Last updated: June 16, 2026
Postger ("we", "us", or "our") operates the Postger platform at postger.com. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.
By creating an account or using Postger, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.
When you sign up, we collect your email address and, optionally, your name and a profile avatar. If you sign in through Google or GitHub, we receive your name, email, and profile picture from those providers. We also store a timestamp of when you accepted our Terms of Service.
To publish content and retrieve analytics on your behalf, Postger connects to social media platforms through their official OAuth flows. We store the access tokens and refresh tokens required to maintain these connections. All tokens are encrypted at rest using application-level encryption. We never store your social media passwords.
Connected platforms may include Facebook, Instagram, LinkedIn, TikTok, YouTube, Pinterest, Threads, Bluesky, Google Business Profile, and Mastodon. For each connected account, we also store the account name, handle, avatar URL, and follower count to display within the Postger interface.
We store the posts you draft, schedule, and publish through Postger, including captions, media files (images and videos), hashtags, and per-platform variations. We also store idea board cards, post templates, approval comments, and version history for your content.
When you use the unified inbox, we retrieve and store comments, direct messages, and mentions from your connected social accounts. This includes the sender's name, handle, avatar, and message content. We may also perform automated sentiment analysis on incoming messages to help you prioritize responses.
We collect performance metrics from your connected social accounts, including impressions, reach, engagement rates, follower growth, and per-post metrics such as likes, comments, shares, and clicks. This data is stored as periodic snapshots and used to generate reports and recommendations within the platform.
All subscription payments are processed by Polar, which acts as our Merchant of Record. This means Polar is the legal entity that sells the subscription to you, processes your payment, collects applicable sales tax or VAT, and handles refunds and chargebacks. When you subscribe to a paid plan, your billing relationship is with Polar, and their Terms of Service and Privacy Policy apply to all payment-related matters.
We do not store your credit card number, bank account details, or any other full payment credentials. That information is collected and stored exclusively by Polar. On our side, we only store your plan type, subscription status, billing period, and trial dates so we can grant you access to the correct features.
We store information about your organization (name, logo, default timezone, billing email), workspaces, and team memberships, including roles and permissions. Invitation records include email addresses and acceptance timestamps.
If you use the AI Agent API, we store a hashed version of each API key (we cannot recover the original key after creation), along with its permissions, expiration date, and usage metadata. API audit logs record the action performed, HTTP method and path, response status code, IP address, and user agent for each API request.
We store session data including your device information, IP address, and last active timestamp to manage authentication and detect unauthorized access. If you enable two-factor authentication, we store your TOTP secret and recovery codes in encrypted form.
We use the data we collect to:
We do not sell your personal data to third parties. We do not use your content or social media data for advertising purposes.
Postger relies on the following third-party services to operate:
Each third-party service operates under its own privacy policy. We recommend reviewing those policies for a complete understanding of how your data may be handled by those providers.
We take the security of your data seriously. Social media OAuth tokens and platform credentials are encrypted at rest using application-level encryption. API keys are stored as irreversible HMAC-SHA256 hashes. Two-factor authentication secrets and recovery codes are encrypted. Session tokens are hashed before storage.
We use HTTPS for all data in transit, enforce Content Security Policy headers, and follow industry best practices for web application security. While no system is completely immune to security risks, we design our infrastructure to minimize exposure and respond quickly to any incidents.
We retain your data for as long as your account is active or as needed to provide the service. When you delete your account or request organization deletion, we schedule the removal of your data. After the scheduled deletion date, your personal information, content, connected account credentials, and analytics data are permanently removed from our systems.
We may retain certain records (such as billing transaction IDs and audit logs) for a limited period after account deletion to comply with legal obligations or resolve disputes.
Postger uses essential cookies to maintain your authentication session and remember your preferences (such as your last active workspace). CSRF (Cross-Site Request Forgery) tokens protect form submissions. These are standard security measures and do not track your behavior across other websites. We do not use advertising cookies, marketing cookies, or third-party tracking cookies.
We use DataFast in cookieless mode to collect anonymous, aggregated website usage statistics (page views, referral sources, device types). The cookieless script does not place any cookies on your browser for visitor identification. Instead, DataFast generates a pseudonymous visitor identifier on the server side using a hashed combination of your IP address, browser user-agent, site domain, and a salt that rotates approximately every 24 hours (UTC).
This means the same visitor browsing on different days cannot be linked as a single profile across those days. There is no cross-domain visitor linking, no long-lived tracking cookie, and no advertising profile built from this data. Session-only storage may be used in the browser for the current tab session (for session continuity) and is cleared when you close the site session.
We use this data solely to understand how visitors use our website and to improve the service. We do not sell this data or share it with advertisers. For details on how DataFast processes data as a processor, see the DataFast Data Processing Agreement.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable local data protection laws.
We process your personal data under the following legal bases:
Under the GDPR and similar data protection laws, you have the right to:
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Your data may be processed on servers located outside the EEA. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on an adequacy decision.
If you access Postger through a client portal (using a magic link provided by an agency or team), we collect your email address for authentication and store any comments or approval actions you take within the portal. Your access is governed by the organization that invited you, and you can contact that organization directly about your data. You may also contact us at the address above.
Postger uses YouTube API Services to enable publishing and analytics for YouTube channels. By connecting a YouTube channel to Postger, you also agree to be bound by the YouTube Terms of Service. Your data may also be subject to the Google Privacy Policy.
You can revoke Postger's access to your YouTube data at any time via the Google security settings page. Revoking access will disconnect your YouTube channel from Postger.
Postger is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can remove it.
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by displaying a notice within the application. Your continued use of Postger after changes take effect constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or how we handle your data, contact us at [email protected].