Privacy Policy
Last updated: 9 June 2026
This Privacy Policy explains how we process the personal data of visitors to postra.co.uk and users of the Postra service, in accordance with the UK GDPR and the Data Protection Act 2018.
1. Data controller
The data controller is B K Company, a partnership established in the United Kingdom, trading as Postra.
Address: 11 Bevington Close, Midsomer Norton, Radstock BA3 2FD, United Kingdom.
For any data protection enquiry, or to exercise your rights, contact hello@postra.co.uk.
2. What data we process
- Account data — email address, name/username, password (stored only as a salted hash),
- Connected social account data — profile name, identifier, profile picture and OAuth access tokens for the platforms you connect (Facebook, Instagram, LinkedIn, TikTok, YouTube and others),
- Content — posts, images, video, designs and schedules you create in the Service,
- AI feature inputs — prompts and content you submit to AI-assisted features,
- Analytics data retrieved from connected platforms (reach, engagement, statistics),
- Billing data — subscription plan, payment status and invoicing details (card details are handled by our payment processor, Stripe — we never store full card numbers),
- Support and correspondence data — messages you send us,
- Technical data — IP address, device/browser information, security and system logs.
3. Purposes and lawful bases
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Providing the Service: account, scheduling, publishing, Studio, analytics | Art. 6(1)(b) — performance of a contract |
| Processing payments and managing subscriptions | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (accounting/tax records) |
| AI-assisted features you choose to use | Art. 6(1)(b) — performance of a contract |
| Security, fraud and abuse prevention, service diagnostics | Art. 6(1)(f) — legitimate interests (keeping the Service safe and reliable) |
| Responding to enquiries and support requests | Art. 6(1)(f) — legitimate interests |
| Establishing, exercising or defending legal claims | Art. 6(1)(f) — legitimate interests |
| Service emails (e.g. account activation, billing notices) | Art. 6(1)(b) — contract |
| Marketing emails and non-essential cookies/analytics | Art. 6(1)(a) — consent (you can withdraw at any time) |
Where we rely on legitimate interests, we have balanced those interests against your rights. You can object at any time (section 9).
4. Social platform data
To provide the Service, Postra accesses data from the platforms you connect, under the OAuth authorisation you grant. Specifically, we:
- retrieve profile data (name, identifier, profile picture) to display your connected accounts,
- publish content on your behalf to the platforms you select,
- retrieve analytics data (reach, reactions, comments) to present statistics,
- store OAuth access tokens encrypted at rest — and delete them when you disconnect an account or delete your Postra account.
We do not sell social platform data, and we do not share it with third parties for advertising or marketing purposes. Each platform also processes your data as an independent controller under its own privacy policy (Meta, TikTok, LinkedIn, Google). You can remove Postra's access at any time in the platform's security settings or by disconnecting the account in Postra. To delete data we hold, see data deletion.
4a. YouTube API Services and Google user data
Postra's YouTube integration uses YouTube API Services. By connecting a YouTube channel you also agree to the YouTube Terms of Service. Google's handling of data accessed through these APIs is governed by the Google Privacy Policy.
Postra's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We only request the YouTube permissions needed to upload videos on your behalf and to display your channel and video analytics. We do not use Google user data for advertising, we do not sell it, and we do not allow humans to read it except with your consent, for security purposes, or as required by law. You can revoke Postra's access at any time via your Google security settings; disconnecting the channel in Postra deletes the stored tokens.
5. AI features
When you use AI-assisted features (e.g. generating post text, images or captions), the content and prompts you submit are sent to our AI provider, OpenAI (USA), to generate the output. Under our agreement with OpenAI, data submitted via the API is not used to train OpenAI's models. Avoid including unnecessary personal data in AI prompts.
6. Recipients of data
We share personal data only with providers that support the operation of the Service, under data processing agreements, and only to the extent necessary:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting and storage | United Kingdom (London region) |
| Amazon SES | Transactional email | EU/UK |
| Stripe | Payment processing | UK/USA |
| OpenAI | AI features (section 5) | USA |
| Sentry (Functional Software, Inc.) | Error monitoring | USA company; data hosted in the EU (Frankfurt) |
| Grafana Labs | Service performance monitoring (technical metrics) | United Kingdom |
Social platforms you connect (Meta, TikTok, LinkedIn, Google/YouTube) receive the content you instruct us to publish and act as independent controllers. We may also disclose data where required by law.
7. International transfers
We are established in the UK and Postra's infrastructure is hosted on AWS in the UK (London region). Where a provider processes data outside the UK (e.g. in the USA), we rely on appropriate safeguards: the UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge") where the provider is certified (e.g. Stripe, Sentry), or the UK International Data Transfer Agreement (IDTA) / UK Addendum to the EU Standard Contractual Clauses (e.g. OpenAI), together with data processing agreements.
8. Data retention
| Data | Retention |
|---|---|
| Account data and Content | For the life of your account; deleted within 30 days of account deletion |
| OAuth tokens | Until you disconnect the account or delete your Postra account |
| Billing records | As required by UK tax law (generally 6 years) |
| Technical logs | Up to 90 days (security and diagnostics) |
| Support correspondence | Up to 24 months after resolution |
9. Your rights
Under the UK GDPR you have the right to: access your data, rectification, erasure, restriction of processing, data portability, and to object to processing based on legitimate interests. Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any right, email hello@postra.co.uk — we respond within one month. You can also delete your account and data directly in the app — see data deletion.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, helpline 0303 123 1113. We would appreciate the chance to address your concern first.
10. Security
- social account access tokens are encrypted at rest; passwords are stored only as salted hashes,
- data is encrypted in transit (TLS),
- infrastructure runs in AWS's London region with access controls and least-privilege roles,
- we monitor the Service for errors and abuse and apply rate limiting and account lockout protections.
11. Automated decision-making
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. AI features only generate content drafts that you review and decide whether to publish.
12. Children
The Service is intended for adults. We do not knowingly process the personal data of anyone under 18. If you believe a child has created an account, contact us and we will delete it.
13. Cookies and similar technologies
We use cookies and local storage that are strictly necessary for the Service to function (session, authentication, security). These do not require consent under PECR. Any non-essential cookies (e.g. analytics or marketing) will only ever be set with your prior consent, with a clear way to refuse and withdraw.
14. Changes to this policy
We may update this policy as the Service or the law changes. The current version, with the date of the last update, is always published at postra.co.uk/privacy. For material changes we will notify you by email or in-app message.