Privacy Policy
Last updated: March 12, 2026
Postida ("we", "us", or "our") operates as a social media content tool for HVAC and home services businesses. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. By using the Service, you agree to the collection and use of information as described in this policy.
1. Information We Collect
We collect information you provide directly when you create an account and use the Service:
- Account Information: Your name, email address, and hashed password.
- Payment Information: Billing is processed securely through Stripe. We never store your credit card number, CVV, or full billing details on our servers. Stripe's own privacy policy governs its handling of your payment data.
- Content You Create: The topics, captions, and images you generate, edit, or schedule through the platform. This data is stored to display your post history and allow you to re-use past content.
- Connected Social Accounts: When you connect a Facebook Page or Instagram Business account, we store an encrypted OAuth access token, your page or account name, profile picture URL, and account ID. These are the minimum fields required to publish posts on your behalf. Tokens are encrypted at rest using AES-256.
- Usage Data: Generation history, post history, login timestamps, IP addresses, browser type, and feature usage patterns. This data is used to operate and improve the Service and to detect abuse.
2. How We Use Your Information
- Deliver and operate the Service, including generating content and publishing posts on your behalf via the Meta Graph API.
- Process payments and manage your subscription through Stripe.
- Send service-related emails, including email verification, password resets, billing receipts, and important service updates.
- Analyze aggregate, anonymized usage patterns to improve the platform.
- Detect, prevent, and respond to fraud, abuse, unauthorized access, and violations of our Terms of Service.
- Comply with legal obligations where required.
We do not use your data for targeted advertising. We do not sell your personal information to any third party.
3. Social Account Access and Meta API Data
All plans, including the Free plan, allow users to connect social accounts. Free plan users can connect 1 account with limited posting. When a user connects a Facebook Page or Instagram Business account, we access and store data through the Meta Graph API. This section describes exactly what we access and why:
- What we access: Your connected Facebook Page(s) or Instagram Business account name, account ID, profile picture, and an OAuth access token with the permissions you grant during the connection flow.
- Why we access it: The token is used solely to publish posts you approve or schedule through Postida. We do not read your personal timeline, private messages, follower lists, or any data beyond what is needed to publish content.
- Token storage: Access tokens are encrypted using AES-256 before being stored in our database. They are decrypted only at the moment a post is being published and are never logged or transmitted to any party other than Meta's own API.
- What we do not do: We do not post anything to your accounts without your explicit action or a scheduled post you set up yourself. We do not share your tokens with any third party. We do not use your Meta data for any purpose other than operating the publishing features you have enabled.
- Token expiration: Meta access tokens expire periodically (typically every 60 days for long-lived tokens). We attempt to refresh tokens automatically before expiration. If a token cannot be refreshed, you will need to reconnect your account. We notify you when a token is nearing expiration.
You can disconnect your social accounts at any time from the Social Accounts page. Disconnecting immediately revokes our stored token and removes it from our database. You may also revoke access directly through your Facebook Business Integrations settings.
Important: Postida is an independent tool and is not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc. (Facebook/Instagram). Your use of your Facebook or Instagram accounts is governed by Meta's own Terms of Service and Privacy Policy.
4. Information Sharing and Third-Party Services
We do not sell your personal information. We share data only with the following service providers, strictly as needed to operate the Service:
- OpenAI: When you use the AI generation feature, the topic, business type, style preferences, and optional business name you provide are sent to OpenAI's API to generate captions and images. We do not include your login email, payment details, or account credentials in these requests. If you have entered a business name in your account settings, it may be included in the prompt to personalize the generated content. OpenAI's data handling is governed by OpenAI's Privacy Policy. OpenAI states that API inputs and outputs are not used to train their models by default.
- Meta (Facebook/Instagram): Post content, captions, images, and your connected page credentials are transmitted to Meta's Graph API to publish posts on your behalf. This transmission is necessary for the publishing feature to function. Meta's handling of this data is governed by Meta's Privacy Policy.
- Stripe: Your billing and payment information is handled entirely by Stripe. We receive only a token reference and basic subscription status from Stripe. Stripe's data handling is governed by Stripe's Privacy Policy.
- Server hosting providers: Our application runs on third-party server infrastructure. The hosting provider stores data on servers under strict data processing agreements and does not access your data for its own purposes.
- Email delivery: Transactional emails (verification, password reset, billing notices) are sent via a third-party email service provider. These emails contain only what is necessary to fulfill their purpose.
We may also disclose your information if required by law, court order, or government authority, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of Postida, our users, or the public.
5. Data Security
We take the following steps to protect your information:
- Passwords are hashed using bcrypt and are never stored in plain text.
- Social account tokens are encrypted at rest using AES-256-CBC with a unique initialization vector per token.
- All data transmission between your browser and our servers uses HTTPS/TLS encryption.
- Access to production systems and databases is restricted to authorized personnel only.
- Rate limiting and brute-force protections are applied to all authentication and API endpoints.
No system is 100% secure. Despite our best efforts, we cannot guarantee absolute security of your information. If you believe your account has been compromised, contact us immediately at support@appdore.com.
6. Your Rights and Choices
You have the following rights regarding your personal data:
- Access: You may request a summary of the personal data we hold about you.
- Correction: You may update your account information at any time from your Account Settings page.
- Deletion: You may delete your account from the Account Settings page. This permanently removes your personal data, post history, and generated content from our systems, subject to the retention exceptions below.
- Social account disconnection: You may disconnect any social account at any time, immediately revoking our access and deleting the stored token.
- Data export: You may export your post history and generated content before deleting your account.
- Opt out of non-essential communications: You may unsubscribe from any non-essential emails using the unsubscribe link included in those emails. Transactional emails (billing, security alerts, account verification) cannot be opted out of while your account is active.
To exercise any of these rights or submit a data request, contact us at support@appdore.com. We will respond within 30 days.
7. Cookies and Tracking
We use essential session cookies required for authentication and security. These cookies are set when you log in and expire when your session ends or you log out.
We also use Google Tag Manager (GTM) to manage analytics and marketing tags on our website. Through GTM, we may deploy the following types of tracking technologies:
- Google Analytics (GA4) -- to understand how visitors use our website, including page views, session duration, and general traffic patterns. This data is aggregated and does not personally identify you.
- Google Ads conversion tracking -- to measure the effectiveness of our advertising campaigns. This may set cookies to attribute sign-ups or purchases to specific ads you interacted with.
- Remarketing/retargeting pixels -- to show relevant Postida ads to previous visitors on other websites and platforms. These pixels may collect anonymized browsing data.
You can manage or disable cookies through your browser settings. Most browsers allow you to block third-party cookies or clear cookies on exit. Disabling cookies may affect the functionality of certain features. You can also opt out of Google Ads personalization at adssettings.google.com.
8. Data Retention
We retain your data for as long as your account is active. When you delete your account:
- Your personal information, post history, and generated content are permanently deleted within 30 days.
- Social account tokens are immediately revoked and deleted upon disconnection or account deletion.
- Billing and payment records are retained for 7 years as required for legal, tax, and accounting compliance. This is the minimum required by law and is handled by Stripe on our behalf.
- Anonymized, aggregated usage statistics may be retained indefinitely as they cannot be linked back to any individual.
9. Children's Privacy
Postida is a business tool intended for adults operating HVAC or home services businesses. We do not knowingly collect personal data from anyone under the age of 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly.
10. International Users
The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using the Service, you consent to this transfer.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our data practices or legal requirements. Material changes will be communicated via email to your registered address at least 14 days before they take effect. The "Last updated" date at the top of this policy reflects the most recent revision. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.