Privacy Policy

At Poststack.ai ("we," "our," or "us"), we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our digital marketing agency directory (poststack.ai) and social media content scheduling tool (app.poststack.ai).

This policy applies to our website at https://poststack.ai, our scheduling application at https://app.poststack.ai, and all related services, features, and content.

Service Intent: Our services are intended for business and professional use by individuals aged 18 and above. If you are under 18, you may not use our services.

Our Role: Poststack.ai acts as both a data controller (for our directory service) and data processor (when handling social media data on your behalf for scheduling services).

Information You Provide

• Contact information (name, email address, phone number)
• Agency information (company name, website, services, description)
• Profile information when claiming or editing agency listings
• Communication preferences and newsletter subscriptions
• Payment information (processed securely by PCI-compliant third-party payment processors)
• Any information you provide in contact forms or direct communications

Note on Payment Data: We do not directly store your full credit card information. All payment processing is handled by Dodo Payments, our Merchant of Record, who is PCI DSS-compliant and encrypts and securely stores your payment information. As a Merchant of Record, Dodo Payments also handles tax compliance, fraud protection, and payment security on our behalf.

Information We Collect Automatically

• Device information (IP address, browser type, operating system)
• Usage data (pages visited, time spent, click patterns)
• Cookies and similar tracking technologies
• Referrer information (how you found our website)

Information From Third Parties

• Public business information from LinkedIn and other professional networks
• Publicly available agency information for directory listings
• Analytics data from third-party services

Social Media Platform Data (for app.poststack.ai users)

When you connect your social media accounts to our scheduling service, we collect and process the following information:

• Account access permissions and authentication tokens for connected platforms (including but not limited to Facebook, Instagram, Twitter/X, LinkedIn, TikTok, YouTube, Pinterest, and other supported social networks)
• Profile and account metadata (names, IDs, usernames, profile information)
• Content you create for scheduling (posts, images, videos, captions, hashtags, links)
• Publishing history and scheduled post queue across all connected platforms
• Platform insights and engagement metrics (when you choose to view analytics)
• Connection status and authorization details for each platform

Important: We only access data from social media platforms that you explicitly authorize. By connecting a social media account, you agree to provide information under that platform's terms and privacy policies. We rely on you to comply with applicable privacy laws when sharing content about individuals through our services.

We use your information for the following purposes:

• Directory Services: To maintain and display agency listings
• Social Media Publishing (app.poststack.ai): To schedule and publish content to your connected social media accounts (Facebook, Instagram, Twitter/X, LinkedIn, TikTok, YouTube, Pinterest, and other supported platforms) on your behalf, store your scheduled posts until publication time, manage your social media posting queue across multiple platforms, and provide analytics on published content performance
• Communication: To respond to inquiries and send newsletters
• Verification: To verify agency ownership and authenticity
• Service Improvement: To analyze usage and improve our platform
• Legal Compliance: To comply with applicable laws and regulations
• Marketing: To send relevant updates and promotional content (with consent)

We may share your information in the following circumstances:

• Public Directory: Agency information is publicly displayed in our directory
• Social Media Platforms: We share your scheduled content with your connected social media platforms (Facebook, Instagram, Twitter/X, LinkedIn, TikTok, YouTube, Pinterest, etc.) at the time you choose to publish. We use each platform's official APIs to publish posts on your behalf. We do NOT share your social media data with any other third parties beyond the platforms you've authorized.
• Service Providers: With trusted third parties who help us operate our service (detailed below)
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In the event of a merger, acquisition, or sale
• Consent: When you have given explicit consent for specific sharing

Third-Party Service Providers

We work with the following categories of service providers who may process your data:

• Payment Processing (Dodo Payments): Our Merchant of Record for handling all payment transactions, tax compliance, fraud protection, and secure storage of payment information
• Cloud Hosting: For application infrastructure and data storage
• Database Services: For secure data storage and management
• Authentication Services: For secure user authentication
• Email Services: For sending transactional and marketing emails
• Analytics Providers: For understanding service usage and performance

All service providers are bound by data processing agreements that ensure GDPR compliance and appropriate data protection measures.

We do not sell your personal information to third parties.

We implement appropriate technical and organizational measures to protect your personal data:

Technical Safeguards

• Encryption in Transit: TLS 1.2+ for all data transmission
• Encryption at Rest: Database encryption and secure file storage
• API Token Protection: Facebook/Instagram access tokens are encrypted, never logged, and stored in secure environment variables
• Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA) for all administrative accounts
• Automated Security Monitoring: Real-time logging of data access attempts and alerts for suspicious activity

Organizational Safeguards

• Regular security assessments and vulnerability testing
• Employee security and privacy training programs
• Background checks for staff with data access
• Documented security policies and incident response procedures
• Regular backups and disaster recovery procedures
• Secure hosting with reputable cloud providers

Under applicable privacy laws (including GDPR), you have the following rights:

• Access: Request access to your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your personal data
• Portability: Request transfer of your data
• Objection: Object to processing of your data
• Restriction: Request limitation of processing
• Withdraw Consent: Withdraw consent at any time
• Disconnect Social Media: Immediately revoke Poststack's access to any connected social media accounts and request data deletion

To exercise these rights, contact us at [email protected]

We use cookies and similar technologies to:

• Remember your preferences and settings
• Understand how you use our service
• Improve your user experience
• Measure the effectiveness of our marketing

You can control cookies through your browser settings. However, disabling cookies may affect some functionality of our service.

We retain your personal data only for as long as necessary to:

• Provide our services to you
• Comply with legal obligations
• Resolve disputes and enforce agreements

Specific Retention Periods

• Social Media Access Tokens: Stored until you disconnect your account or after 60 days of inactivity
• Scheduled Post Content: Deleted 30 days after successful publication
• Published Post History: Retained for up to 12 months for analytics purposes, unless you request earlier deletion
• Account Data: Retained while your account is active and for 30 days after account deletion to allow for recovery
• Deleted Data: All data, including backups, permanently removed within 30 days of deletion request

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data during such transfers, including standard contractual clauses and adequacy decisions.

Data Processing Locations

Your data may be processed in the following locations:

• Primary Data Storage: United States (cloud infrastructure)
• Social Media Platforms: Data is transferred to each connected platform's servers (Facebook/Meta in USA, Twitter/X in USA, etc.) when publishing content
• Backup Storage: May be replicated across multiple geographic regions for redundancy

Note: When you publish content to social media platforms, your content becomes subject to that platform's terms, privacy policy, and data processing locations. Content shared on social media can be accessed globally according to each platform's sharing settings.

All data processors and service providers are bound by Data Processing Agreements (DPAs) ensuring GDPR-compliant data protection measures. For transfers outside the European Economic Area (EEA), we rely on Standard Contractual Clauses approved by the European Commission.

We process your personal data under the following legal bases as required by GDPR:

• Consent: You explicitly consent when connecting Facebook/Instagram accounts to our scheduling service, subscribing to newsletters, or accepting cookies for analytics purposes
• Contract Performance: To provide our directory and scheduling services as outlined in our Terms of Service
• Legitimate Interest: To improve our services, ensure platform security, prevent fraud, and provide customer support
• Legal Obligation: To comply with applicable laws, regulations, and legal processes

You may withdraw your consent at any time by disconnecting your social media accounts, unsubscribing from communications, or deleting your account. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.

For users of our scheduling service (app.poststack.ai), you have multiple ways to delete your social media data:

User-Initiated Deletion

• Disconnect Social Media Accounts: Visit your account settings and disconnect any connected platform (Facebook, Instagram, Twitter/X, LinkedIn, TikTok, YouTube, Pinterest, etc.). Your social media data for that platform will be deleted within 48 hours.
• Delete Your Poststack Account: Deleting your account removes all data, including all social media connections, within 30 days.
• Request Specific Data Deletion: Email [email protected] to request deletion of specific data or individual platform data.

Platform-Initiated Deletion

If you remove Poststack's access through a social media platform's settings (such as Facebook's App Settings or Twitter's Connected Apps), we will automatically receive a deletion request where supported and delete all data associated with that platform within 30 days. You'll receive confirmation once deletion is complete.

Facebook/Instagram Specific: We implement Facebook's Data Deletion Callback to automatically process deletion requests initiated through Facebook settings.

What Gets Deleted

• All social media access tokens and credentials (immediately)
• Scheduled posts and content queue for disconnected platforms (immediately)
• Published post history and analytics for disconnected platforms (within 30 days)
• Account metadata for disconnected platforms (within 30 days)
• All data backups and cached information (within 30 days)

Important Note: Content already published to social media platforms remains on those platforms according to their respective policies. To remove published content, you must delete it directly from the social media platform. We cannot delete content from third-party platforms once published.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Your California Rights

• Right to Know: Request disclosure of personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of your personal information
• Right to Limit Use: Limit use and disclosure of sensitive personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

Important: We do not sell your personal information to third parties. We do not share personal information for cross-context behavioral advertising.

Categories of Personal Information We Collect

• Identifiers (name, email, IP address)
• Commercial information (payment history, subscriptions)
• Internet activity (usage data, browsing history on our site)
• Professional information (agency details, business information)
• Social media data (with your consent, for scheduling services)

To exercise your California privacy rights, contact us at [email protected] with "California Privacy Rights" in the subject line.

Our services are intended for business and professional use by individuals aged 18 and above. We do not knowingly collect personal information from individuals under 18. If you are under 18, you may not use our services.

If you believe we have collected information from someone under 18, please contact us immediately at [email protected] and we will take steps to delete such information.

We may update this privacy policy from time to time. When we do, we will:

• Update the "last updated" date at the top of this page
• Notify you of significant changes via email or website notice
• Provide you with the opportunity to review the changes

If you have any questions about this privacy policy or our data practices, please contact us:

We will respond to your inquiries within 30 days.