Privacy Policy
Effective date:
Caelpost (“we”, “us”, “our”) operates https://caelpost.com. This policy describes what personal data we collect, why we collect it, how we use it, and your rights over it. We keep this plain and specific — no boilerplate walls of text.
1. Data We Collect
Account & Identity
- Name, email address, and profile photo — provided when you sign up via Clerk.
- Organisation name and team member emails if you create a workspace.
- Authentication tokens (access & refresh) for social platforms you connect.
Content You Create
- Post drafts, captions, scheduled dates, and platform-specific overrides.
- Media files (images, videos) you upload — stored in Vercel Blob Storage.
- Templates, queue settings, and calendar preferences.
Social Platform Data
When you connect a social account (Instagram, X, LinkedIn, etc.) we receive and store only what is needed to publish on your behalf:
- Account handle, display name, avatar URL, and follower count.
- OAuth access tokens and (where applicable) refresh tokens. These are encrypted at rest in our database.
- Published post IDs returned by the platform after a successful publish.
We do not read your social media inboxes, follower lists, or any content beyond what is explicitly required for scheduling and publishing.
Usage & Telemetry
- Anonymous page views and feature interaction events via Vercel Analytics — no personally identifiable information is attached.
- Error and performance logs collected server-side. These include request paths and timestamps but not request bodies.
- IP address and user-agent string — logged by our infrastructure provider for security purposes and retained for 30 days.
Billing
Payment processing is handled entirely by Stripe. We never see or store your full card number. We store your Stripe Customer ID and subscription status to manage your plan.
2. How We Use Your Data
| Providing the service | Scheduling and publishing posts to connected social accounts on your behalf. | Contract performance |
| Authentication | Verifying your identity through Clerk on every request. | Contract performance |
| Token refresh | Automatically refreshing expiring OAuth tokens so your connected accounts stay active. | Contract performance |
| Notifications | Emailing you about publish failures, approaching token expiry, or account activity. | Legitimate interest |
| Product improvement | Aggregated, anonymised analytics to understand which features are used. | Legitimate interest |
| Security & abuse prevention | Detecting unusual access patterns, rate-limiting, and blocking malicious actors. | Legitimate interest / Legal obligation |
| Legal compliance | Responding to lawful requests from regulators or courts. | Legal obligation |
We do not sell, rent, or trade your personal data to third parties. We do not use your content to train AI/ML models.
3. Third-Party Services We Use
| Clerk | Authentication & session management | clerk.com/privacy |
| Neon (PostgreSQL) | Database hosting — all data stored in US East | neon.tech/privacy |
| Vercel | Hosting, edge functions, blob storage, analytics | vercel.com/legal/privacy-policy |
| Stripe | Subscription billing | stripe.com/privacy |
| Meta (Instagram, Facebook) | Publishing via Graph API | facebook.com/privacy |
| X (Twitter) | Publishing via API v2 | x.com/privacy |
| LinkedIn, Reddit, YouTube, etc. | Publishing via respective APIs | Each platform's privacy policy applies |
Each sub-processor is contractually required to protect data in accordance with applicable law. We perform due diligence before adding any new sub-processor.
4. Data Retention
- Active accounts: All data is retained while your account is active.
- Deleted posts: Removed from our database within 30 days of deletion.
- Disconnected channels: OAuth tokens are deleted immediately when you disconnect a channel. Profile metadata is removed within 7 days.
- Closed accounts: All personal data is deleted within 30 days of account closure, except where we are required by law to retain it (e.g. billing records for 7 years in some jurisdictions).
- Backups: Database backups are retained for up to 30 days, after which deleted data is fully purged.
5. Security
- All data in transit is encrypted with TLS 1.2 or higher.
- OAuth tokens are stored encrypted at rest in our database.
- Access to production databases is restricted to authorised engineers only, over VPN, with MFA enforced.
- We use short-lived session tokens (managed by Clerk) and rotate OAuth tokens before expiry.
- Security incidents are disclosed to affected users within 72 hours of confirmation.
If you discover a security vulnerability, please report it to security@caelpost.com. We do not take legal action against good-faith security researchers.
6. Your Rights
Depending on your location, you may have the following rights. To exercise any of them, email privacy@caelpost.com. We respond within 30 days.
| Access | Request a copy of all personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure ("right to be forgotten") | Request deletion of your personal data. |
| Portability | Receive your data in a structured, machine-readable format (JSON). |
| Restriction | Ask us to restrict processing while a complaint is resolved. |
| Object | Object to processing based on legitimate interests. |
| Withdraw consent | Disconnect any social account at any time from the Channels page. |
8. Children
Caelpost is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, contact us immediately at privacy@caelpost.com and we will delete it promptly.
9. International Transfers
Our infrastructure is primarily located in the United States (Vercel, Neon). If you are located in the EU/EEA or UK, your data is transferred to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable. We only use sub-processors who provide adequate data-transfer safeguards.
10. Changes to This Policy
We may update this policy from time to time. For material changes we will notify you by email and/or a banner in the dashboard at least 14 days before the change takes effect. Continued use of Caelpost after that date constitutes acceptance of the updated policy. The current effective date is always shown at the top of this page.
11. Contact
For privacy questions, data requests, or complaints:
Caelpost Privacy Team
Email: privacy@caelpost.com
You also have the right to lodge a complaint with your local data protection authority (e.g. ICO in the UK, or your EU supervisory authority).