1. What We Collect
When you subscribe to TracPost, we collect and store:
- Your email address and account credentials (password stored as a bcrypt hash, or passwordless via magic link)
- Business information you provide: business name, type, location, and website URL
- Social media account profile information (usernames, account IDs) from connected platforms: Instagram, Facebook, TikTok, Twitter/X, YouTube, Pinterest, LinkedIn, and Google Business Profile
- OAuth access tokens and refresh tokens for publishing to connected platforms, encrypted at rest using AES-256-GCM
- Media assets you upload (photos, videos) stored on Cloudflare R2
- Content generated by our AI pipeline: blog posts, social captions, SEO metadata, brand playbook data
- Usage data: actions taken, API calls, pipeline activity logs
- Payment information processed by Stripe (we do not store credit card numbers)
2. How We Use Your Data
- Authenticate your identity and manage your session across web dashboard and mobile app
- Publish content to your connected social media accounts on your behalf
- Generate AI-powered content: blog posts, social captions, brand playbooks, and content strategy
- Host your blog microsite and serve it via your custom domain or TracPost subdomain
- Analyze your uploaded media using AI vision for content triage, persona detection, and quality scoring
- Send transactional emails: welcome messages, verification codes, pipeline notifications
- Monitor token expiration and automatically refresh platform credentials
- Display your account status, connected platforms, scheduled content, and analytics
3. Platform-Managed Accounts
TracPost may create and manage social media accounts on your behalf as part of our managed service. These accounts are branded with your business information and used exclusively for publishing your content. You may request transfer of account ownership at any time. Upon cancellation, managed accounts are either transferred to you or deactivated per your preference.
4. Data Storage and Security
Your data is stored in a PostgreSQL database hosted by Neon with encryption at rest (AES-256) and TLS in transit. OAuth tokens are encrypted at the application layer using AES-256-GCM before storage — they cannot be read via database access alone. Passwords are hashed using bcrypt and are never stored in plaintext. Media assets are stored on Cloudflare R2 with access controls. Payment processing is handled entirely by Stripe; we never see or store your credit card information.
5. Third-Party Services
TracPost integrates with the following third-party services:
- Meta (Facebook/Instagram) — social media publishing via Graph API
- TikTok — video publishing via Content Posting API
- Twitter/X — tweet publishing via API v2
- Google (YouTube, Business Profile) — video publishing and local business posts
- Pinterest — pin creation via API v5
- LinkedIn — professional content publishing via Marketing API
- Anthropic (Claude AI) — content generation, vision analysis, brand intelligence
- Stripe — subscription billing and payment processing
- Cloudflare R2 — media asset storage
- Resend — transactional email delivery
- Vercel — application hosting and blog domain provisioning
Each platform's own privacy policy applies to data shared through their APIs. We do not sell, rent, or share your data with any parties beyond these service integrations.
6. AI Content Generation
TracPost uses AI (Anthropic Claude) to generate content on your behalf. Your business information, uploaded media, and brand playbook data are sent to the AI API as prompts. Generated content (blog posts, captions, hooks) is stored in your account. We do not use your data to train AI models. Anthropic's data retention policies apply to API calls — refer to Anthropic's privacy policy for details.
7. Data Retention
We retain your data for as long as your account is active. Upon cancellation:
- Your account remains accessible for 30 days (grace period)
- Blog redirects to your new URL remain active for 120 days (to preserve SEO)
- After 120 days, all data is permanently deleted
- You may export all your data at any time from the dashboard
When you disconnect a social account, we revoke the access token with the platform and delete the credential record from our database.
8. Your Rights
- Disconnect any social account at any time from the dashboard
- Export all your data (posts, media, configuration) at any time
- Request transfer of platform-managed social accounts
- Request deletion of all your data by contacting us
- Revoke TracPost's access via each platform's app settings
9. Data Deletion
To request deletion of your data, visit our data deletion page or contact us at the email below. We will process deletion requests within 30 days.