PostClaw Privacy Policy

Last updated: April 9, 2026

1. Introduction

Cassau, LLC ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform PostClaw at postclaw.fun ("the Service").

This policy complies with the General Data Protection Regulation (GDPR) and other applicable privacy laws. If you are located in the European Economic Area, you have additional rights described in Section 8.

2. Data We Collect

We collect information you provide directly, data generated by your use of the Service, and information from third-party integrations.

Information you provide

  • Account information: name, email address, password (hashed).
  • Profile data: company name, profile photo, timezone.
  • Payment information: processed by Stripe; we store only the last 4 digits and billing address.
  • Content you create: posts, captions, media, and workflow configurations.

Automatically collected data

  • Usage data: pages visited, features used, click patterns.
  • Device data: IP address, browser type, operating system.
  • Cookies and similar tracking technologies (see our Cookie Policy).

Third-party integrations

  • OAuth tokens for connected social media accounts (stored encrypted with AES-256-GCM).
  • Analytics data from social platforms you connect.

3. How We Use Your Data

We use collected data to:

  • Provide, operate, and improve the Service.
  • Process transactions and send related information such as purchase confirmations.
  • Send administrative communications (service updates, security alerts).
  • Send marketing communications where you have opted in.
  • Analyze usage patterns to improve user experience.
  • Comply with legal obligations and enforce our Terms of Service.

Our legal basis for processing under GDPR is: contract performance (account and subscription), legitimate interests (product improvement and security), legal obligation, and consent (marketing emails).

4. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: Stripe (payments), AWS (infrastructure), Resend (email), and similar vendors who process data on our behalf under data processing agreements.
  • Social platforms: Content you publish is shared with the social media platforms you choose.
  • Legal requirements: We may disclose data if required by law, court order, or government request.
  • Business transfers: In the event of a merger or acquisition, your data may be transferred as a business asset.

5. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with legal obligations:

  • Account data: retained for the duration of your account plus 90 days after deletion.
  • Published posts and analytics: retained for 24 months after publication.
  • Billing records: retained for 7 years as required by financial regulations.
  • Server logs: retained for 30 days.

6. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256-GCM encryption at rest for sensitive credentials, regular security audits, and access controls. However, no method of transmission over the internet is 100% secure.

7. International Transfers

Your data may be transferred to and processed in countries outside your own, including the United States. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

8. Your Rights (GDPR & Others)

Depending on your location, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we limit processing of your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent for marketing at any time.

To exercise these rights, contact us at contact@postclaw.fun. We will respond within 30 days.

9. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

10. Contact

For privacy-related inquiries, contact us at contact@postclaw.fun or through our contact page.

Mailing address:
Cassau, LLC
131 Continental Dr, Suite 305
Newark, DE 19713, USA

11. Google API Services User Data Policy

PostClaw's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google user data we access

When you connect a YouTube account, PostClaw requests the following OAuth scopes:

  • openid, userinfo.email, userinfo.profile — to identify your account and display your name, email, and avatar within PostClaw.
  • youtube.upload — to upload and publish new videos to your YouTube channel on your behalf, according to the schedule you set in PostClaw.
  • youtube.force-ssl — to list your existing videos, update video metadata (title, description, thumbnail), delete videos you scheduled through PostClaw, and moderate comments on those videos.

How we use Google user data

Google user data is used exclusively to provide the social media scheduling and publishing features you explicitly configure in PostClaw. We do not use Google user data for any other purpose.

Limited Use disclosure

PostClaw complies with Google's Limited Use requirements:

  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data, except (a) with your explicit consent for support purposes, (b) when necessary for security or to comply with applicable law, or (c) when the data has been aggregated and anonymized.
  • We do not transfer or sell Google user data to third parties, data brokers, or information resellers.
  • We do not use Google user data to train, fine-tune, or develop any generalized AI or machine learning models.

Data storage and deletion

OAuth refresh tokens for Google accounts are stored encrypted with AES-256-GCM. When you disconnect a YouTube account or delete your PostClaw account, all associated Google tokens and cached YouTube data are permanently deleted within 7 days.

You can revoke PostClaw's access to your Google Account at any time by visiting myaccount.google.com/permissions.

12. Third-Party Social Platforms

PostClaw is a social media scheduling service. When you connect accounts from third-party social platforms, we access, process, and transmit data to those platforms on your behalf. Your use of each platform's data remains subject to that platform's own terms and privacy policy.

Platforms we integrate with

PostClaw supports publishing to the following platforms. Each integration uses the minimum OAuth scopes required to deliver the scheduling and analytics features you enable:

Data we access and use

For every connected platform we access only what is needed to deliver features you enable:

  • Identity data — profile name, profile photo, account ID, and list of pages or channels you manage, to let you select a destination for your posts.
  • Publishing permissions — the ability to create posts, videos, stories, comments, and media uploads on accounts you explicitly connect.
  • Post results — the platform-assigned post ID and basic success/failure status returned after publication.
  • Engagement metadata — where enabled by you, high-level metrics (likes, comments, reach) used to display analytics inside PostClaw.

How we handle platform data

  • Access and refresh tokens are stored encrypted at rest with AES-256-GCM and are never shared with third parties.
  • We do not sell platform data, transfer it to data brokers, or use it for advertising.
  • We do not use content or engagement data retrieved from connected social platforms to train, fine-tune, or develop generalized AI or machine learning models.
  • We access platform data only while the account is connected and only to perform actions you have explicitly configured.
  • When you disconnect an account or delete your PostClaw account, we revoke tokens and delete associated cached platform data within 7 days, except where retention is required by law (for example, financial records).
  • You may revoke PostClaw's access at any time from the connected platform's own authorized-apps settings (for example, Meta Business Integrations, X Connected Apps).

13. AI and Machine Learning

PostClaw offers optional AI-assisted features such as caption suggestions, image generation, and content repurposing. When you use these features, your inputs are sent to the AI model provider(s) configured for your account.

  • We do not use your content, connected social platform data, or Google user data to train, fine-tune, or develop any generalized AI or machine learning models operated by PostClaw.
  • Inputs you submit to AI features are processed by upstream providers solely to return a result to you. We select providers that offer a "no-training" commitment for API data or operate under equivalent enterprise agreements.
  • You are solely responsible for reviewing AI-generated content before publishing it to any social platform.
  • If you "bring your own key" (BYOK) for an AI provider, data handling is additionally governed by that provider's terms.

14. Subprocessors

We engage the following third-party subprocessors to operate the Service. All subprocessors are bound by written data processing agreements:

  • Amazon Web Services (AWS) — cloud infrastructure, database, and file storage (United States, European Union regions).
  • Cloudflare — content delivery network, DDoS protection, DNS (global).
  • Stripe — payment processing and subscription billing (United States).
  • Resend — transactional email delivery (United States).
  • AI model providers — Google Gemini, OpenAI, Anthropic, DeepSeek, Together AI, ElevenLabs, Fish Audio, MiniMax, Kling, and similar services, used only when you invoke an AI-assisted feature.

We update this list when subprocessors change. Subscribe to product updates or contact privacy@postclaw.fun to be notified of material changes.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with additional rights regarding personal information we collect about you.

Categories of personal information we collect

In the preceding twelve months, we have collected the categories of personal information described in Section 2 of this policy, including identifiers, commercial information, internet activity, and inferences used to provide and improve the Service.

Your California rights

  • Right to know — request disclosure of the personal information we have collected, used, and shared about you.
  • Right to delete — request deletion of personal information we have collected from you, subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell your personal information and do not share it for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information — where applicable.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email privacy@postclaw.fun. We will respond within the timeframes required by law.

16. Data Breach Notification

We maintain incident response procedures to detect, contain, and investigate security incidents. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify affected users and applicable supervisory authorities without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Articles 33–34 and other applicable laws.