Privacy Policy | PostStage

1. Who we are

PostStage (“PostStage”, “we”, “us”, “our”) is a social media scheduling and publishing service operated by Mathurs24.com, with billing and GST invoicing handled by our affiliated entity Cloudy24. We are based in India and our service (trypoststage.com) is available to customers worldwide, without geographic restriction.

This Privacy Policy explains what personal data we collect, how we use it — including data we receive through the official APIs of Meta (Facebook, Instagram, Threads), Google (YouTube, Google Business Profile), X (formerly Twitter), Pinterest, LinkedIn, and Bluesky — and the choices and rights you have. It applies to every visitor, registered user, and connected social account on PostStage.

If you have questions about this policy or wish to exercise any of the rights described below, contact our Privacy / Grievance Officer at info@trypoststage.com.

2. Information we collect

2.1 Information you provide directly

Account details: name, email address, password (stored as a salted hash, never in plain text), and profile image.
Optional profile fields: Instagram handle entered at signup (kept for reference/display only — it is not used for API authentication), and your preferred timezone.
Content you create or upload: post captions, hashtags, hashtag groups, templates, drafts, and media files (images/videos) you schedule or publish through PostStage.
Billing details you enter at checkout, processed directly by our payment processor (see Section 5).
Communications you send us — support requests, feedback, enquiry-form submissions.

2.2 Information collected automatically

Login/session metadata: IP address and user-agent captured at signup for anti-abuse review, and session/authentication cookies needed to keep you signed in.
Usage data: pages viewed, features used, posting activity, and error/diagnostic logs, used to operate and improve the service.
Google reCAPTCHA signals on certain forms, used purely for bot/abuse prevention.

We do not use third-party advertising trackers, ad pixels, or cross-site analytics cookies on PostStage.

2.3 Information from connected social media accounts

When you connect a social account, PostStage uses that platform's official OAuth flow. You are shown the platform's own consent screen and you control exactly what is authorized. We request only the permissions (“scopes”) needed to schedule, publish, and report on your content — nothing more. Per platform:

Platform	Scopes requested	What we use it for
Facebook Pages (Meta)	pages_show_list, pages_manage_posts, pages_read_engagement, pages_manage_engagement, business_management, public_profile	List Pages you administer (directly or via a Business Portfolio), publish posts/photos to a Page you select, and read basic engagement metrics on your own posts.
Instagram (Meta)	instagram_business_basic, instagram_business_content_publish, instagram_business_manage_comments	Identify your connected Instagram Business/Creator account, publish posts/Reels/carousels you schedule, and manage the auto first-comment feature (if you enable it).
Threads (Meta)	threads_basic, threads_content_publish	Identify your Threads profile and publish posts you schedule.
X (Twitter)	tweet.read, users.read, tweet.write, offline.access	Identify your X profile, publish posts you schedule, and refresh your access token in the background (offline.access) so you don't have to reconnect every two hours.
YouTube (Google)	youtube.upload, youtube.readonly	Upload videos/Shorts you schedule to your channel and read basic channel/video information needed to confirm a successful upload.
Google Business Profile	business.manage	List the business locations you manage and publish Business Profile posts/updates you schedule to a location you select.
Pinterest	boards:read, boards:write, pins:read, pins:write, user_accounts:read	List your boards, create/schedule Pins to a board you select, and read your basic Pinterest account info.
LinkedIn	openid, profile, w_member_social	Identify your LinkedIn profile and publish posts you schedule as you.

For each connected account we store: the platform's account/page/channel/board ID, username or display name, profile picture URL, account type, and the OAuth access token (and refresh token, where the platform issues one). Tokens are encrypted at rest and are used solely to publish the content you schedule and to display basic account status inside your PostStage dashboard. We do not read your DMs, private messages, contacts, or any content other platforms also let people see publicly unless that data is required to perform the publishing action you requested.

Bluesky works differently — no OAuth consent screen is involved.You generate a revocable “App Password” yourself in your Bluesky account settings and enter it, together with your handle, directly into PostStage. We use it once to obtain a session (an access token and refresh token issued by Bluesky), which we store encrypted the same way as every other platform's token. Because you create and control this credential, you can revoke it at any time directly on Bluesky — at bsky.app/settings/app-passwords— independently of disconnecting it in PostStage. We store your handle, DID (Bluesky's permanent account identifier), the session tokens, and the post content/images you schedule — nothing more.

2.4 Payment information

Subscription payments are processed by Razorpay, a PCI-DSS compliant payment gateway. PostStage does not collect or store your full card number, CVV, or UPI PIN — Razorpay handles that directly. We retain only the transaction reference, plan, billing cycle, amount, and GST details needed for invoicing and accounting under Indian tax law.

3. How we use your information

To provide the core service: scheduling, queuing, and publishing your content to the platforms you connect, at the time you choose.
To authenticate you, maintain your session, and protect your account (fraud/abuse detection, signup review).
To process payments, generate GST-compliant invoices, and manage your subscription.
To send transactional emails and in-app notifications you've opted into (post failures, channel/connection updates, post confirmations, billing) — each is individually toggleable in Settings.
To provide customer support and respond to enquiries.
To maintain, debug, and improve PostStage's reliability and features.
To comply with legal obligations, including tax, accounting, and law-enforcement requests.

We do not sell your personal data, and we do not use it to serve third-party advertising.

4. Platform API data — Limited Use & policy compliance

Where PostStage accesses data through a third-party platform's API, our use of that data is limited to providing or improving the user-facing features you request (publishing, scheduling, and basic status/analytics for your own content), and is governed by that platform's developer policy in addition to this Privacy Policy:

Meta Platform Terms & Developer Policies (Facebook, Instagram, Threads)
Google API Services User Data Policy, including its Limited Use requirements (YouTube, Google Business Profile)
X Developer Agreement and Policy
Pinterest Developer Terms
LinkedIn API Terms of Use

In line with these policies: PostStage does not sell platform API data, does not use it for advertising, and does not allow employees or contractors to read it except where necessary for security, legal compliance, or with your explicit consent for support purposes (e.g., debugging a failed post at your request). Data is transferred to a third party only as described in Section 5, or with your direction.

5. Who we share information with

We use a small number of trusted service providers (“subprocessors”) to run PostStage. None of them are permitted to use your data for their own purposes.

Vercel — application hosting and object/blob storage for uploaded media.
Neon / Vercel Postgres — primary database (account, post, and scheduling data).
Razorpay — payment processing (India).
Zoho ZeptoMail — transactional email delivery (account, billing, and post notifications).
Upstash (QStash) — background job scheduling that triggers your posts to publish at the exact time you set.
Google reCAPTCHA — bot/abuse protection on public forms.
The social platforms themselves — when you schedule a post, the content you authored is sent to that platform's API at publish time, exactly as if you had posted it yourself.

We may also disclose information if required by law, to enforce our Terms of Service, to protect the rights/safety of PostStage or our users, or in connection with a merger, acquisition, or sale of assets (with notice to you).

6. Data storage, security & retention

All traffic to PostStage is encrypted in transit (HTTPS/TLS).
Social platform access and refresh tokens are encrypted at rest.
Passwords are stored as salted hashes — we never store or have access to your plaintext password.
Access to production data is restricted to authorized PostStage personnel on a need-to-know basis.
When you disconnect a social account, its access tokens are deleted from our systems immediately; historical post records for that account are kept for your own reference unless you request their deletion.
We retain account data for as long as your account is active. If you delete your account (Section 8 and our Data Deletion page), we delete your personal data and connected-account tokens, except billing/invoice records, which Indian tax law requires us to retain for up to 8 years.
Backups are rotated and purged on a routine schedule; deleted data is removed from backups within a reasonable period as part of that cycle.

No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.

7. Cookies

PostStage uses only essential cookies: signed-in session cookies, and short-lived, httpOnly cookies used during the OAuth connection flow (to verify the round-trip and prevent CSRF). We do not use third-party advertising or cross-site tracking cookies. Google reCAPTCHA may set its own cookies when active on a form, governed by Google's privacy policy.

8. Your rights & choices

Regardless of where you live, you can at any time:

Access, correct, or update your account information from Settings.
Disconnect any connected social account from the Accounts page — this immediately revokes and deletes the stored token.
Export or request a copy of the personal data we hold about you.
Request deletion of your account and associated personal data — see our Data Deletion Instructions.
Opt in or out of individual notification types from Settings → Notifications.
Withdraw consent for a connected platform at any time by disconnecting it or revoking access directly on that platform's app-permissions page.

8.1 India — Digital Personal Data Protection Act, 2023

As an Indian entity, we process personal data consistent with the DPDP Act, 2023. You have the right to access, correct, update, and erase your personal data, and to withdraw consent at any time. Our Grievance Officer for DPDP Act purposes is reachable at info@trypoststage.com; we aim to acknowledge grievances within 7 days and resolve them within 30 days.

8.2 EEA / UK — GDPR

If you are in the EEA or UK, you additionally have the right to data portability, to restrict or object to certain processing, and to lodge a complaint with your local data protection authority. Our lawful bases for processing are: performance of a contract (providing the service you signed up for), legitimate interest (security, fraud prevention, service improvement), and consent (where you explicitly grant platform permissions or opt into notifications).

8.3 California — CCPA/CPRA

California residents have the right to know what personal information we collect, request its deletion, and opt out of its “sale” or “sharing.” We do not sell or share personal information as defined under the CCPA/CPRA.

To exercise any of these rights, email info@trypoststage.com. We may need to verify your identity before fulfilling a request.

9. International data transfers

PostStage is operated from India and uses infrastructure providers (Vercel, Neon, Upstash) that may process data on servers located outside India, including in the United States. By using PostStage, you understand your data may be transferred to and processed in countries with different data protection laws than your own. We require our subprocessors to maintain appropriate safeguards consistent with their respective certifications and contractual commitments.

10. Children's privacy

PostStage is not directed at, and is not intended for use by, anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us personal data, contact us at info@trypoststage.com and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal/regulatory reasons. We will post the revised policy here with an updated effective date, and for material changes we will notify you by email or an in-app notice.

12. Contact us

Questions, requests, or complaints about this Privacy Policy or our data practices can be sent to info@trypoststage.com. We aim to respond within 5 business days.