Draft — pending legal review. This document has not been reviewed by qualified legal counsel. Do not make this public until review is complete.
Privacy Policy
Effective date: 2026-04-19 · Last updated: 2026-04-19
LetsPost (“the Service”, “we”, “us”) helps creators schedule and publish short-form videos to third-party platforms (TikTok, Instagram, YouTube, Facebook). This policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have over it — including rights under the GDPR (EU/EEA), the LGPD (Brazil), and similar data protection laws.
Profile data: brand or client profile names you create inside the Service.
OAuth tokens: encrypted access tokens and refresh tokens issued by TikTok, Instagram/Meta, YouTube/Google, and Facebook when you connect those accounts.
Post metadata: titles, captions, scheduling times, target platforms, and publishing status.
Uploaded media: videos you upload are stored in Firebase Storage until published or deleted.
WhatsApp pairing data (optional): if you connect your WhatsApp number to the bot, we store the phone number and an encrypted session state. Message content is processed ephemerally and not permanently stored.
Diagnostic data: error messages, stack traces, and request metadata, collected only if you consent to analytics cookies.
3. How we use your data
Authenticate you and enforce access control to your own data.
Publish the videos you explicitly create to the platforms you explicitly authorize.
Refresh OAuth tokens as required by each platform.
Operate, maintain, and secure the Service.
Diagnose and fix errors (only if you have opted in to analytics cookies).
Send you transactional notifications about your account or subscription (no marketing emails without your explicit consent).
4. Legal bases for processing (GDPR / LGPD)
Contract performance: processing necessary to provide the Service you signed up for.
Legitimate interest: security, fraud prevention, service improvement.
Consent: analytics and error tracking (you can withdraw via the cookie preference center).
Legal obligation: where we are required to process data by applicable law.
5. Third-party platforms and processors
When you connect a social account, that platform's own privacy policy also governs the data exchanged. We request only the minimum scopes required to post on your behalf.
We use the following sub-processors:
Google Firebase / Firestore / Storage — data storage and authentication (Google Cloud, EU/US)
Sentry — error tracking, only if you consent to analytics cookies
Stripe — payment processing (no card numbers touch our servers)
Meta (WhatsApp Cloud API) — if you use the WhatsApp agent feature
6. Storage, security, and international transfers
Data is stored in Google Cloud Firestore and Firebase Storage, primarily in the United States (us-central1) region. OAuth tokens are encrypted at rest using AES-256-GCM. Access to production data is restricted to authorized operators only.
If you are located in the European Economic Area or Brazil, your data may be transferred to servers in the United States. Such transfers are governed by Google's Standard Contractual Clauses (SCCs).
7. Data retention
Uploaded media: retained in Firebase Storage until you delete the associated post or your account.
Post metadata and profile data: retained until you request account deletion, then deleted within 24 months after account deletion.
OAuth tokens: deleted immediately when you disconnect an account.
Diagnostic logs: retained for 90 days.
Billing records: retained for 7 years as required by applicable accounting law.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data:
Access: request a copy of the data we hold about you.
Rectification: request correction of inaccurate data.
Erasure (“right to be forgotten”): request deletion of your data.
Portability: receive your data in a structured, machine-readable format.
Restriction / objection: restrict or object to certain processing activities.
Withdraw consent: at any time, via the cookie preference center or by contacting us.
To exercise any of these rights, contact adriano.neps@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. ANPD in Brazil, or the supervisory authority of your EU member state).
9. Cookies
We use a strictly necessary session cookie for authentication and an optional analytics cookie (Sentry) that you can accept or reject via our cookie preference center. We do not use advertising or tracking cookies.
10. Children
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe we have done so, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect.
12. Contact
Questions about this policy or requests to exercise your data rights: adriano.neps@gmail.com