Privacy Policy
Last updated: March 11, 2026
PostPanther ("PostPanther", "we", "our", or "us") respects your privacy and is committed to protecting it. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at postpanther.com and our application at app.postpanther.com (collectively, the "Service").
By using PostPanther, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.
Information We Collect
1.1 Account Information
When you create a PostPanther account, we collect:
- Full name and email address
- Encrypted password credentials
- Billing and subscription information (processed by Stripe; we do not store full card numbers)
1.2 Social Media Account Information
When you connect your social accounts, we collect and store:
- Social media profile names, usernames, and display names
- Page IDs, channel IDs, and account identifiers assigned by each platform
- OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM)
- Profile photos and cover images (as provided by the platform APIs)
1.3 Content You Create
- Post text, captions, hashtags, and links you draft or schedule
- Images, videos, and other media files you upload
- Scheduled publishing dates and times
1.4 Analytics Data
We retrieve analytics data from connected platform APIs (with your authorization) to display in your dashboard, including:
- Post reach, impressions, engagement rates, likes, comments, and shares
- Follower counts and audience growth metrics
- Click-through rates and link performance data
1.5 Usage and Technical Data
- IP address and approximate geographic location
- Browser type, device type, and operating system
- Features used, pages visited, and interaction timestamps
- Billing history and subscription plan data
- Error logs and performance diagnostics (via Sentry)
Important:
- OAuth tokens are encrypted using AES-256-GCM and never stored in plaintext
- We do not sell your personal data or your social media content
- All data is encrypted in transit (TLS) and at rest (AES-256-GCM)
How We Use Your Information
We use the data we collect solely to operate and improve the Service. Specifically, we use your information to:
- Publish, schedule, and manage social media posts on your behalf using the permissions you grant via OAuth
- Display analytics and performance metrics for your connected accounts in your PostPanther dashboard
- Manage your content calendar, drafts, and scheduled queue
- Authenticate your identity and maintain your session
- Process subscription payments and manage billing through Stripe
- Send transactional emails (account confirmations, password resets, billing receipts) via Resend
- Diagnose errors, monitor performance, and improve service reliability
- Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations and enforce our Terms of Service
We do not use your social media content or credentials to train AI models, conduct advertising, or share data with unrelated third parties.
Third-Party Platform Integrations
PostPanther integrates with the following social media platforms. In each case, we access their APIs only with your explicit authorization via the platform's official OAuth flow, and we use only the permissions you grant. You may disconnect any platform at any time from your PostPanther account settings.
Facebook
We use the Facebook Graph API to publish posts to Facebook Pages you authorize. We request only the permissions necessary to post content, read page insights, and manage your connected Page(s). Your authorization is obtained via Facebook's OAuth flow. We adhere to the Facebook Platform Policy.
Instagram
We use the Instagram Graph API (via Facebook) to publish posts, stories, and reels to Instagram Business and Creator accounts you authorize. We request only the permissions needed to publish content and retrieve media insights. Authorization is obtained via Meta's OAuth flow. We adhere to Meta's Platform Policies.
Threads
We use the Threads API to publish text and media posts to your Threads profile. We access your account only after you authorize PostPanther via the Threads OAuth flow, using only the permissions required to create posts on your behalf.
Twitter / X
We use the Twitter/X API v2 to post tweets and retrieve basic account metrics. We request only the permissions necessary to create posts and read tweet analytics for the account(s) you connect via Twitter's OAuth 2.0 flow. We comply with X Developer Policy.
LinkedIn
We use the LinkedIn API to publish posts to your LinkedIn Profile or LinkedIn Pages you administer. We access your LinkedIn account only after authorization via LinkedIn's OAuth 2.0 flow, using only the permissions granted to create posts and retrieve post statistics. We comply with the LinkedIn API Terms of Use.
YouTube
We use the YouTube Data API v3 to upload videos and manage posts to YouTube channels you authorize. Authorization is performed via Google's OAuth 2.0 flow. We request only the permissions necessary to upload content and retrieve video analytics. We comply with YouTube's API Terms of Service and Google's Privacy Policy.
Google Business Profile
We use the Google My Business API to publish posts and updates to Google Business Profile locations you manage. Authorization is performed via Google's OAuth 2.0 flow. We request only the minimum permissions necessary to post content on your behalf, and we comply with Google's Privacy Policy.
Reddit
We use the Reddit API to submit posts to subreddits on behalf of Reddit accounts you authorize. Authorization is obtained via Reddit's OAuth 2.0 flow. We request only the permissions needed to create posts and read basic submission data. We comply with Reddit's Developer Terms.
Pinterest
We use the Pinterest API to create Pins and publish content to boards on Pinterest accounts and business accounts you authorize. Authorization is performed via Pinterest's OAuth 2.0 flow. We request only the permissions required to publish Pins and retrieve basic Pin analytics. We comply with Pinterest's Developer Guidelines.
TikTok
We use the TikTok Content Posting API to upload and publish videos to TikTok accounts you authorize. Authorization is obtained via TikTok's OAuth 2.0 flow. We request only the permissions necessary to post content on your behalf and retrieve basic video performance metrics. We comply with TikTok's Developer Terms of Service.
Bluesky
We use the Bluesky AT Protocol API to publish posts to Bluesky accounts you authorize. We access your account only with your explicit credential authorization and use only the permissions required to create posts on your behalf.
Telegram
We use the Telegram Bot API to publish messages to Telegram channels or groups you authorize PostPanther to manage. We access your Telegram channel only with your explicit authorization and use only the permissions required to send messages on your behalf.
Data Storage & Security
We implement industry-standard security measures to protect your data:
- Database: User data is stored in a PostgreSQL database with access controls and regular backups
- Token Encryption: All OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before being stored in our database
- Data in Transit: All communications are encrypted using TLS (HTTPS) at all times
- Infrastructure: The Service is hosted on Vercel (web application) and Railway (backend services), both of which maintain their own security certifications
- Media Storage: Uploaded media files are stored on Bunny CDN with secure, access-controlled storage
- Error Monitoring: We use Sentry for error tracking; Sentry may receive sanitized error data and stack traces but does not receive your OAuth tokens or post content
While we implement strong security measures, no system is 100% secure. We encourage you to use a strong password and to contact us immediately if you suspect unauthorized access to your account.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal data to any third party.
We share data only in the following limited circumstances:
Connected Social Platforms
When you publish content, we transmit your post data (text, media, metadata) to the social platforms you have explicitly connected and authorized. This data sharing is the core function of the Service and is performed only at your direction.
Stripe — Payment Processing
We use Stripe to process subscription payments. Stripe receives your billing information (name, email, payment card details). We do not store full card numbers. Stripe's use of your data is governed by the Stripe Privacy Policy.
Bunny CDN — Media Storage
Media files you upload are stored on Bunny CDN's infrastructure. Bunny CDN acts as a data processor on our behalf and does not use your media for any independent purpose.
Resend — Transactional Email
We use Resend to deliver transactional emails (account confirmations, billing receipts, password resets). Resend receives your email address and the content of transactional messages only.
Sentry — Error Monitoring
We use Sentry to detect and diagnose application errors. Sentry receives sanitized error reports and stack traces. We configure Sentry to exclude sensitive personal data, OAuth tokens, and post content from error payloads.
Legal Requirements
We may disclose your information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of PostPanther, our users, or the public.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
Cookies & Session Data
PostPanther uses a minimal cookie footprint:
- Session Cookie: A JWT-based session cookie is used to authenticate you and maintain your login state. This cookie is HttpOnly, Secure, and SameSite, and expires when your session ends or when you log out.
- No Third-Party Tracking Cookies: We do not use advertising cookies, cross-site tracking cookies, or behavioral analytics cookies.
You can control cookies through your browser settings. Disabling the session cookie will prevent you from logging in to the Service.
Data Retention
We retain your personal data for as long as your PostPanther account is active. Specifically:
- Account data (name, email, settings) is retained for the lifetime of your account
- OAuth tokens for connected platforms are retained until you disconnect the platform or delete your account
- Post content and media are retained until you delete them or delete your account
- Billing records may be retained for up to 7 years to comply with financial and tax regulations, even after account deletion
- Analytics data is retained for the life of your account and deleted upon account deletion
You may request deletion of your account and all associated personal data at any time by contacting us at privacy@postpanther.com. We will process deletion requests within 30 days.
Your Rights & Choices
Regardless of your location, you have the following rights with respect to your data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request that we delete your personal data and account
- Data Export: Request an export of your data in a portable format
- Disconnect Accounts: Disconnect any connected social media platform at any time from your PostPanther account settings, which will revoke our access and delete the associated OAuth tokens
- Restrict Processing: Request that we limit how we use your data in certain circumstances
To exercise any of these rights, contact us at privacy@postpanther.com. We will respond within 30 days.
GDPR — European Users
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent laws apply to our processing of your personal data.
Lawful Basis for Processing
We rely on the following legal bases to process your personal data:
- Contract performance: Processing your account data, social media tokens, and post content is necessary to deliver the Service you have contracted with us for
- Legitimate interests: We process usage and diagnostic data to maintain security, prevent fraud, and improve the Service
- Legal obligation: We retain billing records to comply with financial and tax laws
- Consent: Where we rely on consent (e.g., optional marketing communications), you may withdraw consent at any time
Your GDPR Rights
In addition to the rights listed in Section 8 (Your Rights & Choices), EU/EEA users have the right to:
- Object to processing based on legitimate interests
- Not be subject to solely automated decision-making that has legal effects
- Lodge a complaint with a supervisory authority in your EU member state
International Data Transfers
Our infrastructure is hosted in the United States. If you are located in the EEA or UK, your personal data is transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and other GDPR-compliant transfer mechanisms for such transfers. For questions about international transfers or to request a copy of our Data Processing Agreement (DPA), contact us at privacy@postpanther.com.
CCPA — California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights regarding your personal information.
Your California Rights
- Right to Know: The categories and specific pieces of personal information we have collected about you
- Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights
We do not sell personal information.
PostPanther does not sell, share for cross-context behavioral advertising, or otherwise monetize your personal information to third parties.
To exercise your California rights, contact us at privacy@postpanther.com with "CCPA Request" in the subject line. We will respond within 45 days as required by law.
Children's Privacy
PostPanther is not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected data from a child, please contact us at privacy@postpanther.com and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a notice within the application at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes your acceptance.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out: