Privacy Policy

1. What we collect

Account information. Your name, email, and avatar — provided to us by Clerk, our identity provider, when you sign up.

Workspace data. Workspaces you create, brand profile fields, and any media or post copy you upload.

Brand Kit. To help your posts match your brand, you can ask postme.live to learn your brand from a website address you provide. When you do, we fetch that public page server-side and extract a colour palette, fonts, a logo, and a short summary of your brand voice. You can also upload a logo or describe your brand by hand, and edit or clear any of it at any time.

Platform-provided data. When you connect a third-party account, that platform sends us a defined set of fields. We list every permission we request, what it lets us do, and exactly what we store on the dedicated Permissions & Scopes page. Per platform, in summary:

• Meta — Facebook Pages: Page id, Page name, Page profile picture URL, and aggregate engagement / insights for posts published through us. We never store your personal Facebook profile, your friend graph, your Page's commenter identities, or your Page's direct messages.
• Meta — Instagram Business: IG user id, handle, profile picture URL, follower count, and aggregate insights for posts published through us. We never store DMs, story viewers, or the identities of your followers.
• YouTube: channel id, channel title, channel avatar URL, subscriber and view counts, daily channel-level metrics, and per-video metrics for content you publish through us. We never store viewer identities, comments, or revenue data.
• TikTok: open id, display name, avatar URL, follower count, video count, and the TikTok-side ids of videos you send through us. We never store viewer identities, comments, or DMs.
• LinkedIn: your member id, name, profile picture URL, and the email on your LinkedIn account (via Sign In with LinkedIn / OpenID Connect), plus the LinkedIn-side ids of posts you publish through us. We never store your connections, messages, or other members' data.

OAuth tokens. The access and refresh tokens issued by each connected platform are stored encrypted at rest with AES-256-GCM. We never see or store your platform passwords.

Usage analytics. Page views and key product events (sign-up, post creation, account connection) via PostHog. This helps us understand which features get used. We don't sell or share these analytics.

Technical metadata. Standard server logs (IP address, user agent, timestamps) for security and debugging.

2. How we use the information we collect

• To run the service — authenticate you, store your media, publish on your behalf.
• To generate thumbnails, AI-assisted caption suggestions, and the on-brand images you request.
• To send service-related email (security alerts, account changes, important updates).
• To improve postme.live based on aggregate usage patterns.
• To meet legal obligations (tax, fraud prevention, lawful requests).

We do not use your media, copy, or brand details to train AI models. Caption suggestions and brand-voice summaries are generated per-request via OpenRouter, and those prompts aren't retained for training; the on-brand images you request are generated per-request via Google's Gemini API. We send each provider only what is needed to fulfil your request, at the moment you make it.

3. Google API Services User Data

For the YouTube integration, postme.live accesses information from Google APIs. Our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The scopes we request and what each is used for is listed on Permissions & Scopes. In summary:

• youtube.upload — to publish videos to your channel.
• youtube.readonly — to identify your channel and refresh its name, avatar, and aggregate stats.
• yt-analytics.readonly — to fetch the daily channel and per-video metrics we render in your dashboard.

We do not transfer Google user data to third parties for serving ads or any other unrelated purpose, we do not use Google user data for any purpose unrelated to providing and improving the user-facing features of postme.live, and we do not use Google user data to train generalized AI or machine-learning models. The only humans who may access Google user data are postme.live engineers, and only when (a) you have given us explicit permission for support, (b) it is necessary for security purposes such as investigating abuse, or (c) to comply with applicable law.

4. Meta Platform Data

For the Facebook and Instagram integrations, postme.live receives data from the Meta Platform. We comply with the Meta Platform Terms and the Meta Developer Policies. We use Meta Platform data only to provide and improve the user-facing features of postme.live (publishing posts you authored to the Pages and IG accounts you chose, and rendering analytics for those posts to you). We do not use Meta Platform data for advertising, we do not sell or rent it, we do not use it to train generalized AI or machine-learning models, and we do not transfer it to third parties except the sub-processors listed in §6 that are strictly necessary to operate the service.

You can revoke postme.live's access to your Facebook or Instagram account at any time from facebook.com/settings → Business Integrations. See User Data Deletion for the full step-by-step.

5. TikTok Developer Data

For the TikTok integration, postme.live receives data from TikTok. We comply with the TikTok Developer Terms of Service and the TikTok Content Sharing Guidelines. We use TikTok data only to provide and improve the user-facing features of postme.live (sending videos to your TikTok inbox for review and rendering channel-level stats in your dashboard). We do not superimpose any brand name, logo, watermark, or other promotional branding on the videos you send through postme.live. We do not use TikTok data for advertising, we do not sell or rent it, and we do not use it to train generalized AI or machine-learning models.

You can revoke postme.live's access to your TikTok account at any time from the TikTok app: Settings → Security and login → Manage connected apps. See User Data Deletion for the full step-by-step.

6. Sub-processors

We use a small number of third-party providers to operate the service. By using postme.live you consent to your data being processed by them for that purpose. Each provider is listed with the region where data is stored or processed:

• Clerk (United States) — authentication, session management, your name and email. Clerk is a US-incorporated identity provider.
• Cloudflare R2 (global edge network, Asia-Pacific origin for postme.live buckets) — media storage for your uploaded images and videos.
• OpenRouter (United States) — AI caption generation. Prompts are sent on demand and are not retained by OpenRouter or upstream model providers for training.
• Google (Gemini API) (United States) — on-brand image generation. The text prompt you submit (which may include your brand details) is sent on demand to generate the image you requested.
• PostHog Cloud EU (European Union — Frankfurt region, eu.i.posthog.com) — product analytics.
• Application database (PostgreSQL, hosted in Australia) — your workspace data, post metadata, encrypted OAuth tokens.
• Connected platforms (Meta, LinkedIn, TikTok, YouTube, your custom webhook) — destinations you choose. Their privacy policies apply once content reaches them.

7. Sharing

We do not sell your personal information. We share data only with the sub-processors listed above, with our team and contractors who need it to run the service, with professional advisors under confidentiality, and where legally required.

8. Security

OAuth tokens for connected accounts are encrypted at rest with AES-256-GCM. Sessions are HttpOnly cookies. Production traffic is HTTPS only. Webhook payloads we receive are HMAC-verified. No system is perfectly secure — we work to minimise risk and respond quickly to incidents.

9. Data location

postme.live runs primarily on infrastructure in Australia and the European Union (PostHog EU region). Some sub-processors may transfer data to the United States and other jurisdictions; we choose providers that maintain protections aligned with Australian privacy standards.

10. Retention

We keep your data while your account is active. Deleted media is removed from R2 within 30 days. If you delete your account, we delete your workspace data within 30 days, except where we're legally required to retain something (e.g. financial records).

11. Your rights

You can:

• Access your data (most of it is visible in the app).
• Correct your name and other profile fields from Settings → Profile.
• Disconnect platforms and delete media at any time.
• Request a full export or deletion — see User Data Deletion for the step-by-step.
• Withdraw consent for analytics in your browser settings.
• Lodge a complaint with the Office of the Australian Information Commissioner.

12. Cookies

We set two first-party cookies: a Clerk session cookie (HttpOnly, identity) and pts_active_org (HttpOnly, your active workspace). PostHog sets a first-party analytics cookie. We don't use cookies for advertising.

13. Children's privacy

postme.live is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. Some platforms you connect set a higher minimum age (Meta and YouTube require 13; TikTok requires 13 in most regions and higher in some). You must meet the higher of the platform's minimum age and your country's minimum digital-consent age to use postme.live. If you believe a child has provided us with information, email [email protected] and we will delete it.

14. Changes

We'll post material updates here and notify you in-app or by email. Continued use after the effective date means you accept the updated policy.

15. Contact

Privacy questions or requests: [email protected]
Outback Yak · Melbourne, Australia · ABN 11 672 730 773