Privacy Policy
Last updated: 2026-04-07
This Privacy Policy describes how Postato collects, uses, stores, shares, and protects personal data during the early access period. Postato is in active development and a final version of this policy will be published before general availability. This policy complies with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Law 13.709/2018, "LGPD") and is read together with the Terms of Service.
1. Controller and contact
Postato is the controller of the personal data described in this policy. Questions, requests, and complaints related to the processing of your personal data should be sent to legal@postato.com.br. The same address is the official channel to contact the person in charge of data processing (encarregado / DPO) during early access.
2. Mediation model
Postato is a mediated carrier between you and the social networks you connect. Postato never holds the credentials (login and password) of those networks. When you connect a social account, you authorize Postato to act on your behalf through the official OAuth flow of that network, and Postato stores only the resulting tokens, encrypted at rest.
You are the publisher of the content delivered through Postato. Postato is the courier that carries the content from your interface to the connected platform. This distinction shapes what Postato collects, why, and for how long.
3. Data we collect
Postato collects only the data necessary to deliver the service. The categories below describe what is collected and from where.
3.1 Data you provide directly
- Account data. Name, email address, password (stored as a one-way hash), and any other information you provide when creating or updating your account.
- Workspace data. The name of your workspace and any settings you configure.
- Billing data (when applicable). Information necessary to issue invoices, processed by our payment provider. Postato does not store full card numbers.
- Support communications. Messages, screenshots, and attachments you send when contacting support.
3.2 Data generated by your use of the service
- API keys. Postato generates API keys (in the format smcp_*) on your request. Only a one-way hash of each key is stored. The plain value is shown to you only once at creation.
- Submitted content. The text, media, metadata, and scheduling parameters you send through the interface so that Postato can publish them on your behalf on the connected networks.
- Delivery records. Status, timestamps, identifiers returned by the destination platform, error messages, and retry counts for each publication attempt.
- Operational logs. Technical records (request identifiers, IP addresses, user agents, response codes, durations) generated to operate the service, diagnose incidents, and protect against abuse.
- Webhook delivery records. Signed payloads, response codes, and timestamps when you configure outbound webhook endpoints.
3.3 Data received from third parties
- OAuth tokens from connected social networks. When you connect a social account, the connected network returns OAuth tokens that authorize Postato to act on your behalf. These tokens are stored encrypted at rest and used only to perform the actions you, your applications, or your agents request through the interface.
- Public profile information from connected networks. Identifiers, display name, and other public profile fields returned by the network during the connection flow, used to identify the connected account inside Postato.
3.4 Data collected through cookies and similar technologies
The Postato website uses Google Analytics 4 to understand how visitors use the site. Google Analytics 4 only loads after you explicitly accept cookies on the consent banner. If you decline, no analytics requests are made and no analytics cookies are set.
4. Why we process your data and on what legal basis
Postato processes personal data only for specific, legitimate purposes, with a clear legal basis under Article 7 (and Article 11, when applicable) of the LGPD.
| Purpose | Legal basis |
|---|---|
| Create and maintain your account | Performance of a contract |
| Authenticate requests via API key, session, or MCP OAuth | Performance of a contract |
| Validate, queue, transmit, retry, and record publication of submitted content on connected networks | Performance of a contract |
| Store OAuth tokens of social networks you connect, encrypted, and use them to act on your behalf | Performance of a contract and your consent at the moment of connection |
| Generate operational logs to run the service, diagnose incidents, and protect against abuse | Legitimate interest |
| Apply rate limits and prevent abuse, fraud, and misuse | Legitimate interest |
| Communicate with you about your account, security, and changes to the service | Performance of a contract and legal obligation |
| Issue invoices and meet tax obligations (when applicable) | Compliance with a legal obligation |
| Measure aggregated site usage through Google Analytics 4 | Your consent |
| Respond to requests, complaints, and orders from public authorities | Compliance with a legal obligation and regular exercise of rights |
Postato does not use your data for behavioral advertising and does not sell your data.
5. Sharing and sub-processors
Postato shares personal data only with parties that are necessary to deliver the service and only for the purposes described in this policy. These parties act as operators (operadores) and process data under contract.
Categories of recipients:
- Cloud infrastructure and hosting providers that run the Postato application, the database, and the queue layer.
- Object storage providers for media you upload to Postato.
- Email delivery providers used to send transactional messages such as account verification, password reset, and security notifications.
- Payment provider (when billing is active) used to process subscriptions and issue invoices.
- Web analytics provider (Google Analytics 4) limited to the website and conditioned on your consent.
- Connected social networks (such as the platforms you choose to connect through OAuth) that receive the content you submit so they can publish it. Once delivered, the content is governed by the policies of the destination network.
- Public authorities and courts when required by law, judicial order, or to defend Postato's rights.
Postato does not sell personal data and does not share it with third parties for marketing purposes.
6. International transfers
Some sub-processors listed in section 5 may process personal data outside Brazil. When that happens, Postato relies on the international transfer mechanisms allowed by Article 33 of the LGPD, which include transfers to countries with an adequate level of protection, contractual clauses, and your specific consent when applicable. You may request additional information about active transfers through the contact in section 1.
7. Retention
Postato keeps personal data only for as long as necessary to fulfill the purposes described in this policy or to comply with legal obligations. The general criteria are:
- Account data: kept while the account is active. After deletion, removed within 30 days, except for fields that must be retained to comply with legal obligations.
- OAuth tokens of connected networks: kept while the corresponding social account is connected. Removed immediately on disconnection or account deletion.
- Submitted content and delivery records: kept for the operational period necessary to retry, audit, and report deliveries, and then archived or removed according to internal retention rules. Specific retention windows will be defined and communicated before general availability.
- Operational logs: kept for the period strictly necessary to operate the service, investigate incidents, and protect against abuse.
- Billing records (when applicable): kept for the period required by tax and accounting law.
After the applicable retention period, data is deleted or anonymized.
8. Security
Postato applies technical and administrative measures to protect personal data, including:
- Encryption in transit (HTTPS) for all interactions with the interface.
- Encryption at rest for sensitive credentials, including OAuth tokens of connected networks and webhook secrets.
- Storage of API keys and equivalent secrets only as one-way hashes, never in plain text.
- Validation of submissions at the entry point of the service to reject malformed or unsafe payloads.
- Workspace isolation by construction: data belonging to one workspace is not accessible to other workspaces.
- Protections against requests directed at private network ranges and internal services from public inputs.
- Application of rate limits per API key and per connected platform to prevent abuse.
- Internal access on a least-privilege basis.
No service is fully immune to incidents. In the event of a security incident that may pose a relevant risk to your rights, Postato will notify the National Data Protection Authority (ANPD) and the affected data subjects within the period set by the LGPD, by the means available.
9. Your rights as a data subject
Under Article 18 of the LGPD, you have the right to:
- Confirm whether Postato processes your personal data.
- Access your personal data.
- Correct incomplete, inaccurate, or outdated data.
- Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD.
- Request the portability of your data to another service or product provider, in compliance with commercial and industrial secrets and the regulations of the ANPD.
- Request deletion of personal data processed under your consent.
- Obtain information about the public and private entities with which Postato has shared your data.
- Obtain information about the possibility of refusing consent and the consequences of refusal.
- Withdraw a previously given consent at any time.
- Object to processing carried out under one of the hypotheses of Article 11 of the LGPD, in case of non-compliance.
You may exercise these rights by writing to legal@postato.com.br. Postato may need to verify your identity before responding. Postato will reply within the period set by the LGPD and the ANPD.
10. Children and adolescents
Postato is not directed at children or adolescents and does not knowingly collect personal data from people under 18 years of age. If you become aware that a person under 18 has created an account, please contact legal@postato.com.br so we can remove the account and the associated data.
11. Cookies and tracking
The Postato website does not set non-essential cookies before you give consent. The cookie consent banner shown on your first visit lets you accept or decline analytics cookies. You may change your choice at any time through the same banner. Cookies that are strictly necessary to the operation of the website (for example, to remember your consent choice or to keep an authenticated session) do not depend on consent.
12. Automated decisions
Postato does not take automated decisions that produce legal effects on you or that significantly affect your interests. Validation of submissions and application of rate limits are technical operational rules and do not constitute automated profiling.
13. Changes to this policy
Postato may update this policy. Material changes will be communicated by email to the address on your account at least 15 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent version.
14. Contact
For privacy questions, requests under Article 18 of the LGPD, or to contact the person in charge of data processing: legal@postato.com.br