Privacy Policy

This Privacy Policy explains how Postiz (“Postiz”, “we”, “us” or “our”) collects, uses, shares and protects personal data in connection with the Postiz social-media scheduling, publishing, analytics and team-collaboration platform (the “Service”) and the websites at postiz.com and related sub-domains (the “Site”). It applies to visitors to the Site, account holders, members of customer workspaces, prospects, event attendees, and anyone else who interacts with us. By using the Site or the Service you acknowledge this Policy. For our contractual terms, see our Terms of Service.

1. Who We Are (Data Controllers)

Postiz is operated by two affiliated entities under common ownership. References to “Postiz” mean both, except where a specific entity is named:

  • Gitroom Limited — incorporated in Hong Kong; registered office at SUITE C, LEVEL 7, WORLD TRUST TOWER, 50 STANLEY STREET, CENTRAL, HONG KONG. Gitroom Limited is the contracting party for paid subscriptions, the recipient of subscription revenue, and the primary data controller for account, billing, customer-support, marketing and Service-usage data.
  • Gitroom LLC — a Delaware (USA) limited liability company; registered office at 8 The Green, Suite A, Dover, DE 19901, USA. Gitroom LLC holds the developer accounts and platform-side approvals with the third-party social-media platforms whose APIs the Service uses (X / Twitter, Meta, LinkedIn, YouTube, TikTok, Pinterest, Reddit, Threads, Bluesky, Mastodon, Discord, Slack, Telegram and others). In this role Gitroom LLC acts as the integrating party with those platforms and processes the OAuth credentials, scopes and platform-side metadata required to publish on your behalf.

For all privacy questions, requests and complaints you can reach us at [email protected]. Postal contact details for both entities are set out at the end of this Policy.

2. The Service in Brief

Postiz lets you connect 28+ social-media and chat channels and centrally schedule, publish, analyse and collaborate on content. The platform includes a calendar and scheduling engine, a media library, a publishing queue, analytics, AI-assisted content generation, team and workspace management, and integrations with third-party platforms. Some features depend on your plan and on the platforms you choose to connect.

3. The Data We Collect

3.1 Account & identity data

  • Name, email address, password (stored as a salted hash), profile picture, organisation name, role, language and timezone preferences.
  • If you sign in via a social-login provider (e.g. Google), the basic profile fields and email returned by that provider.
  • Workspace and team membership, invitations sent and accepted, and the permissions granted within a workspace.

3.2 Connected platform data

When you connect a third-party social or messaging account to Postiz we receive and store, via that platform’s API:

  • OAuth access & refresh tokens (encrypted at rest), the scopes you granted, the platform username and identifier, and account-level metadata (e.g. profile picture, follower counts, page IDs, channel IDs).
  • Content and engagement data needed to provide the Service: posts you create or schedule, posts already published, comments, replies, direct messages where you have explicitly enabled that feature, post-level analytics (impressions, clicks, reach, video retention, etc.), and audience-level aggregates the platform exposes.
  • For YouTube specifically, the Service uses YouTube API Services. Your use of those features is also subject to the YouTube Terms of Service and the Google Privacy Policy. You can revoke Postiz’s access to your Google data at any time at https://security.google.com/settings/security/permissions.

3.3 Content you upload

Text, images, video, audio, captions, links, hashtags, schedules, prompts, comments, approval notes, calendar metadata and any other content you upload to or generate within the Service.

3.4 Billing data

Plan, subscription status, invoice history, billing email, billing address and tax identifiers. Card details and bank-account details are collected and stored directly by our payment processors (e.g. Stripe, Paddle); Postiz only receives a tokenised reference, the last four digits, the brand, and the expiry month/year.

3.5 Logs, usage & device data

  • IP address, user-agent, browser type and version, operating system, device identifiers, referrer URL, language preference, approximate location derived from IP (country/region).
  • Application telemetry: pages visited, features used, posts created/published/failed, API calls made, error reports, performance metrics, and crash data.
  • Session and authentication data, including login timestamps, session tokens and security events (e.g. password changes, MFA enrolment).

3.6 Communications & support data

Messages you send to us by email, in-app chat, via support tickets or via our community channels; surveys, NPS responses, feedback and feature requests; engagement metrics for the marketing emails you receive (open rate, click rate, link clicked).

3.7 Cookies & similar technologies

We use cookies, local storage, pixels and SDKs for authentication, security, preferences, analytics and (on the Site) marketing attribution. Categories include strictly-necessary, functional, analytics and marketing cookies. You can manage non-essential cookies through the in-page consent banner or your browser settings; disabling strictly-necessary cookies will break parts of the Service.

4. How We Use the Data & Legal Bases

We process the data described above for the purposes below. Where the GDPR (or UK GDPR) applies, the legal basis for each purpose is shown in brackets.

  • Provide the Service — authenticate users, create and manage your account and workspaces, store and publish your content to connected platforms, return analytics, and provide customer support. (Performance of contract.)
  • Bill and collect payment — issue invoices, manage subscriptions, prevent payment fraud, comply with tax law. (Performance of contract; legal obligation.)
  • Secure the Service — detect and prevent abuse, fraud, account takeover, brute-force attacks, spam and infrastructure attacks; investigate incidents; enforce the Terms. (Legitimate interests in keeping the Service safe; legal obligation.)
  • Operate, maintain and improve the Service — debug, monitor uptime, measure performance, A/B-test features, build aggregated usage analytics. (Legitimate interests in running and improving a reliable Service.)
  • Communicate with you — send service-related messages (receipts, security alerts, post-failure notices, scheduled-post confirmations) and, where you have opted in or where permitted, marketing communications. (Performance of contract; consent or legitimate interests, depending on the message and your jurisdiction.)
  • Comply with law — respond to lawful requests, enforce our rights, defend claims. (Legal obligation; legitimate interests.)

We do not use the content of your scheduled posts, your connected-platform content, or your private messages to send you advertising, and we do not sell that data.

5. AI-Assisted Features

The Service offers optional AI features that generate or rewrite captions, hashtags, image prompts, video scripts and analytics summaries. To provide them we transmit your prompts and the inputs you choose to include to third-party model providers (for example Anthropic, OpenAI and similar) acting as our sub-processors. We instruct those providers not to use your inputs or outputs to train their models. AI outputs are generated probabilistically and may be inaccurate; you remain responsible for reviewing them before publishing.

6. Postiz as Controller vs Processor

For account, billing, Site analytics, marketing and security data, Postiz acts as a data controller.

For the content you publish through the Service and the personal data of your audience, followers, customers and message contacts that flows through Postiz on your instructions, Postiz acts as a data processor on your behalf, and you are the controller. You are responsible for having a lawful basis for that processing, for providing notices and obtaining consents from your end-users, and for honouring their rights. On request we will sign our standard Data Processing Addendum (DPA), which incorporates the EU Standard Contractual Clauses (and the UK Addendum) where relevant; email [email protected] to request it.

7. Who We Share Data With

We do not sell personal data and we do not rent it to third parties. We share data only with:

  • Our affiliated entity — Gitroom Limited and Gitroom LLC share data between themselves to operate the Service jointly (for example, the OAuth tokens and platform-side metadata held by Gitroom LLC are used by Gitroom Limited’s scheduling pipeline to publish on your behalf).
  • Sub-processors and infrastructure providers — including cloud hosting and storage, content delivery networks, database providers, error-monitoring and observability vendors, customer-support platforms, transactional email providers, analytics platforms, payment processors and AI-model providers. We require these vendors to provide adequate security and to process data only on our instructions and for the agreed purposes.
  • Connected third-party platforms — when you schedule or publish content, we transmit it to the platform you selected; when you request analytics, we receive it from that platform. Each platform’s own privacy policy governs what it does next.
  • Other members of your workspace — content, schedules, comments and approval activity are visible to the other people in the workspaces you join, according to the role and permissions assigned to them.
  • Professional advisors — accountants, auditors, lawyers, insurers and similar advisors, under confidentiality.
  • Authorities — when we are legally required to disclose data (court order, valid law-enforcement request, regulatory request) or when disclosure is necessary to investigate or prevent fraud, abuse, security threats or harm to people. Where lawful we will attempt to redirect the request to you first.
  • Successor entities — in the event of a merger, acquisition, financing, reorganisation or sale of assets, in which case we will require the recipient to honour this Policy or provide notice of any new policy.

8. International Data Transfers

Postiz operates from Hong Kong (Gitroom Limited) and the United States (Gitroom LLC), and we use sub-processors in the United States, the European Union, the United Kingdom and other jurisdictions. As a result, personal data we process may be transferred to and stored in countries outside your own, including countries that may not have been recognised as providing an “adequate level of protection” by the European Commission, the UK ICO or other regulators.

Where personal data subject to the GDPR or UK GDPR is transferred to a country without an adequacy decision, we rely on the European Commission Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by additional technical and organisational measures (encryption in transit and at rest, access controls, contractual restrictions on sub-processor use of the data). You may request a copy of the relevant safeguards by emailing [email protected].

9. Data Retention

  • Account data — kept for as long as your account is active. After account closure, retained for up to 90 days to allow recovery, then deleted or anonymised, except where longer retention is required (see below).
  • Scheduled content not yet published — kept until published or until you delete it.
  • Published-post records and analytics — kept while your account is active, so historical analytics remain available.
  • OAuth tokens — kept while the connection is active; revoked tokens are deleted promptly. You can disconnect a platform at any time from your account settings.
  • Billing records — retained for the period required by tax and accounting law in the relevant jurisdictions (typically 7 years).
  • Logs — operational and security logs are typically retained for up to 12 months.
  • Backups — encrypted backups roll off on their normal schedule (typically within 30–90 days) after deletion from the live system.

Where retention is required for legal, regulatory, dispute-resolution or fraud-prevention reasons, we may keep data longer than the periods above.

10. Security

We maintain administrative, technical and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include: encryption of data in transit (TLS) and of sensitive data at rest; encryption of OAuth tokens; password hashing with a modern algorithm; role-based access controls and least-privilege provisioning; audit logging; multi-factor authentication for staff access to production systems; vendor security reviews and contractual data-protection commitments; and incident-response procedures. No system is fully secure, and we cannot guarantee absolute security.

11. Your Rights

Depending on where you live, you may have the right to:

  • access the personal data we hold about you and receive a copy in a portable format;
  • request correction of inaccurate or incomplete data;
  • request deletion of your data, subject to retention obligations;
  • object to or restrict certain processing, including direct marketing;
  • withdraw consent where processing is based on consent (without affecting the lawfulness of processing already carried out);
  • opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising — Postiz does not sell personal data and does not share it for cross-context behavioural advertising as those terms are defined under the California Privacy Laws;
  • lodge a complaint with your supervisory authority (in the EU/UK) or with the Privacy Commissioner for Personal Data in Hong Kong (PCPD).

Most account changes can be made by signing in to your account and editing your profile, billing or workspace settings, or by disconnecting a platform from the integrations page. To exercise rights that cannot be handled in-product, email [email protected]. We will respond within the timeframe required by applicable law (typically 30 days, extendable for complex requests). We may need to verify your identity before acting on a request. We will not discriminate against you for exercising your rights.

12. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “California Privacy Laws”) gives you the rights summarised in Section 11, including the right to know what categories of personal information we collect about you and the purposes for which we use them (described in Sections 3 and 4), the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising your rights. Postiz does not sell personal information and does not share it for cross-context behavioural advertising. To exercise your California rights, email [email protected].

13. Hong Kong PDPO

Where the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) applies, Gitroom Limited handles personal data in accordance with the Data Protection Principles set out in the PDPO. You have the right to request access to and correction of personal data we hold about you. Requests should be sent to [email protected].

14. Children

The Service is intended for business use and is not directed to children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

15. Marketing & Cookies Choices

You can unsubscribe from marketing emails at any time using the unsubscribe link in any such email. Unsubscribing from marketing does not stop transactional and account-related emails, which are necessary while your account is active. You can manage cookie preferences via the consent banner on the Site (where displayed) or your browser settings. The Network Advertising Initiative provides additional opt-out tools at http://optout.networkadvertising.org.

16. Third-Party Sites and Services

The Site and the Service link to and integrate with third-party services. Their handling of your data is governed by their own privacy policies, not this one. We encourage you to review the privacy policy of any platform you connect to Postiz, including the Google Privacy Policy at http://www.google.com/policies/privacy for YouTube integrations.

17. Changes to this Policy

We may update this Privacy Policy from time to time. If a change is material we will provide reasonable notice (for example by email or in-product notice) before it takes effect. The date the Policy was last updated is shown at the top of this page; we encourage you to review it periodically.

18. Contact Us

For privacy questions, requests, or complaints, email [email protected], or write to us at:

  • Gitroom Limited — SUITE C, LEVEL 7, WORLD TRUST TOWER, 50 STANLEY STREET, CENTRAL, HONG KONG.
  • Gitroom LLC — 8 The Green, Suite A, Dover, DE 19901, USA.
