Privacy Policy

Last updated: April 21, 2026

1. Introduction

Postlyr ("we," "our," or "us") operates the website postlyr.io and the web application at https://app.postlyr.io (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with these terms, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you sign up for Postlyr, we collect the following information through our authentication provider (Supabase Auth):

  • Email address — used for account identification and communication.
  • Name — your display name, sourced from your login provider (e.g., Google, GitHub).
  • Avatar URL — your profile image from your login provider.
  • Timezone — used for scheduling functionality.

2.2 Connected Social Accounts

When you connect a social media account (X/Twitter, LinkedIn, Threads, Mastodon, or Bluesky), we store:

  • Your platform handle, display name, and avatar URL.
  • OAuth access tokens and refresh tokens necessary to publish content on your behalf.
  • For Bluesky: your handle/DID and app password (Bluesky uses AT Protocol, not OAuth).
  • For Mastodon: your instance server URL.

These credentials are stored securely in our database and are used solely to interact with platform APIs on your behalf (publishing posts, retrieving analytics).

2.3 Content Data

We store the threads and posts you create within Postlyr, including:

  • Post text content and ordering.
  • Scheduling timestamps.
  • Publishing status and platform-specific post IDs after successful publication.

2.4 Analytics Data

Postlyr does not permanently store analytics data. When you view your analytics dashboard, metrics (impressions, engagement, follower counts) are fetched in real time from each connected platform's API and are not persisted on our servers.

2.5 Information We Do Not Collect

  • We use a small number of cookies for authentication, user preferences, and optional analytics. For full details, see our Cookie Policy.
  • We do not use cookies for advertising or marketing purposes.
  • We do not collect payment information (billing is processed through third-party payment processors).
  • We use Vercel Analytics (privacy-friendly, no personal data collected) to understand usage patterns. This is only loaded with your consent.
  • We use Crisp for support chat. On the public site and in the authenticated app, it may use support-related session identifiers and limited account context so we can respond to requests and restore the correct conversation when needed.
  • We do not use third-party advertising trackers.
  • We do not sell, rent, or share your personal data with advertisers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Authenticate your identity and manage your account.
  • Publish content to your connected social media accounts on your behalf.
  • Schedule posts for future publication.
  • Retrieve and display analytics from connected platforms.
  • Send service-related communications (e.g., account notifications, security alerts).
  • Respond to your support requests.

4. Third-Party Services

Postlyr integrates with the following third-party services:

  • Supabase — for authentication and user management. Your login credentials are handled by Supabase; we never see or store your passwords.
  • Social Platform APIs (X/Twitter, LinkedIn, Threads, Mastodon, Bluesky) — for publishing content and retrieving analytics. Your interactions with these platforms are also subject to their respective privacy policies.
  • Crisp — for customer support chat. It may be used on the public site and inside the authenticated application to provide requested support and to restore the correct support session when needed.

We recommend reviewing the privacy policies of these third-party services.

5. Data Security

We take reasonable measures to protect your information, including:

  • All communication with our servers is encrypted via TLS/HTTPS.
  • Authentication is handled via secure JWT tokens — no server-side sessions or tracking cookies are used.
  • OAuth state parameters are ephemeral (in-memory), expire after 10 minutes, and are single-use.
  • PKCE (Proof Key for Code Exchange) is used for OAuth flows where supported.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide the Service.

  • You can disconnect any connected social account at any time, which deletes the associated tokens and platform data from our database.
  • You can delete your threads and posts at any time through the application.
  • If you wish to delete your entire account and all associated data, please contact us at support@postlyr.io. Account deletion cascades to all connected accounts, threads, and posts.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your personal data.
  • Object to or restrict the processing of your data.
  • Request portability of your data in a machine-readable format.

To exercise any of these rights, please contact us at support@postlyr.io.

8. Children's Privacy

Postlyr is not intended for use by anyone under the age of 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with their data, please contact us and we will remove it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: support@postlyr.io