This Privacy Policy explains how PostFactory handles information for sign-in, workspace, market, connected social accounts, analytics, device automation, proxy protection, and dashboard use.
Last updated: July 9, 2026
1. Controller and scope
PostFactory is operated by Matteo Laureti, VAT number 17723751008, Italy. PostFactory is the controller for personal information processed through the PostFactory dashboard and website. Privacy questions and requests can be sent to [email protected]. This Privacy Policy covers the current workflow: sign-in, workspace, market, social account records, connected account authorization, protected account credential records, stored analytics, device automation, proxy protection, billing, referrals, and dashboard use.
2. Information we collect now
Account information, such as name, email address, sign-in provider, authentication status, and user identifiers from our authentication providers.
Workspace and market information, such as workspace name, avatar URL, market name, country, language, timezone, and timestamps.
Social account information, such as platform, display name, public handle, market assignment, account status, connection status, analytics import readiness, and timestamps.
Connected platform authorization data for accounts you connect, such as authorization data, permissions, expiry information, and related account references used to maintain the connection.
Account credential information you choose to add for connected social accounts, such as login identifier, optional notes, encrypted password or recovery secret, and timestamps.
Stored analytics information, such as account and post analytics, imported social post metadata, aggregated analytics, freshness status, and readable performance summaries.
Device automation information, such as registered device records, device assignment status, run status, automation events, readable errors, and technical signals needed to operate device workflows.
Proxy protection information, such as device and workspace identifiers, assigned proxy country or region, connection status, protection status, expected and observed network exit IP, health-check timing, health-check results, latency, and operational security logs.
Technical and security information, such as logs, request metadata, IP address, browser/device information, error events, abuse signals, and authentication cookie state.
Referral information, such as referral partner profile, display name, email, referral code, terms version and acceptance time, attributed workspace, commission rate and amounts, currency, eligibility and payout status, refund or dispute adjustments, fraud/compliance review state, and manual payout audit records.
3. Sources of information
You provide information when you sign in, create workspaces, edit workspace profile details, create markets, and manage social account records.
Connected platforms, such as Instagram, Facebook, YouTube, and TikTok, provide authorization, account profile information, and available analytics data when you explicitly connect an account.
Registered Android devices generate device, proxy protection, and automation status information when you pair a device, assign a proxy, run workflows, or use device protection features.
Infrastructure, authentication, database, storage, and logging systems generate technical information needed to operate and secure the service.
Referral links and first-party cookies provide a referral code when a visitor follows a partner link. Stripe and our billing records provide subscription payment, refund, credit, and dispute status used to calculate and reconcile referral commission.
4. Purposes and legal bases
Provide the service: authenticate users, protect workspaces, manage markets, maintain social account records, manage connected account authorization, and display the dashboard. Legal basis: contract or steps requested before entering a contract.
Operate device and proxy protection features: pair devices, assign device network paths, verify connection health, reduce unintended routing outside the assigned network path, run requested automation workflows, and show device readiness. Legal basis: contract and legitimate interests.
Security and abuse prevention: detect misuse, investigate errors, enforce policies, and keep user-facing errors readable. Legal basis: legitimate interests and legal obligations.
Support and compliance: respond to requests, legal requests, deletion requests, and audits. Legal basis: legal obligations, legitimate interests, and contract.
Product improvement: understand reliability, usage patterns, and feature quality using product and technical signals. Legal basis: legitimate interests.
Operate the referral program: validate referral codes, prevent self-referral and fraud, attribute an eligible workspace, calculate and reconcile commissions, review payout eligibility, keep financial audit records, and handle partner requests. Legal basis: contract, steps requested before entering a contract, legitimate interests, and legal obligations where applicable.
5. Google data
PostFactory may use Google sign-in for authentication. Google processes data under its own policies, including the Google Privacy Policy.
For Google sign-in and YouTube connection features, PostFactory's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect YouTube, PostFactory requests read-only access so it can import your channel identity, uploaded-video metadata, and available channel or video statistics into your dashboard. PostFactory does not use YouTube access to publish, edit, delete, comment, like, subscribe, or perform other write actions.
PostFactory does not sell Google user data, use Google user data for advertising, transfer Google user data to data brokers, or allow humans to read Google user data except where necessary for security, support you request, legal compliance, or aggregated internal operations.
6. Connected platform data
Instagram: when you connect an Instagram account, PostFactory uses authorized platform access to read the account profile and available account or media insights for your dashboard.
Facebook: when you connect a Facebook Page, PostFactory uses authorized platform access to list the Pages you manage, store the selected Page connection, and import available Page or post metrics.
YouTube: when you connect YouTube, PostFactory uses authorized read-only platform access to identify the channel, list uploaded videos, and import available channel and video statistics.
TikTok: when you connect TikTok, PostFactory uses authorized platform access to read your basic profile, profile statistics, and accessible video metadata or video statistics for your dashboard.
PostFactory uses official platform APIs for connected-account analytics. Optional saved account credentials are separate from platform authorization and are stored only when you choose to add them for a connected account.
7. Device proxy protection
When proxy protection is enabled for a registered Android device, PostFactory may route that device's traffic through a dedicated network path managed by PostFactory.
On Android, this feature may require the operating system's VPN permission so PostFactory can route device traffic through the assigned path while the feature is active.
Proxy protection is designed for device consistency, proxy health verification, and reducing unintended routing outside the assigned network path. It is not an anonymity service.
We process limited technical metadata needed to provide, secure, troubleshoot, and verify the feature. This can include connection status, protection status, expected and observed exit IP, timing, health-check results, latency, and operational security logs.
We do not use proxy protection to create browsing profiles, and we do not intentionally store traffic contents, credentials transmitted through the device, browsing history, or full URLs as part of ordinary proxy protection operation.
Our service may process transient technical metadata needed to route traffic, resolve network requests, verify the assigned path, reduce unintended routing outside that path, diagnose errors, investigate abuse, and protect the service.
8. How we share information
Infrastructure providers and processors may host, store, process, secure, or monitor PostFactory on our behalf, including infrastructure, security, hosting, storage, logging, and network operations.
When you connect a social platform account, PostFactory communicates with that platform to complete authorization, read the account profile needed for setup, maintain the connection you requested, and retrieve available analytics data for connected accounts.
When device or proxy protection features are used, infrastructure and network providers may process technical information needed to operate, secure, monitor, and troubleshoot the assigned device network path.
Support, compliance, legal, or security recipients may receive information when needed to respond to your request, protect the service, comply with law, investigate abuse, or enforce these policies.
Stripe processes customer billing information used to determine eligible referral revenue. Referral payouts are currently handled through an external/manual process, so information reasonably necessary to verify and complete a payout may be shared with the selected payment, banking, accounting, tax, or compliance provider. Stripe Connect is not currently implemented for referral payouts.
We do not sell personal information or share it for cross-context behavioral advertising.
9. Cookies and similar technologies
PostFactory uses essential cookies and similar local storage mechanisms for authentication, session continuity, security, navigation, and referral attribution. When you follow a valid PostFactory referral link, a first-party referral cookie may store the partner's referral code for up to 90 days. Before conversion, the referral program uses a last-valid-click rule: a later code replaces the cookie and restarts the window only after PostFactory verifies that the referral profile is active; invalid or inactive codes do not replace a valid cookie. The cookie does not contain payment credentials, but the code can be linked to a referral partner and, if you subscribe, to your attributed workspace and billing status. You can remove the cookie through your browser settings before conversion, although doing so may prevent attribution. We do not currently use advertising cookies or third-party behavioral advertising pixels in the product.
10. Retention and deletion
Account, workspace, market, social account, connection metadata, and technical records are kept while needed to provide the service, maintain reliability, comply with law, resolve disputes, or protect security.
Stored platform authorization data is kept while needed to maintain the connection. Disconnecting a social account removes the stored authorization data while preserving the user-facing account record unless deletion is separately requested.
Proxy protection health checks are intended to be kept for a limited operational period, generally up to 90 days, unless a longer period is needed for security, abuse investigation, dispute resolution, legal compliance, or service integrity.
Proxy protection audit and security records are intended to be kept for a limited operational and compliance period, generally up to 12 months, unless a longer period is needed for security, abuse investigation, dispute resolution, legal compliance, or service integrity.
Referral attribution, commission, terms-acceptance, adjustment, and payout audit records may be retained after account or workspace deletion where reasonably needed for payment reconciliation, tax and accounting obligations, fraud prevention, legal compliance, or dispute resolution. Where appropriate, account details may be minimized or separated while the required financial record is retained.
Deletion requests can be sent to [email protected] or started through the data deletion instructions. We may need to verify your identity and may retain limited records where required for security, legal compliance, or dispute resolution.
You can also revoke platform authorization directly in the relevant Google, TikTok, Meta, Instagram, or Facebook account settings. Revoking platform authorization may stop future imports but does not automatically delete existing PostFactory records unless deletion is separately requested.
11. International transfers
PostFactory and infrastructure providers may process information in countries other than where you live. Where GDPR, UK GDPR, Swiss data protection law, or similar rules apply, we use appropriate safeguards such as data processing terms, standard contractual clauses, adequacy mechanisms, or other lawful transfer mechanisms where required.
12. Security
We use technical and administrative safeguards designed to protect PostFactory data, including authenticated dashboard access, workspace-scoped records, protected storage for account authorization and credential records, access controls, and error handling designed to avoid exposing sensitive operational details. No internet service can be guaranteed perfectly secure.
13. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information.
If processing is based on consent, you may withdraw consent at any time without affecting processing that occurred before withdrawal.
EEA, UK, and Swiss users may lodge a complaint with their local data protection authority, including the Italian Data Protection Authority where applicable.
California residents may have rights to know, access, correct, delete, portability, limit use of sensitive personal information, and opt out of sale or sharing where applicable. PostFactory does not sell personal information or share it for cross-context behavioral advertising.
To exercise rights, contact [email protected]. We may need to verify your identity and may decline requests where an exception or legal obligation applies.
14. Children
PostFactory is intended for business and creator operations and is not directed to children. Do not use PostFactory if you are not old enough to form a binding agreement.
15. Automated decisions
PostFactory does not currently make automated decisions that produce legal or similarly significant effects.
16. Changes and contact
We may update this Privacy Policy as PostFactory, applicable law, or platform requirements change. Privacy questions and requests can be sent to [email protected].