Privacy Policy
Last updated: May 11, 2026
1. Overview
PostCake ("PostCake", "we", "us") is a social media scheduling tool and publishing API that helps creators, teams, and software products post short-form video and related content to third-party platforms (TikTok, Instagram, YouTube, LinkedIn, X). This policy describes what we collect, why we collect it, how it is stored and shared, and what choices you have.
PostCake is the data controller for the account, billing, and usage data described below. For content posted to third-party platforms, those platforms are independent data controllers and their own privacy policies apply.
2. Data we collect
- Account data: name, email address, and password hash (or federated identity) used to sign in to PostCake.
- OAuth tokens issued by third-party platforms when you authorize PostCake to act on behalf of an account you control.
- Platform user identifiers (the platform-side user id, username, channel id, page id, and profile image URL) returned by the OAuth flow, so we can show you which account a scheduled post will publish from.
- Post content (video files, captions, hashtags, thumbnails) you upload to PostCake or submit through the API for publication.
- Post analytics (views, likes, comments, shares, and similar engagement metrics) fetched from third-party platforms about content published through PostCake.
- Billing data (plan, subscription status, invoice history). Card details are handled by our payment processor and never reach PostCake servers.
- Request logs (endpoint, method, status code, duration, error messages) for operational reliability and abuse prevention. Retained 90 days.
3. YouTube API Services / Google user data
PostCake's use of information received from YouTube APIs and Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. By using the YouTube features of PostCake you also agree to the YouTube Terms of Service and acknowledge the Google Privacy Policy.
We request the minimum YouTube scopes required to perform the actions you initiate:
- youtube.upload — to upload Shorts and videos you schedule from PostCake.
- youtube.readonly — to list channels and fetch metadata for posts you have published through PostCake.
- yt-analytics.readonly — to read view, like, and engagement counts for posts you have published through PostCake.
YouTube and Google data is used only to deliver the publishing and analytics features you initiate. We do not use it for advertising, we do not transfer it to third parties except as needed to provide the service (and only with comparable protections), and we do not allow humans to read it except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
You may revoke PostCake's access to your YouTube account at any time through the Google security settings page: https://myaccount.google.com/permissions.
4. Meta platforms (Instagram, Facebook, Threads)
When you connect an Instagram, Facebook, or Threads account, PostCake acts as a Meta platform developer and must comply with the Meta Platform Terms and Developer Policies. We request only the permissions necessary to publish content you submit and read engagement metrics for that content (instagram_content_publish, pages_show_list, pages_read_engagement, business_management, and read-only insights scopes).
We do not derive sensitive categories of data from Meta data, we do not sell or license it, and we do not use it for advertising or to build user profiles outside the publishing flow you initiate.
5. TikTok
When you connect a TikTok account, PostCake operates under the TikTok Developer Terms of Service. We use the Content Posting API to publish videos you schedule and the Display API / Insights endpoints to read engagement metrics for content published through PostCake. We do not combine TikTok data with data from other sources to build user profiles, and we do not share TikTok data with advertisers or data brokers.
6. How we store it
OAuth access and refresh tokens, and any third-party platform identifiers, are encrypted at rest using AES-256-GCM before being written to our database. Production data is hosted on DigitalOcean managed PostgreSQL in the EU region with encryption in transit and at rest enabled. Video files are streamed through PostCake's object storage during upload and are deleted after the post is published or after 30 days if a scheduled post is never sent — whichever comes first.
7. Subprocessors and sharing
We share data with third parties only as necessary to operate PostCake. We do not sell personal data, we do not share data with advertisers, and we do not use third-party platform data to retarget end users.
- DigitalOcean — managed PostgreSQL and object storage (EU region).
- Cloudflare — CDN, DDoS protection, and request log ingestion.
- Polar.sh — billing, subscription management, and payment processing. Card details are submitted directly to Polar and never touch PostCake servers.
- Resend — transactional email (sign-in links, invoices, post failure notifications).
- Amplitude — aggregated product analytics on the PostCake dashboard. Identifiers passed to Amplitude are opaque PostCake-internal ids; we do not forward third-party platform data.
- Third-party platforms (TikTok, Instagram, YouTube, LinkedIn, X) — receive only the content and instructions necessary to fulfill the publishing actions you initiate.
8. Data deletion
You can disconnect any third-party account from the PostCake dashboard under Settings → Connections. Disconnecting revokes the stored OAuth token and deletes the associated platform identifiers within 7 days.
You can delete your PostCake account from Settings → Account → Delete account. This permanently removes account data, scheduled posts, stored OAuth tokens, and analytics caches within 30 days. Anonymized aggregate counters and billing records required by tax law are retained for the period required by applicable regulations.
To request deletion by email, contact canberk.hayretdag@gmail.com from the email address on the account. We honor verified deletion requests within 30 days.
9. Your rights
Depending on where you live, you may have the right to access, correct, port, restrict, or delete your personal data, and to object to certain processing. To exercise these rights, contact canberk.hayretdag@gmail.com. You also have the right to lodge a complaint with your local data protection authority.
End users of platforms PostCake publishes to can revoke PostCake's access at any time from each platform's own authorization settings (YouTube/Google, Instagram, Facebook, TikTok, LinkedIn, X).
10. Retention
OAuth tokens are retained while a connection is active. Scheduled and published post records, captions, and analytics are retained while the account is active and for 30 days after deletion. Video source files are deleted after publication or after 30 days of an unsent scheduled post. Request logs are retained for 90 days. Billing records are retained for the period required by applicable tax law (typically 7–10 years).
11. International transfers
PostCake is operated from the EU. Where data is transferred to subprocessors outside the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.
12. Children
PostCake is not directed to and is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
13. Security
We use industry-standard controls (TLS in transit, AES-256-GCM at rest for secrets, least-privilege IAM, audit logging, automated dependency scanning). No system is perfectly secure; we encourage you to report suspected vulnerabilities to canberk.hayretdag@gmail.com.
14. Changes
We'll post material changes to this page and update the "Last updated" date. Continued use of PostCake after a change constitutes acceptance of the revised policy.
15. Contact
Data controller: PostCake. Questions, requests, or complaints: canberk.hayretdag@gmail.com.