Postra logo Postra Back

Privacy Policy

Last updated: 9 June 2026

This Privacy Policy explains how we process the personal data of visitors to postra.co.uk and users of the Postra service, in accordance with the UK GDPR and the Data Protection Act 2018.

1. Data controller

The data controller is B K Company, a partnership established in the United Kingdom, trading as Postra.

Address: 11 Bevington Close, Midsomer Norton, Radstock BA3 2FD, United Kingdom.

For any data protection enquiry, or to exercise your rights, contact hello@postra.co.uk.

2. What data we process

3. Purposes and lawful bases

PurposeLawful basis (UK GDPR)
Providing the Service: account, scheduling, publishing, Studio, analyticsArt. 6(1)(b) — performance of a contract
Processing payments and managing subscriptionsArt. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (accounting/tax records)
AI-assisted features you choose to useArt. 6(1)(b) — performance of a contract
Security, fraud and abuse prevention, service diagnosticsArt. 6(1)(f) — legitimate interests (keeping the Service safe and reliable)
Responding to enquiries and support requestsArt. 6(1)(f) — legitimate interests
Establishing, exercising or defending legal claimsArt. 6(1)(f) — legitimate interests
Service emails (e.g. account activation, billing notices)Art. 6(1)(b) — contract
Marketing emails and non-essential cookies/analyticsArt. 6(1)(a) — consent (you can withdraw at any time)

Where we rely on legitimate interests, we have balanced those interests against your rights. You can object at any time (section 9).

4. Social platform data

To provide the Service, Postra accesses data from the platforms you connect, under the OAuth authorisation you grant. Specifically, we:

We do not sell social platform data, and we do not share it with third parties for advertising or marketing purposes. Each platform also processes your data as an independent controller under its own privacy policy (Meta, TikTok, LinkedIn, Google). You can remove Postra's access at any time in the platform's security settings or by disconnecting the account in Postra. To delete data we hold, see data deletion.

4a. YouTube API Services and Google user data

Postra's YouTube integration uses YouTube API Services. By connecting a YouTube channel you also agree to the YouTube Terms of Service. Google's handling of data accessed through these APIs is governed by the Google Privacy Policy.

Postra's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We only request the YouTube permissions needed to upload videos on your behalf and to display your channel and video analytics. We do not use Google user data for advertising, we do not sell it, and we do not allow humans to read it except with your consent, for security purposes, or as required by law. You can revoke Postra's access at any time via your Google security settings; disconnecting the channel in Postra deletes the stored tokens.

5. AI features

When you use AI-assisted features (e.g. generating post text, images or captions), the content and prompts you submit are sent to our AI provider, OpenAI (USA), to generate the output. Under our agreement with OpenAI, data submitted via the API is not used to train OpenAI's models. Avoid including unnecessary personal data in AI prompts.

6. Recipients of data

We share personal data only with providers that support the operation of the Service, under data processing agreements, and only to the extent necessary:

ProviderPurposeLocation
Amazon Web Services (AWS)Hosting and storageUnited Kingdom (London region)
Amazon SESTransactional emailEU/UK
StripePayment processingUK/USA
OpenAIAI features (section 5)USA
Sentry (Functional Software, Inc.)Error monitoringUSA company; data hosted in the EU (Frankfurt)
Grafana LabsService performance monitoring (technical metrics)United Kingdom

Social platforms you connect (Meta, TikTok, LinkedIn, Google/YouTube) receive the content you instruct us to publish and act as independent controllers. We may also disclose data where required by law.

7. International transfers

We are established in the UK and Postra's infrastructure is hosted on AWS in the UK (London region). Where a provider processes data outside the UK (e.g. in the USA), we rely on appropriate safeguards: the UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge") where the provider is certified (e.g. Stripe, Sentry), or the UK International Data Transfer Agreement (IDTA) / UK Addendum to the EU Standard Contractual Clauses (e.g. OpenAI), together with data processing agreements.

8. Data retention

DataRetention
Account data and ContentFor the life of your account; deleted within 30 days of account deletion
OAuth tokensUntil you disconnect the account or delete your Postra account
Billing recordsAs required by UK tax law (generally 6 years)
Technical logsUp to 90 days (security and diagnostics)
Support correspondenceUp to 24 months after resolution

9. Your rights

Under the UK GDPR you have the right to: access your data, rectification, erasure, restriction of processing, data portability, and to object to processing based on legitimate interests. Where processing is based on consent, you can withdraw it at any time without affecting prior processing.

To exercise any right, email hello@postra.co.uk — we respond within one month. You can also delete your account and data directly in the app — see data deletion.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, helpline 0303 123 1113. We would appreciate the chance to address your concern first.

10. Security

11. Automated decision-making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. AI features only generate content drafts that you review and decide whether to publish.

12. Children

The Service is intended for adults. We do not knowingly process the personal data of anyone under 18. If you believe a child has created an account, contact us and we will delete it.

13. Cookies and similar technologies

We use cookies and local storage that are strictly necessary for the Service to function (session, authentication, security). These do not require consent under PECR. Any non-essential cookies (e.g. analytics or marketing) will only ever be set with your prior consent, with a clear way to refuse and withdraw.

14. Changes to this policy

We may update this policy as the Service or the law changes. The current version, with the date of the last update, is always published at postra.co.uk/privacy. For material changes we will notify you by email or in-app message.