Privacy Policy

Last updated 2026-05-14

1. Who we are

Poostit (“Poostit,” “we,” “us”) is an all-platform social scheduling tool. This Privacy Policy describes what information we collect, how we use it, and the choices you have. It applies to the Poostit website and the scheduling product (collectively, the “Service”).

Contact: poostitapp@gmail.com.

2. Information we collect

a) Information you give us

  • Account details: email address, an optional name, and (for waitlist signups) an optional social handle and primary platform preference.
  • Post content you create or schedule: titles, descriptions, link URLs, alt text, tags, image files you upload, destination selection (Pinterest board, Tumblr blog, Instagram / Threads account), and scheduled time.
  • Connected-platform credentials: OAuth access tokens, refresh tokens when issued, granted scopes, token expiration times, and basic identity info returned by each platform (username, account type, primary blog name).
  • Feedback you send through the in-app feedback widget: rating (if any), message text, optional screenshot (bug-report mode), and the email you provide for follow-up.

b) Information from connected platforms

When you connect a third-party platform, we use its official API to retrieve only what is necessary to operate the Service. Each platform's minimum scopes are listed below; we do not request scopes we do not use.

  • Pinterest — basic profile (username, account type), your boards (id, name, privacy), and the IDs of pins we publish on your behalf. Scopes: user_accounts:read, boards:read, pins:read, pins:write.
  • Tumblr — your username and primary blog name, and the IDs of posts we publish on your behalf. Scopes: basic, write, offline_access.
  • Instagram — your basic profile (id, username, account type) and the IDs of posts and carousel containers we create on your behalf. Scopes: instagram_business_basic, instagram_business_content_publish. We use the Instagram API with Instagram Login (Business and Creator accounts).
  • Threads — your basic profile (id, username) and the IDs of posts and carousel containers we create on your behalf. Scopes: threads_basic, threads_content_publish.

c) Automatic information

  • Standard server logs (IP, user agent, timestamp) for security and abuse prevention. Logs are retained for up to 30 days.
  • Anonymous page-view and Web Vitals metrics via Vercel Analytics. We do not use third-party advertising trackers. We do not sell personal information.

3. How we use your information

  • To operate the scheduler: store your queue, render the calendar, and publish posts on time.
  • To call each connected platform's API on your behalf, using your stored token, to read the destinations available to you (boards, blogs) and to publish the posts you scheduled.
  • To surface engagement stats (impressions, likes, notes) when you ask, by fetching them live from each platform's analytics endpoint.
  • To communicate with you about your account, beta access, invitations, and critical service notices.
  • To detect, prevent, and respond to abuse, fraud, or security incidents.

We do not train AI models on platform data. We do not use platform data for any purpose other than delivering the features you've asked Poostit to perform.

4. Connected-platform data: specific commitments

Because Poostit accesses third-party data through their official APIs, we follow each platform's Developer Policy and Terms of Service in addition to this Policy (Pinterest Developer Guidelines, Tumblr API Terms, Meta Platform Terms for Instagram and Threads). Specifically:

  • We do not sell, license, or share connected-platform data with third parties for advertising, training, or analytics.
  • We retain platform data only as long as necessary to operate the Service. When you disconnect a platform or delete your Poostit account, we revoke the token and delete stored platform data within 30 days. Already-published posts remain live on the platform itself — they belong to your account there.
  • We honor each platform's caching and refresh requirements, and we re-fetch live data (boards, blog names, container status) when accuracy matters.
  • We do not attempt to derive or infer information about platform users that they have not explicitly chosen to share with our connected user.
  • Uploaded images are stored on our infrastructure long enough to serve them to each platform's API during publish; we garbage-collect them within 7 days after a successful publish.

5. Sharing

We share information only:

  • With the platform you connected (Pinterest, Tumblr, Instagram, or Threads), when you ask us to publish or read content on your behalf. Image URLs we send to those platforms must be publicly fetchable by their servers — they retrieve the file before publishing.
  • With infrastructure providers who host the Service under contract: Convex (database, serverless functions, file storage), Vercel (frontend hosting + analytics), and Resend (transactional email). These providers process data on our instructions and are bound by confidentiality.
  • If required by law, or to protect the rights, safety, or property of Poostit, our users, or the public.

We never sell your data.

6. Storage and security

Tokens and user data are stored in Convex with encryption at rest and in transit. Access tokens are never exposed to the browser. We use OAuth 2.0 (or OAuth 1.0a where the platform requires it) with state verification on every authorization flow. We follow the principle of least privilege for production data access.

7. Your choices and rights

  • Disconnect any platform at any time from Connections. This revokes the token from our side; you can also revoke it from the platform's own app-permissions page (Pinterest, Tumblr, Meta Business Suite).
  • Access, correct, or delete the data we hold by emailing poostitapp@gmail.com. See the next section for the explicit deletion path.
  • Leave the waitlist by replying to any waitlist email or emailing us.
  • Residents of the EU/UK and California may have additional rights (access, portability, deletion, opt-out of sale; we don't sell anyway). Contact us to exercise them.

8. Data deletion

You can request deletion of your Poostit account and all associated data at any time. There are two paths:

  • From the app: go to Connections and disconnect each platform. Then email us at poostitapp@gmail.com with the subject “Delete my account.”
  • By email only: email poostitapp@gmail.com from the address tied to your Poostit account, subject “Delete my account.” Include the email you signed up with if it differs.

We complete deletion within 30 days. This revokes any platform tokens we hold for you, removes your scheduled and draft posts, deletes uploaded images from our storage, and removes your account record. Already-published posts on Pinterest, Tumblr, Instagram, or Threads stay live on those platforms — they belong to your account there, and you can delete them through the platform's own interface.

9. Children

Poostit is not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will delete it.

10. International transfers

Poostit is operated from the United States. If you use the Service from another region, your information may be transferred to and processed in the U.S. by us and our subprocessors.

11. Changes

We'll update this page when our practices change. Material changes will be announced via email to active users. The “Last updated” date at the top reflects the latest revision.

12. Contact

Questions, requests, or complaints? Email poostitapp@gmail.com. We respond within 14 days.