Privacy Policy
This Privacy Policy explains how Wicflow Oy ("we", "us", "Wicflow") collects, uses, and protects information when you use Postiz, our social media scheduling platform available at postiz.wicflow.com (the "Service"). By using Postiz, you agree to this Policy.
1. Data Controller
Wicflow Oy (Y-tunnus: 3590597-7)
Helsinki, Finland
Email: info@wicflow.com
2. Information We Collect
a) Account Information
- Name and email address
- Password (stored in hashed form; we never see your plaintext password)
- Organization or company name
- Profile picture (optional)
b) Connected Social Media Accounts
When you connect a Facebook Page, Instagram Business account, LinkedIn profile or Company Page, X (Twitter) account, TikTok account, YouTube channel, or any other supported platform, we collect and store:
- OAuth access tokens and refresh tokens (encrypted at rest)
- Account / page / channel IDs and usernames
- Display name and profile picture
- The specific permissions you granted
- Account or page metadata required to publish content (e.g., available post types, posting limits)
We never collect or store the passwords of your social media accounts.
c) Content You Submit
- Posts, captions, hashtags, images, videos, and other media you upload or schedule
- Scheduling metadata (publish times, target accounts, draft and published status)
- Comments and replies you choose to manage through Postiz
d) Usage Data
- Login timestamps and IP address
- Browser type and device information
- Service interaction logs used for security, debugging, and abuse prevention
3. How We Use Your Data
We use your data exclusively to:
- Authenticate you and operate the Service
- Publish content you have scheduled to the social media accounts you have connected
- Display engagement data (comments, replies, basic insights) inside your dashboard
- Provide customer support
- Detect abuse, fraud, and security incidents
- Comply with legal obligations
We never use your data for advertising, profiling, resale, or training of AI/ML models.
4. Meta Platform Data (Facebook & Instagram)
When you connect a Facebook Page or Instagram Business account, Postiz uses the following permissions only to provide the scheduling, publishing, and engagement features you have explicitly enabled:
pages_show_list— list your Facebook Pages so you can choose which to connectpages_read_engagement— read basic Page metadata (name, profile picture) to display the connected Pagepages_manage_posts— publish posts you have scheduled in Postizpages_manage_engagement— read and reply to comments on your posts from inside Postizbusiness_management— list Pages managed under your Business Managerinstagram_basic— display your connected Instagram Business accountinstagram_content_publish— publish posts and reels you have scheduled to your Instagram Business account
We comply with Meta's Platform Terms and Developer Policies.
We do not share, sell, lease, or transfer Meta Platform Data to any third party except as strictly necessary to provide the Service to you (e.g., transmitting your scheduled post to Facebook so it can be published).
You can revoke our access to your Meta accounts at any time:
- Facebook: facebook.com/settings → Apps and Websites
- Instagram: Settings → Apps and Websites → Active
When you disconnect a Meta account in Postiz, or delete your Postiz account entirely, all associated tokens and Meta Platform Data are deleted from our systems within 30 days.
5. LinkedIn, X, TikTok, YouTube and Other Platforms
The same principles apply to every platform Postiz supports. Data from each connected platform is used only to operate the features you have enabled, is not shared with any third party, and is deleted when you disconnect the account or delete your Postiz account.
6. Data Sharing
We do not sell your data. We share data only with:
- The social media platforms you have connected (in order to publish your content there)
- Hosting and infrastructure providers located within the European Union (Hostinger)
- Email delivery providers, used solely for transactional emails (account confirmation, password reset, etc.)
All processors are bound by GDPR-compliant data processing agreements.
7. Legal Basis (GDPR)
- Performance of contract — operating the Service for you
- Legitimate interest — security, fraud prevention, and service improvement
- Consent — for any optional features or marketing communications
Under the GDPR (EU 2016/679), you have the right to access, correct, or delete your personal data at any time.
8. Data Storage and Security
- Servers located within the European Union (Hostinger)
- All access tokens and sensitive credentials encrypted at rest
- HTTPS/TLS enforced for all connections
- Industry-standard security practices (least-privilege access, regular updates, audit logging)
9. Data Retention
- Account data: kept while your account is active
- Connected accounts and tokens: kept until you disconnect them or delete your account
- Published post records: kept for 12 months for your reference
- Backups: rotated and deleted within 30 days
On account deletion, all personal data and connected platform data is permanently deleted within 30 days.
10. Your Rights (GDPR)
You have the right to:
- Access your personal data
- Request correction or deletion
- Object to or restrict processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent at any time
- File a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi)
To exercise any of these rights, email info@wicflow.com or follow the steps at /data-deletion.
11. Children
Postiz is not intended for users under 13 years old. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to This Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be communicated to active users by email.
13. Contact
For privacy questions or requests:
Wicflow Oy
Helsinki, Finland
Email: info@wicflow.com