Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains what tinyposter, operated by Franc & Eli, LLC (“tinyposter,” “we,” “us”), collects, why, and what choices you have. We aim to collect the minimum amount of information needed to run the service. We do not sell your personal information.

1. Information we collect

Account information.

When you sign up we collect your email address and any name you provide, via Supabase Auth. If you sign in with a third-party identity provider, we receive the basic profile information that provider returns.

Connected social accounts.

When you connect a social platform (X, Threads, Bluesky, Facebook, Instagram, LinkedIn, TikTok, and others available through our publishing partner Bundle.social), we receive identifiers, handles, and profile metadata for those accounts. OAuth tokens for those platforms are held by Bundle.social on our behalf; tinyposter does not store the raw access tokens.

Content you create.

We store the post content you draft, schedule, or publish (including text, images, and metadata such as target accounts, scheduled time, and publish status).

Billing information.

Payments are handled by Stripe. We receive your subscription state, plan, customer ID, and invoice metadata from Stripe. We do not see or store your card number or full payment credentials.

MCP and API tokens.

We store a hash of any tokens you generate, along with a label, the last few characters for display, and usage timestamps. The full token is shown only once at creation.

Usage and logs.

Our hosting provider (Vercel) and database provider (Supabase) record standard server logs (including IP address, user agent, request paths, and timestamps) for security, debugging, and abuse prevention. We use these logs short-term and rely on those providers' retention policies.

Cookies.

We use cookies that are strictly necessary to keep you signed in and to keep the dashboard working (for example, the Supabase Auth session cookie and Stripe's billing portal cookies). We do not use analytics or advertising cookies. Because these cookies are strictly necessary, no consent is required, but we display a cookie notice on first visit so you are informed.

2. How we use your information

• to operate the service: authenticate you, store your posts, deliver them to connected platforms, and surface their status;
• to bill you and manage your subscription;
• to enforce quotas, rate limits, and our acceptable-use rules;
• to communicate with you about your account, security, and material changes to the service;
• to debug, improve, and secure the service;
• to comply with legal obligations.

We do not use Your Content to train AI models. We do not sell or rent your personal information to third parties.

3. Subprocessors

We share information with the following service providers, only as needed to run the service. Business customers subject to GDPR/UK GDPR should also review our Data Processing Addendum.

• Supabase — authentication and database hosting.
• Vercel — web hosting and serverless functions.
• Stripe — subscription billing and payment processing.
• Bundle.social — OAuth with social platforms and publishing on your behalf.

Each subprocessor handles your information under its own privacy policy. The connected social platforms themselves (X, Meta, etc.) act as independent controllers for the data you publish to them.

4. Data retention

We keep your account data for as long as your account is active. When you delete your account, we delete or anonymize your account record, drafts, scheduled posts, and connected-account metadata within 30 days, subject to short retention windows in backups. We may keep limited records longer when necessary to comply with legal obligations, resolve disputes, or enforce our agreements (for example, billing records required by tax law).

5. Security

We rely on TLS in transit, row-level security in our database, scoped credentials for subprocessors, and hashed storage for MCP tokens. No system is perfectly secure; if we discover a breach affecting your information we will notify you as required by law.

6. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information, to object to or restrict certain processing, and to withdraw consent. You can exercise most of these rights directly from your dashboard, or by emailing us at hello@tinyposter.app. We will respond within the timeframes required by applicable law (typically 30 days). You also have the right to lodge a complaint with a data protection authority.

California residents have specific rights under the CCPA/CPRA, including the right to know, delete, and correct, and the right to opt out of “sale” or “sharing.” tinyposter does not sell your personal information and does not share it for cross-context behavioral advertising. Because we do not sell or share, no opt-out is required, but you may still email us at hello@tinyposter.app to confirm or to make any other CCPA/CPRA request, and we will not discriminate against you for doing so.

7. International transfers

tinyposter and our subprocessors are based in the United States. If you access the service from outside the U.S., your information will be processed in the U.S. and other jurisdictions where our subprocessors operate. We rely on appropriate safeguards (such as standard contractual clauses) where required.

8. Children

The service is not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.

9. Changes to this policy

If we make material changes, we will update the “Last updated” date above and, where required, give you additional notice (such as an email or in-app message). Continued use of the service after the changes take effect means you accept the updated policy.

10. Contact

For privacy questions or to exercise any of the rights described above, email hello@tinyposter.app or write to our data controller at: