PostPad

Privacy Policy

Last updated: April 19, 2026

Overview

PostPad (“we”, “us”) provides a service for scheduling and publishing videos to social media platforms. This policy explains what data we collect, how we use it, and your rights.

Data we collect

  • Account data: email address, name, and password hash (never stored in plain text).
  • Connected platform accounts: we store an encrypted OAuth access token and refresh token for each social account you connect (Instagram, TikTok, YouTube). Tokens are encrypted at rest using AES-256-GCM.
  • Media: videos you upload are stored in Cloudflare R2. We store metadata (filename, size, duration, dimensions) in our database.
  • Scheduled posts: caption, target account, scheduled time, publish status, error history.
  • Operational logs: API request logs and error traces (with tokens redacted) for debugging. Retained 30 days.

How we use it

We use your data only to provide the service: authenticate you, publish your scheduled posts, send transactional email (verification, password reset, failure alerts), and diagnose errors. We do not sell your data or share it with third parties except as required to deliver the service (see below).

Third-party processors

  • Instagram, TikTok, YouTube: we send your videos and captions to these platforms on your behalf when you schedule a post.
  • Cloudflare R2: video file storage.
  • Resend: transactional email delivery.
  • Sentry: error tracking (request headers and tokens are redacted before transmission).

Your rights

You can request deletion of your account and all associated data at any time. From inside the app, open Settings → Delete my account. Your data is removed immediately and irreversibly. If you requested deletion from Meta’s account settings, our Data Deletion Callback processes the request automatically.

Data retention

Data is retained while your account is active. Upon deletion, account data, media, and tokens are removed immediately. Anonymized operational logs may persist up to 30 days for debugging.

Security

All data is transmitted over HTTPS. Platform OAuth tokens are encrypted at rest. Passwords are hashed with industry-standard algorithms. We follow a defense-in-depth approach including rate limiting, CSP/HSTS headers, and regular security reviews.

Contact

For privacy questions, email [email protected].