LEGAL DOCUMENT

Privacy Policy

How Postally collects, uses, shares, and protects your information when you use our social media management platform.

Last updated: June 2026
Effective immediately

Postally (postally.io) is a social media management platform that lets you connect social accounts, schedule and publish content, and view performance analytics from one dashboard. This policy explains what data we collect, how we use and share it, the legal basis for doing so, and the rights you have over your data.

By using Postally you agree to the practices described here. Terms used in this policy have the same meaning as in our Terms of Service.

Who We Are

Postally is the entity that operates the Service and is the data controller for the personal data described in this policy. For privacy questions, data subject requests, or any other privacy-related inquiry, contact us at hello@postally.io.

What We Collect

Account information

Your name, email address, password (stored hashed), and any profile details you choose to provide. If you join or create a team workspace, we also store workspace name, member roles, and invitation status.

Billing information

If you subscribe to a paid plan, payments are processed by Dodo Payments, our payment processor, which collects and handles your payment details directly under its own privacy policy. Postally stores only the billing metadata needed to manage your subscription — customer identifier, plan, billing period, and subscription status. We do not store full card numbers.

Content you create

Posts, captions, comments, scheduled drafts, AI-generated drafts, and media you upload to Postally for publishing across your connected accounts.

Data from your connected social accounts

When you connect a social account to Postally via OAuth — for example Facebook, Instagram, LinkedIn, X (Twitter), YouTube, TikTok, Threads, or Bluesky — we access the following through that platform's official API:

  • Account profile — id, name, username, profile picture, and any platform-specific linkage (for example, the Facebook Page linked to an Instagram Business account).
  • Account or channel metadata required to publish on your behalf.
  • Posts, captions, media, comments, and replies you publish through Postally.
  • Performance metrics — reach, impressions, views, likes, reposts/retweets, saves, shares, comments, follower counts, and other engagement metrics exposed by each platform for your own posts and account, used to render analytics in your dashboard.
  • Access and refresh tokens — encrypted at rest, used solely to authorize API calls on your behalf.

This data is used only inside your Postally dashboard. We never sell it, share it for advertising, or use it to train AI models.

Usage and log data

When you use Postally we collect standard server and application logs — IP address, browser and device type, approximate location derived from IP, pages and features accessed, timestamps, and error diagnostics. We use this for security, abuse prevention, debugging, and product analytics.

Communications

If you contact us by email, in-app chat, or social channels we retain those messages so we can respond and so we can review support history if you contact us again.

How We Use Your Data

We use the data we collect for the following purposes. Where EU/UK GDPR applies, the legal basis for each is identified in parentheses.

  • Provide the Service — authenticate you, publish content you have explicitly composed or scheduled, and render analytics for your connected accounts (performance of contract).
  • Billing and subscription management — process payments, issue invoices, and prevent payment fraud (performance of contract; legal obligation).
  • Security and abuse prevention — detect unauthorized access, abuse, or policy violations and protect the integrity of the Service (legitimate interest).
  • Product improvement — analyze aggregated usage data to fix bugs, improve features, and prioritize roadmap (legitimate interest).
  • Service communications — notify you of account, security, billing, or material product changes (performance of contract; legitimate interest).
  • Marketing communications — send occasional product updates or marketing email (consent; you can opt out at any time).
  • Legal compliance — respond to lawful requests, defend our legal rights, and meet tax, accounting, and regulatory obligations (legal obligation).

We do not sell your data, share it with third-party advertisers, or use it to train external AI models.

AI Features

Postally includes AI-assisted features such as caption generation, image generation, content suggestions, and personas. When you use these features, the text and images you provide as input are sent to third-party AI model providers that process the input on our behalf solely to return a response.

AI features are opt-in: nothing is sent to an AI provider unless you trigger a feature that uses one. You can avoid AI processing entirely by not using these features.

Sharing Your Data

We share your data only with the following categories of recipients, and only for the purposes described:

  • Service sub-processors — cloud hosting, database, queue, transactional email, error monitoring, payment processing, and AI providers. Each is bound by a data processing agreement and only processes data on our instructions.
  • Connected social platforms — content, comments, and metadata you choose to publish are sent to the social platforms you have connected.
  • Team workspace members — if you join or create a team workspace, other members of that workspace can see content, drafts, and connected accounts shared inside the workspace.
  • Legal and regulatory authorities — when we are legally required to disclose information in response to a valid legal request.
  • Successor entities — in connection with a merger, acquisition, financing, or sale of assets, your data may be transferred to the successor, who will be bound by privacy commitments at least as protective as these.

International Data Transfers

Postally and its service providers operate from infrastructure located in multiple countries, which means your data may be processed and stored outside your country of residence. By using the Service you acknowledge this transfer.

Social Media API Compliance

Postally's use and transfer of information received from social media APIs adheres to each platform's API Services User Data Policy and Developer Terms, including the Limited Use requirements where applicable. This includes, but is not limited to:

  • Meta Graph API (Facebook and Instagram) — Meta Platform Terms and Developer Policies.
  • LinkedIn Marketing Developer Platform — LinkedIn API Terms of Use.
  • X (Twitter) API — X Developer Agreement and Policy.
  • YouTube Data API — YouTube API Services Terms and the Google API Services User Data Policy, including its Limited Use requirements.
  • TikTok Open API — TikTok Developer Terms of Service.
  • Threads API — Meta Platform Terms.
  • Bluesky / AT Protocol — Bluesky Terms of Service.

Your Rights

Depending on where you live, you have the right to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Delete your data and your Postally account.
  • Export a copy of your data in a portable format.
  • Restrict or object to certain processing, including processing based on legitimate interest.
  • Withdraw consent at any time, where processing is based on consent.
  • Complain to a supervisory authority. EU residents can lodge a complaint with their national data protection authority; UK residents with the Information Commissioner's Office.

To exercise any of these rights, email hello@postally.io. We respond within 30 days and may ask you to verify your identity before acting on a request. You can also revoke Postally's access to a connected social account at any time directly from that platform's account settings.

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the right to know what personal information we collect about you, to request deletion or correction of that information, to receive a portable copy, and to limit the use of sensitive personal information. We do not sell personal information and we do not share it for cross-context behavioral advertising. To exercise these rights, email hello@postally.io. We will not discriminate against you for exercising any of these rights.

Data Retention

We retain your data only as long as needed to provide the Service and meet legal obligations:

  • Connected-account data (profile, posts, metrics) — removed when you disconnect that account from Postally.
  • Account-level data — removed on request by emailing us, except where we are legally required to retain it.
  • Access and refresh tokens — revoked when you disconnect the corresponding social account.
  • Billing and invoice records — retained for the period required by applicable tax and accounting law.
  • Server and security logs — retained for a limited period for security, abuse prevention, and debugging.

Data accessed through social platform APIs is handled in accordance with each platform's Limited Use requirements and deleted once it is no longer needed to perform the action you requested.

Security

We use commercially reasonable technical and organizational safeguards to protect your data, including encryption in transit (TLS), password hashing, least-privilege access controls, and audit logging. No method of transmission or storage is 100% secure, so while we strive to protect your data we cannot guarantee its absolute security.

Cookies and Tracking

Postally uses cookies and similar technologies to keep you signed in, remember your preferences, and measure how the Service is used. You can accept or refuse non-essential cookies via your browser settings. Refusing essential cookies may limit parts of the Service. Postally does not currently respond to browser "Do Not Track" signals, as no consensus standard for their interpretation exists.

Marketing Communications

If you have opted in to marketing email, you can unsubscribe at any time using the link in any marketing message or by emailing hello@postally.io. Transactional messages relating to your account, security, billing, or material service changes are not subject to opt-out.

Children's Privacy

Postally is not directed to children under 13, and we do not knowingly collect personal information from them. If we learn that we have collected information from a child under 13 we delete it. If you are a parent or guardian and believe your child has provided us with personal information, contact us at hello@postally.io.

Links to Other Sites

Postally may link to third-party sites we do not operate. We are not responsible for their content or privacy practices and recommend you review their policies before sharing any information.

Changes to This Policy

We may update this policy from time to time. The latest version will always be posted on this page with an updated date at the top. For material changes we will notify you in-app or by email before the change takes effect.

Contact Us

Questions about this policy or requests under any privacy law — email us at hello@postally.io.