Privacy Policy

1. Introduction

PostOnce is operated by Lucro Limited, a private company limited by shares registered in the Republic of Ireland (CRO 811725) with its registered office in Co. Kildare, Ireland. In this Privacy Policy, "PostOnce," "we," "our," and "us" refer to Lucro Limited.

Lucro Limited is the data controller for personal data processed through the PostOnce platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our social media scheduling platform and services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password. If you sign up using a third-party service (such as Google), we receive your name and email from that service.

2.2 Social Media Account Data

When you connect your social media accounts (Instagram, Facebook, TikTok, YouTube, Pinterest, LinkedIn, X (Twitter), or Bluesky), we collect access tokens and basic profile information necessary to post content on your behalf. This includes:

• Account usernames and profile pictures
• Page/account IDs
• Access tokens (encrypted and stored securely)
• Basic engagement metrics for analytics

2.3 Content You Create

We store the content you create and schedule through our platform, including text, images, videos, and scheduling preferences.

2.4 Usage Data

We automatically collect certain information about your device and how you interact with our services, including IP address, browser type, and pages visited.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Schedule and publish content to your connected social media accounts
• Send you updates, security alerts, and support messages
• Provide analytics about your social media performance
• Detect, prevent, and address technical issues or fraud
• Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

• Social Media Platforms: To publish content on your behalf through their APIs
• Service Providers: Third-party vendors who assist in operating our platform (hosting, analytics)
• Legal Requirements: When required by law or to protect our rights

4a. Subprocessors

We engage a small number of trusted subprocessors to operate the Service. Each is bound by written contractual terms requiring appropriate technical and organisational measures consistent with GDPR Article 28.

Infrastructure subprocessors

• Stack Auth (@stackframe/stack) — authentication and session management
• Lemon Squeezy — billing, payments and merchant of record (Ireland)
• Bunny CDN — media delivery and edge caching
• Resend — transactional email delivery
• Hetzner (Helsinki, EU) — PostgreSQL and Redis hosting for primary data and queues

Social platform recipients

When you connect a social account, content and metadata you choose to publish are transmitted to the relevant platform on your behalf:

• Meta Platforms (Instagram, Facebook)
• TikTok
• Google (YouTube)
• LinkedIn
• Pinterest
• Bluesky
• X (Twitter)

We may engage additional subprocessors as the Service evolves and will update this list accordingly. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information. Access tokens are encrypted at rest, and all data transmission uses HTTPS encryption. However, no method of transmission over the Internet is 100% secure.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. When you delete your account, we will delete your personal information within 30 days, except where retention is required by law.

7. Your Rights

Depending on your location, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information
• Object to or restrict certain processing
• Data portability
• Withdraw consent at any time

To exercise these rights, please contact us at privacy@postonce.app.

Right to lodge a complaint (GDPR Article 77). If you are based in the European Economic Area, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Data Protection Commission of Ireland (DPC): www.dataprotection.ie. You may also lodge a complaint with the supervisory authority in your country of residence.

8. Third-Party Platform Integrations

Our service integrates with the following third-party platforms. Your use of these platforms is governed by their respective privacy policies:

8.1 Meta (Instagram & Facebook)

When you connect your Instagram or Facebook account, we access:

• Your Instagram Business/Creator account profile information
• Ability to publish photos, videos, reels, and stories on your behalf
• Comment management for posts published through our service
• Basic engagement metrics (likes, comments, reach)

Meta Privacy Policy: facebook.com/privacy/policy

8.2 TikTok

When you connect your TikTok account, we access:

• Your TikTok profile information
• Ability to upload and publish videos on your behalf
• Video performance metrics

TikTok Privacy Policy: tiktok.com/legal/privacy-policy

8.3 YouTube (Google)

When you connect your YouTube account, we access:

• Your YouTube channel information
• Ability to upload videos and Shorts on your behalf
• Video analytics and performance data

Google Privacy Policy: policies.google.com/privacy

8.4 Pinterest

When you connect your Pinterest account, we access:

• Your Pinterest profile and boards
• Ability to create and publish pins on your behalf
• Pin performance analytics

Pinterest Privacy Policy: policy.pinterest.com/privacy-policy

8.5 LinkedIn

When you connect your LinkedIn account, we access:

• Your LinkedIn profile information
• Ability to publish posts on your behalf
• Post engagement metrics

LinkedIn Privacy Policy: linkedin.com/legal/privacy-policy

8.6 X (Twitter)

When you connect your X account, we access:

• Your X profile information
• Ability to publish posts and threads on your behalf
• Post engagement metrics

X Privacy Policy: x.com/en/privacy

8.7 Bluesky

When you connect your Bluesky account, we access:

• Your Bluesky profile information
• Ability to publish posts on your behalf
• Post engagement metrics

Bluesky Privacy Policy: bsky.social/about/support/privacy-policy

9. Disconnecting Accounts & Data Deletion

You can disconnect any connected social media account at any time from your PostOnce dashboard under Settings → Connected Accounts. When you disconnect an account:

• We immediately revoke and delete the access tokens
• We stop accessing data from that platform
• Previously scheduled posts for that account will be cancelled
• Historical analytics data may be retained for your records

To request complete deletion of all your data, email us at privacy@postonce.app or delete your account from Settings → Account → Delete Account.

Meta Data Deletion: You can also request data deletion directly through Facebook's settings. When we receive a data deletion request from Meta, we will delete all data associated with your Facebook/Instagram accounts within 30 days.

Data Deletion Request URL: https://postonce.app/api/auth/facebook/data-deletion
Status page: /data-deletion-status

10. Children's Privacy

Our services are not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in compliance with applicable data protection laws, including GDPR for European users.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and where appropriate, sending you an email notification.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Data Controller: Lucro Limited (CRO 811725)
Registered Office: Co. Kildare, Ireland
Email: privacy@postonce.app (or privacy@lucro.ie)
Website: https://postonce.app
Parent Company: https://lucro.ie
Data Protection Inquiries: For GDPR-related requests, email gdpr@postonce.app