Privacy Policy

1. Information we collect

From developers

• Account data: email address, full name (if provided through your identity provider), and the plan you are on.
• API keys: stored only as a hash; we cannot reveal a key after generation.
• Billing data: processed by Stripe; we receive a Stripe customer ID and subscription state but never your card details.
• Usage logs: request metadata (timestamps, endpoint, status codes, request IDs) used for triage, abuse detection, and billing accuracy.

From end users (via your application)

• OAuth tokens: access and refresh tokens from each Platform a user connects through Synposter. These are encrypted at rest with AES-256-GCM and decrypted only at the moment a post is published or a token is refreshed.
• Platform identifiers: the user's ID and handle on each connected Platform, to display in your dashboard and construct permalinks.
• Post content: the text and media URLs of every post attempted through the Service, retained for audit, debugging, and cross-platform delivery.

2. How we use information

• To operate the Service: authenticate API requests, publish content to Platforms on your behalf, refresh OAuth tokens, and serve the developer dashboard.
• To prevent abuse: rate limiting, anomaly detection, and investigating Terms violations.
• To bill you: track usage against your plan, charge for paid plans through Stripe.
• To communicate with you: account notifications, outage alerts, security advisories, and (with your consent) product updates.
• To meet legal obligations: respond to lawful requests, enforce our Terms, and defend against legal claims.

We do not sell your data, and we do not use end-user content to train machine-learning models.

3. How we share information

We share information only as follows:

• With Platforms: when you publish a post, we transmit the content (text + media bytes) to the relevant Platform's API. The Platform's own privacy policy governs what happens next.
• With infrastructure providers: Supabase (database and object storage), Cloudflare (edge network), and Stripe (billing). These vendors process data on our behalf under written data-processing agreements.
• For legal reasons: when required to comply with a subpoena, court order, or similar lawful demand, or to protect the rights, safety, or property of Synposter, our customers, or the public.
• In a corporate transaction: if we are acquired or merge with another company, your data may be transferred subject to a continuation of this policy.

4. Data security

• OAuth access and refresh tokens are encrypted at rest using AES-256-GCM. The encryption key is held outside the database in a separate secret store.
• API keys are stored only as a SHA-256 hash; we cannot recover a key after generation, only invalidate and regenerate.
• Database connections are TLS-encrypted in transit. Supabase enforces row-level security on every user-scoped table.
• Access to production systems is restricted to a small number of authorized engineers using SSO + 2FA.

No system is perfectly secure. If we discover a breach affecting your data we will notify you without undue delay and within any timelines required by applicable law.

5. Data retention

• Account data is retained while your account is active and for up to 30 days after deletion to allow for cancellation reversal and chargeback handling.
• OAuth tokens are deleted immediately when an end user disconnects their account, when you delete the associated profile, or when you delete your developer account. We make a best-effort attempt to revoke them at the Platform.
• Post audit rows (text, media references, status, timestamps) are retained for the lifetime of your account so you can query historical posts. You can delete individual posts via DELETE /v1/posts/{id}.
• Logs are retained for 90 days for triage and abuse investigation, then purged.

6. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise these rights, email privacy@synposter.com from the address on your account. We will respond within the timelines required by applicable law (typically 30 days).

If you are an end user whose social account was connected through a developer's application: you can revoke authorization directly from the Platform's settings. That immediately invalidates the tokens we hold for your account. To request deletion of any residual data, ask the developer who runs the application; they can remove the connected account through their Synposter dashboard or API.

7. Cookies and analytics

The marketing site (synposter.com) and developer dashboard use a small number of strictly necessary cookies for authentication and CSRF protection. We do not use third-party advertising or behavioral-tracking cookies. We may use a privacy-respecting analytics tool (e.g., Plausible) to count page views in aggregate.

8. International transfers

Synposter is operated from Singapore. Our infrastructure providers operate globally. By using the Service you consent to your data being processed in countries that may have different data-protection laws than your own, subject to the safeguards in our agreements with those providers.

9. Children

The Service is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email and through the dashboard at least 14 days before they take effect.

11. Contact

Privacy questions or requests: privacy@synposter.com. General questions: hello@synposter.com.