Privacy Policy
Last updated: May 3, 2026
1. Who we are
Postora (“we”, “us”, “our”) is an AI-powered social media scheduling service operated at http://localhost:3000. This policy explains what data we collect, why we collect it, and your rights over it.
2. Data we collect
- Account data — your email address and hashed password (managed by Supabase Auth).
- Profile data — optional display name and timezone you provide in Settings.
- LinkedIn credentials — OAuth access tokens and refresh tokens. These are encrypted at rest with AES-256-GCM and never stored in plaintext. We never see your LinkedIn password.
- Post content — captions, media uploads, and scheduling times you create inside Postora.
- Usage data — post counts and AI caption/image counts per billing period, used to enforce plan limits.
- Billing data — your subscription status and Stripe customer ID. Full payment details (card numbers) are stored and processed exclusively by Stripe and never touch our servers.
- Log data — an audit log of key actions (post scheduled, published, failed) for operational reliability and debugging.
3. How we use your data
- To authenticate you and maintain your session.
- To publish posts to LinkedIn on your behalf at the times you choose.
- To generate AI captions and images in response to your prompts.
- To enforce your plan limits and process subscription billing through Stripe.
- To send transactional emails (e.g. password reset) via Supabase Auth. We do not send marketing emails without your explicit consent.
- To monitor and improve service reliability.
We do not sell your data to third parties. We do not use your post content to train AI models.
4. Third-party services
We share data with the following processors only to the extent necessary to operate the service:
- Supabase — database, file storage, and authentication. Data is stored in the US-east region.
- Stripe — payment processing. Governed by the Stripe Privacy Policy.
- Groq — AI caption generation. Your prompt and selected tone are sent to Groq; the response is returned and not retained by us.
- Pollinations.ai — AI image generation. Your prompt is sent to Pollinations; the resulting image is downloaded and stored in Supabase Storage under your account.
- LinkedIn — posts are published via the LinkedIn API using your OAuth token. Governed by the LinkedIn Privacy Policy.
- Vercel — hosting and edge functions. Governed by the Vercel Privacy Policy.
5. Cookies and local storage
We use a single session cookie set by Supabase Auth to keep you logged in. We do not use advertising or tracking cookies. The LinkedIn OAuth flow uses a short-lived CSRF state cookie that is deleted immediately after the OAuth callback completes.
6. Data retention
Your data is retained for as long as your account is active. Post content and logs are kept indefinitely unless you delete them. If you close your account, all personal data is deleted within 30 days of your request, except where we are required to retain it by law (e.g. billing records for 7 years under tax regulations).
7. Your rights
Depending on where you are located, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data.
- Export your post data.
- Withdraw consent for LinkedIn access (by disconnecting your account in Settings).
To exercise these rights, email us at privacy@postora.io. We will respond within 30 days.
8. Security
LinkedIn access tokens are encrypted at rest using AES-256-GCM with a server-side key stored in environment variables. All traffic is served over HTTPS with HSTS enforced. We apply Row Level Security (RLS) in Supabase so that each user's data is isolated at the database level.
9. Children
Postora is not directed at children under 16. If you believe a child has created an account, contact us at privacy@postora.io and we will delete the account promptly.
10. Changes to this policy
We may update this policy. We will notify you of material changes by email or by a banner on the dashboard. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
Questions about this policy? Email privacy@postora.io.