This Privacy Policy explains how UniPost ("UniPost," "we," "us," or "our") collects, uses, discloses, and safeguards information when you access or use the UniPost platform, website, API, and related services (collectively, the "Service").
If you do not agree with the practices described in this Privacy Policy, please do not use the Service.
Summary of Key Points
- We collect only the data necessary to operate a social media API platform.
- Social media access tokens are encrypted at rest using AES-256-GCM.
- We do not store social media passwords — only encrypted OAuth tokens.
- Payment information is handled entirely by Stripe.
- We do not sell personal data and do not use advertising trackers.
- Content is published to third-party platforms on your behalf; we do not host published content.
1. Information We Collect
1.1 Information You Provide
When you register for or use the Service, we may collect:
- Name and email address (via Clerk authentication)
- Account preferences and project settings
- Communications you send to us
1.2 Social Media Account Data
When you connect social media accounts, we collect and store:
- OAuth access tokens and refresh tokens (encrypted with AES-256-GCM)
- Platform account identifiers (e.g., Bluesky DID, LinkedIn person URN)
- Account display name and avatar URL
- Platform-specific metadata needed for posting
We never store social media passwords or app passwords. For Bluesky, the app password is used only to create a session and is immediately discarded.
1.3 API Usage Data
- API request logs (method, path, status, duration)
- Post content and media URLs you submit via the API
- Post results and platform response data
- Monthly usage counts for billing purposes
1.4 Billing Information
All payment processing is handled by Stripe. We store only:
- Stripe customer ID and subscription ID
- Subscription plan and billing status
We do not store credit card numbers or payment instrument details. See Stripe's Privacy Policy.
2. How We Use Your Information
- Provide, operate, and maintain the Service
- Authenticate users and manage accounts
- Connect and manage social media accounts on your behalf
- Publish content to social platforms via their APIs
- Process subscriptions and enforce usage limits
- Deliver webhook notifications
- Refresh expiring OAuth tokens automatically
- Send service-related notifications
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
3. Sharing of Information
We share information only in the following limited circumstances:
Service Providers
- Clerk — authentication and user identity
- Stripe — subscription billing and payments
- Railway — API server hosting
- Vercel — dashboard and website hosting
- Social platforms — content is published to platforms you connect (Bluesky, LinkedIn, Instagram, Threads, TikTok, YouTube)
Legal Requirements
We may disclose information if required by law, subpoena, court order, or governmental request.
We do not sell personal information and do not share data with advertisers.
4. Cookies and Tracking
We use essential cookies only, primarily for authentication and session management via Clerk.
We do not use:
- Advertising cookies
- Cross-site tracking
- Behavioral profiling
5. Data Retention
- Account and project data: retained while your account is active
- Social media tokens: retained while the account is connected; deleted on disconnect
- Post records and results: retained while your account is active
- API request logs: retained for up to 90 days
Upon account deletion, personal data and tokens are removed within 30 days, unless retention is required by law.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal information
- Correct inaccurate information
- Request deletion of your personal data
- Export your data
- Disconnect social media accounts at any time
Requests may be submitted to support@unipost.dev.
7. Security
We implement industry-standard safeguards, including:
- Encrypted data transmission (HTTPS)
- AES-256-GCM encryption for social media tokens at rest
- SHA-256 hashing for API keys (plaintext never stored)
- Secure authentication via Clerk
- Payment data handled exclusively by Stripe (PCI-compliant)
- Structured JSON logging for security monitoring
8. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children.
9. International Data Transfers
UniPost is hosted in the United States. By using the Service, you acknowledge that your data will be processed and stored in the United States.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be posted on this page with an updated "Last updated" date.