Legal
Privacy Policy
Last updated: May 25, 2026
This Privacy Policy describes how Postcrow ("we", "us", or "Postcrow") collects, uses, and protects information when you use postcrow.app(the "Service"). We follow the European General Data Protection Regulation (GDPR).
1. Who we are
Postcrow is a multi-platform social media scheduling tool. The data controller for the personal data we process is Postcrow. You can reach us at [email protected].
2. What we collect
- Account data — your email, a securely hashed password (adaptive scrypt, handled by better-auth), and the display name you choose.
- Project data — the projects you create, their names, time zones, and descriptions.
- Connected social accounts — OAuth access tokens and refresh tokens for the social platforms you choose to connect (Facebook, Instagram, LinkedIn, X, Pinterest, YouTube, TikTok), along with the public account name and ID returned by each platform.
- Post content you compose — text, media URLs, scheduled times, and per-platform publication results.
- Activity log — minimal audit records of significant actions (login, post create/publish, account connect) for security and debugging.
- Session metadata — IP address and user agent of the device that logged in, kept with the active session.
We do not collect: third-party advertising identifiers, browsing history outside Postcrow, contacts, location beyond approximate country from IP.
3. Why we process it (lawful basis)
- Performance of contract (Art. 6(1)(b) GDPR) — to provide the scheduling, publishing, and analytics service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR) — to keep the Service secure, prevent abuse, and improve reliability.
- Consent (Art. 6(1)(a) GDPR) — when you explicitly connect a social platform via OAuth, you consent to us storing the token to publish on your behalf.
4. Who we share it with
We never sell your data. We share data only with the following categories of processors, strictly to operate the Service:
- Social platforms you connect— when you schedule a post, its content and any attached media are sent to the relevant platform's API (Meta, LinkedIn, X, Pinterest, etc.). Each platform has its own privacy policy.
- Anthropic (Claude API) — when you use the AI caption feature, the prompt you write is sent to Anthropic for processing. We forward only the text you typed, not your account data.
- Infrastructure providers — our application server and Postgres database are hosted in the European Union (Frankfurt, Germany).
- Payment processor (Stripe — when subscription plans launch) — billing information is handled directly by Stripe; we never see your card number.
5. International transfers
Postcrow servers are in the EU. However, social platforms you connect (Meta, LinkedIn, X, Pinterest, Google/YouTube, TikTok) operate globally and may process the content you publish to them in the United States or elsewhere. We have no control over where each platform processes content you sent them via Postcrow.
6. How long we keep it
- Active accounts — we keep your data as long as your account exists.
- Deleted accounts — within 30 days of deletion all your data, including connected tokens, posts, and analytics, is permanently removed from our database. Backups expire within 60 days.
- Session records — purged when the session expires (30 days maximum) or when you log out.
- Activity logs — kept for 12 months for security review, then deleted.
7. Your rights under GDPR
You can exercise the following rights at any time by emailing us at [email protected]. We respond within 30 days.
- Right of access — request a copy of your data.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — delete your account and all associated data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to restriction — limit how we process your data.
- Right to object — object to processing based on legitimate interest.
- Right to lodge a complaint — with your national data protection authority (in France: the CNIL).
8. Cookies
Postcrow uses only essential and functional cookies. See our Cookie Policy for the full list.
9. Security
Passwords are hashed using an industry-standard adaptive algorithm (scrypt, handled by better-auth) before being stored. Sessions are HTTP-only, SameSite=Lax cookies signed server-side. All traffic is encrypted over HTTPS. We review access to the production database, and only authorized personnel can connect to it via an SSH tunnel.
10. Children
Postcrow is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.
11. Changes to this policy
We will notify registered users by email at least 14 days before any material change. The current version is always available at this URL with the date above.
12. Contact
Questions or requests: [email protected].