot identify the channel. | Channel id, title, avatar URL, subscriber count, video count. |
https://www.googleapis.com/auth/yt-analytics.readonly | Fetch daily channel-level metrics (views, watch time, engagement, subscriber delta) and per-video metrics for posts you publish through us. | YouTube splits data and analytics into separate APIs. The Analytics scope is the only way to get watch-time and per-video performance over time. | Aggregate daily channel metrics and per-video metrics. No per-viewer data. |
TikTok
TikTok Login Kit · Content Posting API
Connect a TikTok account. We send videos to your TikTok inbox so you can review and publish them inside the TikTok app.
| Permission | What it lets us do | Why we need it | What we store |
|---|
user.info.basic | Read your TikTok display name and avatar to identify the connected account. | Required by TikTok before any other endpoint can be called. Smallest identification scope. | TikTok open id, display name, avatar URL. |
user.info.profile | Read your follower count and other public profile fields for the dashboard. | Provides the channel-health stats we render on the dashboard. No private data. | Follower count, following count, video count. |
user.info.stats | Read your aggregate likes count for the dashboard. | Used only for dashboard headline numbers. | Likes count, video count. |
video.list | List your recent TikTok videos to populate your analytics timeline. | Required to surface your past content in the dashboard so the analytics view reflects all of your work, not only what we published. | Per video: TikTok video id, title, publish timestamp, aggregate metrics. |
video.upload | Send videos to your TikTok inbox for review. You complete the post inside the TikTok app, where you choose privacy, hashtags, and effects. | We deliberately use the inbox (FILE_UPLOAD) flow rather than direct publish (video.publish) until our app passes TikTok's Content Posting audit. This keeps you in control inside the official TikTok app. | Per upload: TikTok publish id, our internal post id. |
LinkedIn
Sign In with LinkedIn (OpenID Connect) · Share on LinkedIn (Posts API)
Connect your personal LinkedIn profile. We publish posts to your profile on your behalf and identify the connected account.
| Permission | What it lets us do | Why we need it | What we store |
|---|
openid | Authenticate you with LinkedIn via OpenID Connect on the OAuth callback. | Required to identify the LinkedIn member who connected. The legacy r_liteprofile scope older apps used is no longer available to new apps. | Your LinkedIn member id (the OpenID Connect "sub"). |
profile | Read your name and profile picture so we can show which LinkedIn account is connected. | Without it we cannot display the connected account or attribute posts to it. | Your name and profile picture URL. |
email | Read the email address on your LinkedIn account. | Returned alongside your profile by the OpenID Connect userinfo endpoint; used only to identify the connected account. | Email address. |
w_member_social | Publish text, image, and video posts to your LinkedIn profile. | The core feature for LinkedIn — there is no narrower scope that allows posting on your behalf. | Per published post: LinkedIn post URN, post URL, our internal post id. |
AI-generated content disclosure
Postme.live can generate per-platform caption text from a base message you provide, using an external language model accessed through OpenRouter. You can always edit or replace the generated text before publishing — the final caption sent to each platform is whatever appears in your composer at submit time.
Postme.live can also generate images from a text prompt you write, using Google's Gemini image model. These images are created by AI. If you publish an AI-generated or AI-edited image, set the per-platform AI-content disclosure described below so your audience and the platform know.
The media you upload (images and videos) is sent to each platform unchanged — we do not run AI synthesis, deep-fake generation, voice cloning, or face-swap on your uploads. We do not embed watermarks, branding, or logos in your media.
How AI-content labelling is handled per platform:
- TikTok — when our integration moves from inbox uploads to direct posting, the post payload includes an
is_aigc flag that you can set in the composer to disclose AI-generated or AI-significantly-modified media, per TikTok's Content Sharing Guidelines. For inbox uploads (the current default), you set the AI-content disclosure inside the TikTok app when you finish the post. - YouTube — the YouTube Data API v3 exposes a
status.containsSyntheticMedia flag (added October 2024) for disclosing realistic altered or AI-synthesised content. The composer's YouTube panel surfaces this as an “Altered or synthetic content” checkbox that you set per video; we pass the value through unchanged. You can also change the disclosure later in YouTube Studio. - Meta (Facebook & Instagram) — Meta auto-detects industry- standard C2PA Content Credentials embedded in the media file itself and labels posts accordingly. Postme.live passes your media through unchanged, so any credentials already in the file are preserved.
We do not use any platform data we receive (your posts, your audience metrics, your connected-account profile) to train AI or machine-learning models — generalized or otherwise. This matches the Limited Use commitment in our Privacy Policy.
What we never request
- Any permission to read your direct messages, comments by other users, or private content on any platform.
- Any permission to post on behalf of accounts you do not own or manage.
- Any permission to delete content you did not create through postme.live.
- Any permission to read the contact lists, friend graphs, or follower identities of any connected account.
Platform-issued tokens
When you grant the permissions above, the platform issues postme.live an OAuth access token (and, where supported, a refresh token). We store these tokens encrypted at rest with AES-256-GCM. We never see or store your platform password. You can revoke a token at any time from Settings → Connected Accounts inside postme.live, or from each platform's own app-management screen — see User Data Deletion for the direct links.
Contact
Questions about a specific permission, or want to verify what we did with a specific token: [email protected]. We'll respond within 2 business days.