Privacy Policy

Last updated: May 18, 2026

post mate ("post mate", "we", "our") is a social-media scheduling and cross-posting tool operated from Ukraine. This policy explains what data we collect, why we collect it, how we store it, who we share it with, and how you can access, export, or delete it.

If anything here is unclear, write to privacy@post-mate.com — a real person reads every message.

1. Who is the data controller

The controller of personal data described below is FOP Shevchyk Yurii Kostiantynovych (Individual Entrepreneur registered in Ukraine, Tax ID / РНОКПП 3649208513; registered address available on request). For GDPR / UK GDPR matters write to privacy@post-mate.com.

2. What we collect

2.1 Account data

  • Email address and display name (from sign-up or Google sign-in)
  • Hashed password (only when you sign up with email + password — never stored in plain text)
  • A randomly generated user ID we use internally to link your records
  • Optional preferences you set (timezone, weekly goal, queue schedule, notification settings)

2.2 Social-account data

When you connect a social network through post mate, we receive and store the minimum necessary to publish on your behalf:

  • Platform handle, display name, profile picture URL, platform user ID
  • OAuth access tokens (and, where applicable, refresh tokens) — encrypted at rest with AES-256-GCM
  • The exact OAuth scopes you granted

Per-platform specifics:

  • Instagram (Meta) — handle, account ID, avatar, aggregated post insights (reach, impressions, likes count, comments count, saves, video views). We never read individual comments, direct messages, or stories of other users.
  • Threads (Meta) — handle, account ID, avatar, aggregated post insights (views, likes, replies, reposts, quotes). We never read reply contents or mentions.
  • Facebook — only the auto-granted public_profile (name, profile picture). We do not store or display it.
  • YouTube (Google) — channel ID, channel name, and the public metrics of videos you upload through post mate. Scopes requested and how they are used are described in detail in §3 below.
  • TikTok — open ID, display name, avatar. We upload videos you submit; TikTok requires user-initiated confirmation before publication.
  • LinkedIn — member ID, name, email, profile picture. We publish to your personal feed only.
  • Pinterest — username, account ID, board list. We create pins on boards you select.
  • Bluesky — handle and an app password you supply (encrypted at rest). We never see or store your main Bluesky password.

2.3 Content data

  • Captions, links, scheduled times, target accounts, and per-platform overrides you set
  • Media files (images, videos, PDFs) you upload — stored on Cloudflare R2 (EU region) and served back to you via signed URLs
  • Status of each publication attempt and the response from the network

2.4 Billing data

Payments are processed by Paddle as Merchant of Record. We receive a subscription identifier, plan, status, and the amount charged. We never see or store card numbers. Paddle's privacy notice applies to the data they collect from you directly: paddle.com/legal/privacy.

2.5 Technical data

  • IP address (for rate limiting and abuse prevention)
  • User-agent string and basic device info (for debugging)
  • Error reports from Sentry (stack traces; we redact request bodies and tokens)
  • Audit log of admin actions on your account

2.6 What we do not collect

  • Your social-network passwords
  • Card or bank details
  • The content of comments, messages, or DMs on any connected platform
  • Facial-recognition data, biometric identifiers, or precise location
  • Browsing history outside post-mate.com

3. Google API Services data (Limited Use)

When you connect a Google account (currently used only for publishing to YouTube) you grant post mate the following OAuth scopes:

  • https://www.googleapis.com/auth/youtube.upload — to upload the videos you submit to your own YouTube channel.
  • https://www.googleapis.com/auth/youtube.readonly — to read your channel ID, channel name, and the public metrics of videos you uploaded through post mate, so we can display publication status in your dashboard.

post mate's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In plain English:

  • We use Google user data only to provide and improve the user-facing features that you signed up for — scheduling videos to your YouTube channel and showing their publication status.
  • We do not transfer Google user data to third parties, except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger / acquisition / sale of assets with your prior explicit notice.
  • We do not use Google user data for serving advertisements, including retargeted, personalised, or interest-based advertising.
  • We do not allow humans to read your Google user data unless we have your explicit consent, do so for security purposes (e.g. investigating abuse), to comply with applicable law, or where the data has been aggregated and anonymised for internal operations.
  • We do not use Google user data to develop, improve, or train generalised AI or machine-learning models.

You can revoke post mate's access to your Google account at any time from myaccount.google.com/permissions or by clicking Disconnect next to your YouTube account in post mate's Settings → Connections. When you revoke or disconnect, the stored OAuth tokens are deleted immediately and we stop accessing Google user data on your behalf. To delete all data post mate holds about you, follow the steps at /legal/data-deletion.

4. How we protect your data

We apply the following technical and organisational measures, with stricter controls applied to sensitive data (OAuth access and refresh tokens, Google user data, Bluesky app passwords, billing identifiers):

  • Encryption in transit — all traffic to post-mate.com, and all calls from our servers to social-network APIs (including Google APIs), use HTTPS with TLS 1.2 or higher.
  • Encryption at rest — OAuth access tokens, refresh tokens, Bluesky app passwords, and other credentials are encrypted at the column level with AES-256-GCM using keys held in a managed secret store (Vercel project secrets), never in source code. Database backups are encrypted by the database provider.
  • Access control — production database, object storage, and secret-store access is restricted to the founder (sole engineer) under the principle of least privilege. There are no shared accounts. All administrative actions on user accounts are recorded in an internal audit log.
  • Monitoring & logging — runtime errors are captured by Sentry with request bodies, query strings, and authorization headers redacted, so OAuth tokens and post content do not leave our infrastructure. Product analytics (PostHog, EU region) never receive Google user data.
  • Bot & abuse protection — sign-up and sign-in endpoints are protected by Vercel BotID and platform-level DDoS mitigation. IP addresses are used for rate limiting only.
  • Vendor due diligence — each sub-processor listed in §6 has a data-processing agreement and is reviewed before being added. Sub-processors do not receive Google user data beyond what is strictly necessary to operate the service (hosting the database row, transmitting the API request, etc.).
  • Data minimisation — we request only the OAuth scopes necessary for the features you enable, and we do not store data we do not need (see §2.6 for what we explicitly do not collect).
  • Incident response — in the event of a personal-data breach affecting Google user data or other personal data, we will notify affected users (by email to the address on file) and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.

5. Why we collect it (legal basis)

Under GDPR we rely on the following bases:

  • Contract — to provide the service you signed up for (account, connections, publishing, billing).
  • Legitimate interest — to keep the service secure (rate limiting, fraud prevention, audit log).
  • Consent — when you authorize a social-network connection via OAuth. You can revoke it any time.
  • Legal obligation — to keep billing records as required by tax law.

6. Who we share it with

We use the following sub-processors. They only receive what they need to run their function, and we have data-processing agreements with each:

  • Vercel (US) — application hosting and serverless functions
  • Neon (EU) — Postgres database
  • Cloudflare R2 (EU) — object storage for media files
  • Cloudflare — CDN, DDoS protection
  • Paddle (UK / US) — payment processing and tax
  • Resend (US) — transactional emails (verification, receipts)
  • Sentry (US, EU region) — error monitoring
  • The social networks you choose to connect — content you publish flows directly to them through their official APIs.

We never sell or rent your data, and we never share it with advertising networks. Google user data is never shared with sub-processors for any purpose other than operating the post mate service itself.

7. How long we keep it

  • Active account data: for as long as your account exists.
  • After you delete your account: all personal data is hard-deleted within 30 days. Encrypted backups roll off within 90 days.
  • Disconnected social accounts: OAuth tokens (including Google / YouTube tokens) are revoked and deleted immediately. Past publishing logs are kept for 90 days for your reference, then anonymised.
  • Billing records: retained for up to 7 years for tax and legal compliance.
  • Sentry error logs: 30 days.

8. Your rights

Wherever you live, you can:

  • Access the data we hold about you (Settings → Export)
  • Correct anything inaccurate (Settings → Profile)
  • Delete your account and all associated data (instructions here)
  • Object to or restrict processing, withdraw consent, or request portability — email privacy@post-mate.com.
  • Lodge a complaint with your local data-protection authority — for Ukrainian residents, that is the Ukrainian Parliament Commissioner for Human Rights.

9. International transfers

Some of our sub-processors are located in the United States. We rely on the EU Standard Contractual Clauses (SCCs) and equivalent safeguards for those transfers.

10. Children

post mate is not intended for children under 16. We do not knowingly collect data from children. If you believe a minor signed up, email privacy@post-mate.com and we will delete the account.

11. Cookies

We use only first-party cookies essential to the service: a session cookie issued by Better Auth, an anti-CSRF token, and short-lived OAuth state cookies. We do not use third-party advertising or analytics cookies.

12. Changes to this policy

If we materially change this policy we will email all active users at least 14 days before the change takes effect. The latest version is always at post-mate.com/legal/privacy.

13. Contact

Email privacy@post-mate.com. We respond within 7 days.