Privacy Policy

Last updated: June 10, 2026

Ampost ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our unified social media API platform and related services (collectively, the "Service").

Ampost is operated by Artur Muszyński, Płk. Stanisława Dąbka 15 A, 81-107 Gdynia, Poland, NIP: 9581692434. For GDPR purposes, Artur Muszyński is the controller of personal data processed through the Service. Full operator details are available in our Legal Disclosure.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect your name, email address, company name (optional), and authentication credentials. We use Supabase for authentication and database storage.

1.2 Social Media Platform Credentials

To provide our Service, we require OAuth tokens and API keys for the social media platforms you connect (Instagram, Facebook, X/Twitter, LinkedIn, TikTok, YouTube, and Threads). These credentials are encrypted at rest and used solely to perform actions you authorize through our platform.

1.2.1 LinkedIn Data

For LinkedIn connections, Ampost currently requests the LinkedIn scopes openid, profile, email, and w_member_social. We store encrypted access tokens, refresh tokens when LinkedIn provides them, token expiry, refresh-token expiry, granted scopes, the member ID or URN, OIDC claims such as name, email address, email verification flag, profile image URL, locale, and connection metadata such as the auth flow, selected platform set, and whether organization posting is enabled for that workspace.

1.2.2 Google / YouTube Data

For YouTube connections, Ampost currently requests the Google OAuth scopes https://www.googleapis.com/auth/youtube.upload and https://www.googleapis.com/auth/youtube. We store encrypted access and refresh tokens, token expiry, granted scopes, channel ID, channel title/username, avatar URL, and a channel metadata snapshot such as description, subscriber count, video count, and view count when provided by Google.

1.2.3 TikTok Data

For TikTok connections, Ampost currently requests the TikTok scopes video.upload, video.publish, and user.info.basic. We store encrypted access and refresh tokens, token expiry, granted scopes, the creator open ID, creator username, avatar URL, nickname, available privacy levels, disabled comment/duet/stitch flags, max video duration, selected platform set, and related connection metadata needed to validate TikTok publishing.

1.3 Content and Usage Data

We collect the content you create and schedule through our Service (posts, media, captions, metadata), analytics data (engagement metrics, post performance), and usage data (API calls, feature usage, log data).

For TikTok publishing specifically, this can include post text, photo or video metadata, requested privacy and disclosure settings, creator restriction snapshots, publish IDs, published URLs when available, provider lifecycle states, token-health transitions, and disconnect or revocation events. TikTok's current Ampost launch surface is immediate-only and may be limited to private-only visibility while app review or Direct Post approval is still pending.

For LinkedIn publishing specifically, this can include member post text, link metadata, image or video metadata, alt text, visibility controls, post URNs, published URLs, provider lifecycle states, retry history, token-health transitions, and disconnect or revocation events. Ampost's current LinkedIn launch surface is limited to member publishing; we do not claim organization/Page posting, analytics, comments, or feed-reading APIs in this launch.

For YouTube publishing specifically, this can include requested visibility settings, audience and synthetic-media disclosures, YouTube category and tag metadata, platform video IDs, published URLs, processing states, and disconnect or revocation events.

1.4 Technical Data

We automatically collect certain technical information including IP address, browser type, device information, operating system, and timestamps of API requests.

2. Legal Basis for Processing

We process personal data under the following legal bases, depending on the purpose of processing:

  • Account creation, authentication, and service delivery: performance of a contract with you.
  • Connecting social platforms, storing OAuth credentials, scheduling posts, and publishing content: performance of a contract and carrying out your instructions.
  • Billing, subscriptions, invoices, and tax records: performance of a contract and compliance with legal obligations.
  • Security, abuse prevention, debugging, rate limiting, and fraud prevention: our legitimate interests in protecting the Service, our users, and connected platform integrations.
  • Service communications: performance of a contract and our legitimate interests in keeping you informed about the Service.
  • Optional marketing communications: consent, where required by applicable law.

Where we rely on legitimate interests, we balance those interests against your privacy rights and expectations.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Publish and schedule content to connected social media platforms on your behalf
  • Process API requests and deliver analytics
  • Send service-related communications (notifications, updates)
  • Detect, prevent, and address technical issues and abuse
  • Comply with legal obligations

We do not use your content to train AI models or for any purpose other than providing the Service to you. We do not sell your personal data.

4. How We Share Your Information

We share your information only in the following circumstances:

  • Social Media Platforms: Content you publish is transmitted to the platforms you have connected (including Instagram, Facebook, X/Twitter, LinkedIn, TikTok, YouTube, and Threads) according to their respective APIs.
  • Service Providers: We use Supabase (database, authentication, storage) and Vercel (hosting) as infrastructure providers. They process data on our behalf under strict data processing agreements.
  • Google / YouTube: When you connect YouTube, Ampost exchanges OAuth credentials with Google, reads channel data needed to establish the connection, and sends your publishing requests, metadata, and media to the YouTube Data API on your behalf.
  • Legal Compliance: We may disclose information if required by law, regulation, or valid legal process.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

5. Data Storage and Security

Our primary application database and server-side application runtime are hosted in Frankfurt, Germany. We use Supabase for database and authentication services, and Vercel for application hosting and server-side functions. We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • OAuth tokens and API keys are encrypted before storage
  • Row-Level Security (RLS) policies in Supabase ensuring data isolation between tenants
  • Regular security reviews and monitoring

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Third-Party Services

Our Service integrates with third-party social media platforms. Each platform has its own privacy policy and terms of service. When you connect a platform to Ampost, you are also subject to that platform's policies. We encourage you to review the privacy policies of:

  • Meta (Instagram, Facebook, Threads)
  • TikTok
  • LinkedIn
  • Google (YouTube)
  • X Corp. (X/Twitter)

Ampost's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements where applicable.

For LinkedIn, please also review LinkedIn's Privacy Policy and Professional Community Policies. LinkedIn may separately impose product-access restrictions, commercial-use review, or token revocation requirements on applications like Ampost.

7. Cookies

We use minimal cookies and browser storage for essential functionality, including Supabase authentication session cookies, temporary OAuth state cookies for connected platform flows, and local storage for theme preference.

We do not currently use advertising cookies, retargeting cookies, or third-party tracking cookies. You can review our current cookie settings and browser storage practices on the Cookie Settings page.

8. Data Retention

We retain your account information and content for as long as your account is active. Upon account deletion, we permanently delete your data within 30 days, except for:

  • Data required for legal compliance or dispute resolution
  • Aggregated, anonymized data that cannot identify you
  • Backup archives (purged within 60 days per backup rotation)

You may export your data at any time by contacting us.

Disconnecting a LinkedIn account through Ampost clears the stored connection in our systems and, where LinkedIn supports it, we rely on the provider token lifecycle to end further API access. Published LinkedIn posts remain on LinkedIn unless you delete them there. If LinkedIn does not provide a refresh token for your app or later revokes it, Ampost marks the connection as reconnect-required and asks you to complete the OAuth flow again.

Disconnecting a YouTube account through Ampost revokes access with Google when the API permits and marks the stored connection inactive in our systems. Published videos remain on your YouTube account unless you delete them there or ask us to assist with a deletion request that the available Google APIs support.

9. Your Rights

As Ampost is based in Poland (EU), the General Data Protection Regulation (GDPR) applies to all users. Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, commonly used format.
  • Objection: Object to processing of your personal data in certain circumstances.
  • Withdraw Consent: Withdraw consent where processing is based on consent.
  • Restriction: Restrict processing of your personal data in certain circumstances.
  • Complaint: Lodge a complaint with a supervisory authority. The Polish Data Protection Authority (PUODO) is our lead supervisory authority.

To exercise any of these rights, contact us at the email address below. We will respond within 30 days (or the statutory period under GDPR) as required by applicable law.

10. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it promptly.

11. International Data Transfers

Our primary application database and server-side application runtime are hosted in Frankfurt, Germany, within the European Union. We use infrastructure, payment, logging, media storage, and platform API providers to operate the Service. Some providers may process limited personal data outside the EU/EEA. Where that happens, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other GDPR-approved transfer mechanisms.

Our company is based in Poland, an EU member state. The processing of personal data is governed by Polish law and the GDPR, with PUODO (Polish Data Protection Authority) as the lead supervisory authority.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website. Your continued use of the Service after such notification constitutes acceptance of the updated policy.

13. Contact Us

Ampost is operated from Poland (EU). If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

You also have the right to lodge a complaint with the Polish Data Protection Authority (PUODO) at uodo.gov.pl.