
GDPR & Data Processing

Last updated: 7 March 2026

This page explains how Posty processes personal data in accordance with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), and similar frameworks such as the UK GDPR and Australia's Privacy Act 1988. It supplements our Privacy Policy.

1. Data Controller

Posty is operated by a sole trader based in Australia. For the purposes of GDPR, Posty acts as the data controller for personal data collected directly from users (account information, usage data). When you connect social media accounts and schedule content, Posty acts as a data processor on your behalf.

To contact us regarding data protection matters: privacy@posty.social

2. Legal Bases for Processing

We process your personal data under the following legal bases:

  • Contract - Processing necessary to provide the Service you have signed up for, including account management, authentication, content scheduling, and publishing to connected social media accounts.
  • Legitimate interests - Security monitoring, fraud prevention, and improving the reliability of the Service, where these interests are not overridden by your rights.
  • Legal obligation - Where we are required to retain or disclose data to comply with applicable law.
  • Consent - Where you have explicitly opted in to specific processing activities (e.g. connecting a social media account).

3. Data We Process

  • Identity data - Name, email address, profile picture (if using Google OAuth)
  • Account data - Organisation memberships, workspace roles, settings
  • Social media credentials - OAuth access tokens and refresh tokens for connected accounts (stored encrypted)
  • Content data - Posts, captions, images, videos, and scheduling data you create
  • Usage data - Log data including IP addresses, browser type, and feature usage for security and reliability purposes

4. Data Transfers

Posty is built on Cloudflare's global infrastructure. Your data may be processed in data centres outside your country of residence, including outside the EEA. Cloudflare maintains Standard Contractual Clauses (SCCs) and other transfer mechanisms to ensure adequate protection. For more information, see Cloudflare's GDPR commitments.

5. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Upon account deletion, we delete or anonymise your personal data within 30 days, except where retention is required by law or legitimate interest (e.g. fraud prevention).

6. Your Rights Under GDPR

If you are in the EEA or UK, you have the following rights regarding your personal data:

  • Right of access - Request a copy of the personal data we hold about you
  • Right to rectification - Request correction of inaccurate or incomplete data
  • Right to erasure - Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing - Request that we limit how we use your data in certain circumstances
  • Right to data portability - Receive your data in a structured, machine-readable format
  • Right to object - Object to processing based on legitimate interests
  • Rights related to automated decision-making - We do not make solely automated decisions that significantly affect you

To exercise any of these rights, email privacy@posty.social. We will respond within 30 days.

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware and inform affected users without undue delay.

8. Sub-processors

We use the following sub-processors to deliver the Service:

  • Cloudflare - Hosting, database (D1), object storage (R2), and CDN
  • Resend - Transactional email delivery
  • Stripe - Payment processing (for subscribers)
  • Sentry - Error monitoring and performance tracking

9. Complaints

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is your national Data Protection Authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

10. Contact Us

For any data protection enquiries, contact us at privacy@posty.social.