Privacy Policy

TOPPOST PRIVACY POLICY
Last Updated: February 2026
WHO WE ARE
TopPost.ai (ABN / ACN 80 285 355 360), referred to as "TopPost", "we", "our", or "us", operates under the business name Rory Chockman. If you have any privacy-related questions or concerns, please contact us at privacy@toppost.ai.
THE QUICK VERSION
We collect only the data we need to let you research, draft, schedule, and publish social media content through our web application. We never sell your data. You can revoke access or delete everything at any time.
WHAT WE COLLECT, WHY, AND HOW LONG WE KEEP IT
TikTok Integration
When you connect your TikTok account using the video.upload scope, we store your OAuth token, account ID, queued media, captions, and basic analytics. This allows us to enable scheduling and posting functionality and show you the status of your posts. We retain this data until you disconnect your account or delete it, with automatic purging occurring within 30 days of disconnection.
Facebook and Instagram Integration
For Facebook and Instagram connections using the pages_manage_posts and instagram_basic scopes, we store your Page ID, Instagram business account ID, media files, captions, and scheduling metadata. This serves the same purpose as above. When you disconnect these services, we purge all related data within 24 hours through Meta's callback system.
LinkedIn Integration
When you connect LinkedIn through their Marketing API, we store your Organisation URN, post text, and analytics snapshots to enable the same scheduling and posting capabilities. We cache member profile data for up to 24 hours and activity data for up to 48 hours, while organisation data is retained until you disconnect the service.
YouTube and Google Integration
For YouTube and Google connections using the youtube.upload scope, we store your Channel ID, video files, titles, descriptions, and authentication tokens. Upon disconnection, all data is purged within 30 days.
AI Agent Functionality
Our AI agent functionality, powered by OpenAI, Anthropic, and other open-source large language models, processes the text you send including posts, captions, and analytics data, along with the model outputs. This enables us to generate content and provide recommendations. This data is transient and kept in memory only, with logs being redacted after 14 days. Your data is not used for model training unless you explicitly opt in.
TopPost Application Data
Within the TopPost application itself, we store your email address, name, billing information through Stripe, session ID with a 30-day refresh period, and support chat history through Discord. This information is necessary for account management, billing, and customer support. We keep this data while your account is active and erase it upon account deletion.
We run nightly jobs that tag stored objects with your user ID and expiry timestamp, automatically removing them when retention periods are triggered.
LEGAL BASES FOR PROCESSING
We process your data based on three legal grounds. First, we obtain your consent when you connect each social media account via OAuth. Second, we process data as necessary to fulfill our contract with you and provide our service. Third, we rely on our legitimate interests for security logging, service improvement, and fraud prevention.
For data transfers to and from the European Union and United Kingdom, we rely on Standard Contractual Clauses (SCCs) as approved by relevant regulatory authorities.
YOUR CONTROLS AND RIGHTS
You have full control over your data. You can disconnect any social network under Settings → Integrations in your TopPost account. To delete your account and all associated data, visit Settings → Account or email us at privacy@toppost.ai.
You can also revoke permissions directly through each platform:
Google services: Visit security.google.com/settings/security/permissions
Facebook and Instagram: Go to facebook.com/settings?tab=applications
TikTok: Visit tiktok.com/settings/manage-applications
LinkedIn: Access linkedin.com/psettings/permitted-services
COOKIES AND ANALYTICS
We use only one first-party session cookie called toppost_session. We also employ optional product analytics through a self-hosted instance of PostHog. We do not use any third-party advertising cookies.
SECURITY MEASURES
We implement robust security measures to protect your data. All data is encrypted with AES-256 at rest and TLS 1.3 in transit. We host our services on AWS in the Sydney region (ap-southeast-2) and use Supabase for database and file storage (Postgres and S3). All secrets are managed through AWS Key Management Service (KMS), and we follow least-privilege principles for Identity and Access Management (IAM).
We conduct annual penetration tests and quarterly access reviews to maintain security standards. All backups are encrypted and retained for 30 days with cross-region redundancy.
DATA BREACH NOTIFICATION
In the event of a data breach, we will notify all affected users and the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of a notifiable breach. If applicable, we will also notify relevant EU and UK regulatory authorities within the same timeframe.
CHILDREN'S PRIVACY
TopPost is not directed to anyone under 13 years of age, or under 16 years of age in the European Economic Area. We do not knowingly collect personal information from children.
DATA DELETION POLICY
Facebook and Instagram
When you remove TopPost under Facebook → Settings → Apps & Websites, Meta sends us a signed deletion request to https://toppost.ai/meta-delete. We purge all associated data within 24 hours. You will receive a JSON response containing a URL and confirmation code, followed by an email receipt.
TikTok
When you click Disconnect in your Integrations settings, we immediately delete all tokens and media files. Our nightly verification job confirms the deletion. You will receive email confirmation within 24 hours, and we maintain a 30-day audit log of the deletion.
LinkedIn
When you disconnect your LinkedIn account or delete your TopPost account, we immediately wipe all cached profile and activity data. You will receive email confirmation of the deletion.
YouTube and Google
When you disconnect your account or revoke access through the Google Security Center, we purge all tokens, drafts, and analytics data within 30 days. You will receive email confirmation of the deletion.
TopPost Account Deletion
When you delete your TopPost account, we purge all data and backups within 30 days. You will receive a final confirmation email once the process is complete.
For accountability purposes, we maintain an audit log containing the platform name, user ID, and timestamp for 30 days after deletion, after which the audit log itself is erased.
SUB-PROCESSORS
We work with carefully selected sub-processors to provide our services:
For cloud hosting, we use Amazon Web Services (AWS) in the Sydney region (ap-southeast-2). Our database and file storage are provided by Supabase, also located in Sydney.
For AI inference capabilities, we use OpenAI and Anthropic, with optional premium models that may be processed in the United States or other regions. Payment processing is handled by Stripe, operating in the US and Australia.
Customer support chat is provided through Discord, based in the United States. For product analytics, we use a self-hosted instance of PostHog in Sydney.
All sub-processors meet or exceed our security standards and have signed Data Processing Agreements (DPAs) with Standard Contractual Clauses where required for international data transfers.
CHANGES TO THIS POLICY
If we make material changes to this privacy policy, we will email all registered users and post the changes here at least 7 days before they take effect.
CONTACT AND COMPLAINTS
For any questions, access requests, deletion requests, or complaints regarding your privacy and data protection, please email us at privacy@toppost.ai.
If you are not satisfied with our response, you have the right to contact the Office of the Australian Information Commissioner at oaic.gov.au, or reach out to your local data protection authority if you are located outside Australia.