1. Information We Collect
Account Information
When you create a PostDart account, we collect your name, email address, and password (stored as a salted hash — we never store plaintext passwords). If you sign up using a social login, we receive your name and email from the identity provider.
Connected Social Media Accounts
When you connect a social media platform (Facebook, Instagram, YouTube, or TikTok), we receive and store an OAuth access token from that platform. These tokens are encrypted using Fernet symmetric encryption and stored in an isolated database. We never receive or store your social media passwords.
Content & Media
We store the content you create within PostDart — including post text, media files (images and videos), drafts, scheduled posts, and platform-specific overrides. Media files are stored securely and are only accessible to you and your team members.
Engagement Data
We sync engagement metrics (views, likes, reactions, shares, comments) and direct messages from your connected social media accounts. This data is used to power the Leaderboard, inbox, comment management, and AI Studio features.
Usage & Analytics
We collect anonymized usage data including pages visited, features used, session duration, and device/browser information. This helps us improve the product and fix bugs. We do not use third-party advertising trackers.
Payment Information
Payment card details are processed and stored exclusively by our payment partners (Stripe, PayPal, Amazon Pay). PostDart never receives, sees, or stores your full card number, CVV, or billing address. We only receive transaction confirmations and subscription status.
2. How We Use Your Information
Service Delivery
To provide PostDart's core features: publishing posts, scheduling, inbox management, comment management, analytics, AI Studio tools, and team collaboration.
AI Processing
When you use AI Studio, your content is sent to Groq's servers for AI processing. This data is used solely to generate your requested output (captions, schedules, replies, etc.) and is not stored or used for model training by Groq or PostDart.
Communication
To send you essential service emails: account verification, password resets, subscription confirmations, and critical security alerts. We may also send product updates and tips, which you can unsubscribe from at any time.
Security
To protect your account and our platform through rate limiting, fraud detection, two-factor authentication, and audit logging.
Improvement
To analyze anonymized usage patterns and improve PostDart's features, performance, and user experience.
3. Data Storage & Security
Encryption
All OAuth tokens are encrypted at rest using Fernet encryption. All data in transit is encrypted via TLS 1.3. Passwords are hashed using bcrypt with per-user salts.
Authentication
PostDart uses cookie-based JWT tokens with HttpOnly and Secure flags, preventing client-side JavaScript access and ensuring tokens are only transmitted over HTTPS.
Rate Limiting
API endpoints are rate-limited to prevent abuse: 100 requests/hour for anonymous users, 1,000 requests/hour for authenticated users, and 5 requests/minute for authentication endpoints.
Two-Factor Authentication
Users can enable TOTP-based two-factor authentication with QR code setup. When enabled, a time-based one-time password is required in addition to the regular password for login.
Infrastructure
PostDart's infrastructure is hosted on secure, SOC 2-compliant cloud providers with automated backups, monitoring, and incident response procedures.
4. Third-Party Services
Social Media Platforms
Facebook/Meta, Instagram, YouTube/Google, and TikTok — we interact with these platforms through their official APIs using your authorized OAuth tokens. Each platform has its own privacy policy governing how it handles your data.
AI Processing (Groq)
AI Studio features are powered by Groq. When you use AI tools, your input is sent to Groq's servers for processing. Groq does not store your data or use it for model training. See Groq's privacy policy for details.
Payment Processors
Stripe, PayPal, and Amazon Pay process all payments. These providers are PCI DSS Level 1 compliant — the highest level of payment security certification.
5. Data Sharing
We Do Not Sell Your Data
PostDart does not sell, rent, or trade your personal information to third parties for advertising or marketing purposes. Period.
Team Members
If you are part of a team workspace, your team's Admin and members with appropriate roles can see shared workspace data (posts, drafts, analytics) based on their assigned permissions.
Legal Requirements
We may disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Your Rights
Access & Export
You can access all your data through the PostDart dashboard at any time. You can export your posts, analytics, and account data.
Correction
You can update your profile information, email, and password directly in the dashboard settings.
Deletion
You can request complete deletion of your account and all associated data. See our Data Deletion page for the full process and timeline.
Disconnect
You can disconnect any social media account at any time from the Connect page. This immediately revokes PostDart's access token for that account.
Opt-Out
You can unsubscribe from non-essential emails at any time using the unsubscribe link in any email, or through your account notification settings.
7. Cookies
Essential Cookies
We use essential cookies for authentication (JWT session cookies) and CSRF protection. These are strictly necessary for PostDart to function and cannot be disabled.
Analytics Cookies
We may use anonymized analytics cookies to understand how users interact with PostDart. These do not contain personal information and are used solely for product improvement.
No Advertising Cookies
PostDart does not use any advertising, tracking, or retargeting cookies. We do not participate in ad networks or share cookie data with third parties.
8. Children's Privacy
PostDart is not intended for users under the age of 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If we discover that a child has created an account, we will promptly delete it and all associated data.
9. International Data Transfers
PostDart operates globally and your data may be stored and processed in countries other than your own. We ensure appropriate safeguards are in place for international data transfers, including standard contractual clauses where required by applicable law.
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes via email or a prominent notice in the dashboard. Continued use of PostDart after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this privacy policy or your data, contact us at support@postdart.com or through the Help Center in the PostDart dashboard. For data protection inquiries, you may also contact our Data Protection Officer at support@postdart.com.