Last updated: February 1, 2026
Privacy Policy
This Privacy Policy describes how PostMonk ("we," "us," or "our") collects, uses, stores, and shares your personal information when you use our social media management platform and related services.
1. Information We Collect
We collect information in the following categories:
1.1 Account Information
When you create a PostMonk account, we collect:
- Full name, email address, and company or agency name
- Billing information (processed securely by our third-party payment provider — we do not store full credit card numbers)
- Role and team membership information
1.2 Connected Social Media Accounts
When you connect social media accounts to PostMonk, we access data through each platform's official API. This may include:
- Meta (Facebook & Instagram): Page and profile information, post content and media, engagement metrics, audience insights, and comments — accessed via the Meta Graph API
- X (Twitter): Profile information, tweets, engagement metrics, and follower data — accessed via the X API v2
- LinkedIn: Organization page data, post content, engagement metrics, and follower demographics — accessed via the LinkedIn Marketing API
- TikTok: Account profile information, video metadata, and engagement metrics — accessed via the TikTok Content Posting API
- YouTube: Channel information, video metadata, engagement metrics, and subscriber data — accessed via the YouTube Data API
We only request the minimum permissions necessary to provide our services. OAuth tokens are encrypted at rest and are never shared with third parties.
1.3 Content You Create
We collect content you create, upload, schedule, or draft within PostMonk, including text, images, videos, captions, hashtags, and any AI-generated content.
1.4 Usage Data
We automatically collect information about how you interact with our platform, including pages visited, features used, actions taken, device type, browser type, IP address, and referral source.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To operate PostMonk, publish content to connected platforms, manage scheduling, and facilitate client approval workflows
- AI content generation: To power the AI Studio feature, which generates platform-optimized content, captions, and hashtags based on your inputs and brand voice settings
- Analytics: To provide performance insights and reporting across your connected social media accounts
- Communication: To send you service updates, security alerts, and support messages
- Product improvement: To analyze aggregated, de-identified usage patterns to improve our platform
- Legal compliance: To comply with applicable laws, regulations, and legal processes
3. How We Share Your Information
We do not sell your personal information. We may share your data only in these circumstances:
- Connected platforms: When you publish or schedule content, we transmit that content to the connected social media platform's API on your behalf
- Service providers: We use trusted third-party providers for hosting (Google Cloud), payment processing (Stripe), email delivery, and error monitoring. These providers process data on our behalf under strict contractual obligations
- Legal obligations: We may disclose information if required by law, regulation, legal process, or governmental request
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction
- With your consent: We may share information when you explicitly direct us to do so
4. Data Retention
We retain your data for as long as your account is active or as needed to provide you services. Specifically:
- Account data: Retained while your account is active and deleted within 30 days of account closure
- Content data: Retained while your account is active. Drafts and scheduled content are deleted within 30 days of account closure
- Connected platform data: OAuth tokens and cached platform data are deleted within 24 hours of disconnecting a social account, or within 30 days of account closure
- Analytics data: Aggregated, de-identified analytics may be retained for product improvement purposes
- Legal requirements: Some data may be retained longer if required by applicable law
5. Data Security
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit using TLS 1.3
- Social media OAuth tokens are encrypted at rest using AES-256-GCM
- Infrastructure hosted on Google Cloud Platform with SOC 2 Type II compliance
- Role-based access controls limit employee access to user data
- Regular security audits and vulnerability assessments
- Automatic session expiration and multi-factor authentication support
For more information, see our Security Practices page.
6. Platform-Specific Data Practices
6.1 Meta (Facebook & Instagram)
PostMonk accesses your Facebook Pages and Instagram Professional accounts through the Meta Graph API. We comply with the Meta Platform Terms and Meta Developer Policies. You can revoke PostMonk's access at any time through Facebook Settings → Apps and Websites. Upon disconnection, we delete all cached Meta data within 24 hours. To request deletion of your data, see our Data Deletion page.
6.2 X (Twitter)
We access your X account through the X API v2 in compliance with the X Developer Agreement and Policy. If content is deleted on X, we remove the corresponding data from PostMonk within 24 hours. You can revoke access through X Settings → Security and account access → Apps and sessions.
6.3 LinkedIn
PostMonk accesses your LinkedIn Organization Pages through the LinkedIn Marketing API in compliance with the LinkedIn API Terms of Use. Upon revoking access, all cached LinkedIn data is deleted within 30 days. You can revoke access through LinkedIn Settings → Data privacy → Permitted services.
6.4 TikTok
We access your TikTok account through the TikTok Content Posting API in compliance with the TikTok Developer Terms of Service. Content is only posted with your explicit approval through PostMonk's scheduling or approval workflow. You can revoke access through TikTok Settings → Security → Manage app permissions.
6.5 YouTube
PostMonk accesses your YouTube channel through the YouTube Data API in compliance with the YouTube API Services Terms of Service and the Google API Services User Data Policy. By using PostMonk's YouTube integration, you also agree to be bound by Google's Privacy Policy. You can revoke access through Google Account permissions.
7. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to restriction: Request that we restrict processing of your data
- Right to data portability: Request your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete: Request deletion of your personal information
- Right to opt-out: Opt out of the "sale" of personal information (we do not sell personal information)
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
To submit a request, email [email protected] or visit our Data Deletion page. We will verify your identity and respond within 45 days.
9. Cookies and Tracking
We use cookies and similar technologies to operate our platform and improve your experience. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
10. Children's Privacy
PostMonk is not directed to children under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
11. International Data Transfers
PostMonk is operated from the United States. If you are accessing our services from outside the US, your data will be transferred to and processed in the US. We implement appropriate safeguards, including Standard Contractual Clauses, to protect your data during international transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or sending you an email. Your continued use of PostMonk after any changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
- Email: [email protected]
- Data Deletion Requests: postmonk.ai/data-deletion