Privacy Policy

Effective date: April 11, 2026

OpenPost (“we,” “us,” or “our”) operates the openpost.so website and the OpenPost platform. This policy explains what data we collect, why we collect it, and what choices you have. We designed OpenPost with the belief that your data belongs to you — we handle it carefully and transparently.

1. What We Collect

Account information

When you sign up, we collect your name and email address. If you sign in through Google, we receive the profile information your Google account shares (name, email, profile photo).

Social platform credentials

When you connect a social media account (such as X, Instagram, Facebook, LinkedIn, YouTube, TikTok, Threads, or Bluesky), we receive and store OAuth access tokens and refresh tokens that allow us to act on your behalf. For platforms using app-password authentication (like Bluesky), we store the session credentials you provide. All credentials are encrypted at rest using AES-256-GCM before being written to the database.

Content you create

We store the posts, drafts, schedules, media files, templates, and tags you create within OpenPost. Media files (images and videos) are stored on Cloudflare R2 infrastructure.

Analytics data

When you use our analytics features, we pull publicly available engagement metrics (impressions, likes, shares, comments) from your connected platforms. This data is stored in aggregate form linked to your posts.

Usage and technical data

We collect standard technical data when you visit our site: IP address, browser type, device type, pages visited, and referring URL. We use this to understand how people use OpenPost and to keep the service running smoothly.

Payment data

We use Stripe to process payments. We never see or store your full credit card number. Stripe provides us with a card summary (last four digits, expiry) and billing address for receipt purposes.

2. How We Use Your Data

  • Operating the service — creating posts, scheduling content, publishing to platforms, pulling analytics, and managing your workspace.
  • Communicating with you — sending transactional emails (account confirmations, billing receipts, password resets) and, only if you opt in, product updates.
  • Improving OpenPost — understanding how features are used so we can make them better. We look at aggregate patterns, not individual accounts.
  • Keeping things secure — detecting and preventing fraud, abuse, and unauthorized access.
  • Meeting legal obligations — complying with applicable laws and responding to legal requests when required.

We do not sell your personal data. We do not use your content to train AI models. We do not share your data with advertisers.

3. Social Media Platform Data

Connecting a social account grants OpenPost specific permissions through that platform’s authorization system. Here is what we access for each:

  • X (Twitter) — Read and write tweets, read profile information, read engagement metrics. We use OAuth 2.0 with PKCE.
  • Instagram & Facebook — Publish content, read insights and engagement data, manage comments. We use the Meta Graph API with OAuth.
  • LinkedIn — Publish posts, read engagement metrics, access profile information.
  • YouTube — Upload videos, read channel analytics, manage video metadata.
  • TikTok — Publish videos, read basic engagement data.
  • Threads — Publish text posts, read engagement metrics.
  • Bluesky — Publish posts with rich text, upload media, read profile data. We use AT Protocol session authentication.

We only request the permissions necessary to provide our service. We do not access your private messages, friend lists, or personal browsing activity on any platform. You can revoke access at any time by disconnecting the account in OpenPost or revoking permissions directly on the platform.

4. Cookies and Tracking

We use a small number of cookies to make OpenPost work:

  • Authentication cookies — keep you signed in across page loads. These are httpOnly and essential to the service.
  • Workspace cookie — remembers which workspace you last used.
  • Preference cookies — store your theme choice (light/dark) and sidebar state.

We do not use third-party advertising cookies. For full details, see our Cookie Policy.

5. Who We Share Data With

We share data only when necessary to provide the service:

  • Social media platforms — we send your content to the platforms you choose to publish on. This is the core function of the service.
  • Infrastructure providers — Supabase (database and authentication), Cloudflare (media storage and CDN), Vercel (application hosting), Stripe (payments). They each process data according to their own privacy policies and our agreements with them.
  • Legal requirements — we may disclose data if required by law, court order, or to protect the rights, property, or safety of OpenPost, our users, or others.

We do not sell, rent, or trade your personal information with any third party for marketing purposes.

6. International Data Transfers

OpenPost is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US and other countries where our infrastructure providers operate. We rely on standard contractual clauses and provider certifications to ensure adequate data protection during these transfers.

7. How Long We Keep Your Data

We retain your account data and content for as long as your account is active. Analytics snapshots are kept for up to 24 months to support historical reporting.

When you delete your account, we remove your personal data, posts, media files, connected platform tokens, and workspace data within 30 days. Some data may persist in encrypted backups for up to 90 days before being purged.

We may retain anonymized, aggregate data (such as total post counts or feature usage statistics) indefinitely, as this data cannot be linked back to any individual.

8. Data Security

We take data protection seriously:

  • OAuth tokens and platform credentials are encrypted at rest using AES-256-GCM with a dedicated encryption key.
  • All connections to OpenPost use TLS 1.2 or higher.
  • Database access is restricted through row-level security policies and service-role authentication.
  • API keys are stored as SHA-256 hashes — we never store plaintext keys.
  • Media files are stored in Cloudflare R2 with access controls per workspace.

For more details, see our Security page.

9. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your personal data (“right to be forgotten”).
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

Our legal bases for processing are: contract performance (providing the service you signed up for), legitimate interest (improving and securing the service), and consent (optional marketing communications).

To exercise these rights, email privacy@openpost.so. We will respond within 30 days.

10. Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act gives you the right to:

  • Know what personal information we collect and why.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information (we do not sell your data, so this right is automatically satisfied).
  • Non-discrimination for exercising your privacy rights.

To make a request, email privacy@openpost.so.

11. Children’s Privacy

OpenPost is not intended for anyone under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from someone under 18, we will delete it promptly.

12. Data Deletion Requests

You can delete your data in two ways:

  • Self-service — disconnect social accounts from your Connections page, delete individual posts, or delete your entire account from Settings.
  • By request — email privacy@openpost.so and we will process the deletion within 30 days.

When a social media platform notifies us that a user has deauthorized OpenPost (for example, via Meta’s data deletion callback), we automatically remove the associated tokens and platform data from our systems.

13. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through a notice on the platform. Your continued use of OpenPost after changes take effect means you accept the updated policy.

14. Contact Us

If you have questions about this privacy policy or how we handle your data: