Legal
Privacy Policy
This Privacy Policy explains what personal data LittlePoster.ai processes when you use the service, why we process it, and the choices you have. We act as the data controller for your account data and as a processor for the post content you schedule through the service.
1. What we collect
- Account data: name, email, profile picture, and the OAuth identifier from your sign-in provider (Google).
- Workspace data: organization name, members, roles, and per-channel permissions.
- Connected channels: the network, external account ID, profile metadata, and encrypted OAuth tokens we need to publish on your behalf.
- Content: posts, drafts, media files, comments, and analytics we fetch from connected networks.
- Billing: subscription state and the customer ID from Stripe. We do not store full payment card details.
- Usage and logs: IP address, user agent, request paths, and timing data we record to operate and secure the service.
2. Why we process it
- to provide, secure, and improve the service;
- to publish content to the networks you have connected, fetch analytics, and deliver replies to your inbox;
- to bill and collect fees through Stripe;
- to send transactional email (failures, re-auth, security alerts);
- to comply with legal obligations and enforce our Terms.
3. How we protect it
OAuth tokens are encrypted at rest using AES-256-GCM envelope encryption. Data in transit is encrypted with TLS. Access to production systems is restricted, logged, and reviewed. See our Security page for full details.
4. Subprocessors
We rely on the following subprocessors to operate the service:
- Neon — managed Postgres database hosting (EU region)
- Fly.io — application and worker hosting
- Cloudflare R2 — media object storage
- Stripe — subscription billing
- Resend — transactional email
- Anthropic and Google — AI text and image generation for opt-in features
- Sentry — error monitoring
A current list with locations and roles is maintained on request. We notify customers of material subprocessor changes before they take effect.
5. Sharing
We do not sell personal data. We share data only with the subprocessors above, with the social networks you have connected (to publish your content), and where required by law.
6. International transfers
Where personal data is transferred outside the EEA or UK, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Our Data Processing Addendum covers controller-to-processor transfers for our customers.
7. Retention
We retain account, workspace, and content data for as long as your workspace is active. When you close a workspace, we delete content within 30 days, except where law or legitimate billing records require longer retention. Server logs are kept for up to 90 days.
8. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise any of these rights, email privacy@littleposter.ai. You can also lodge a complaint with your local supervisory authority.
9. Cookies
We use a small number of first-party cookies to keep you signed in and remember workspace context. We do not run advertising or cross-site tracking cookies.
10. Children
LittlePoster.ai is not directed to children under 16. We do not knowingly collect personal data from anyone under 16.
11. Changes
We will notify you of material changes by email or in-app at least 14 days before they take effect.
12. Contact
Data controller: LittlePoster Lda., Lisbon, Portugal. Email privacy@littleposter.ai for any privacy question.