TopPost Legal Hub
1 · Privacy Policy
1.1 Who we are
TopPost Pty Ltd (ABN / ACN 80 285 355 360) — "TopPost", "we", "our", "us"
Contact: [email protected]
1.2 The quick version
We collect only the data we need to let you research, draft, schedule, and publish social‑media content through our web application. We never sell it. You can revoke access or delete everything at any time.
1.3 What we collect, why, and how long we keep it
Source & Scopes | Data Items Stored | Purpose | Maximum Retention* |
---|---|---|---|
TikTok (video.upload) | OAuth token, account ID, queued media, captions, basic analytics | Enable scheduling & posting; show status | Until disconnect or account deletion (auto‑purge ≤ 30 days) |
Facebook & Instagram (pages_manage_posts, instagram_basic) | Page/IG business‑account ID, media, captions, scheduling metadata | Same | Disconnect → purge ≤ 24 h (callback) |
LinkedIn (Marketing API) | Organisation URN, post text, analytics snapshots | Same | Cached member data ≤ 24 h (profile) / 48 h (activity); org data until disconnect |
YouTube / Google (youtube.upload) | Channel ID, video file, title, description, token | Same | Disconnect → purge ≤ 30 days |
AI agent (OpenAI, Anthropic, OSS LLMs) | Text you send (posts, captions, analytics), model outputs | Generate content & recommendations | Transient in memory; logs redacted after 14 days. Not used for training unless you opt‑in. |
TopPost app | Email, name, billing info (Stripe), session ID (30‑day refresh), support chat history (Discord) | Account management, billing, support | Kept while account active; erased on deletion |
Nightly job tags stored objects with user_id + expiry_ts and removes them when retention triggers.
1.4 Legal bases
- Consent — you connect each social account via OAuth.
- Contract — processing needed to provide our service.
- Legitimate interests — security logging, service improvement, fraud prevention.
EU/UK data transfers rely on Standard Contractual Clauses (SCCs).
1.5 Your controls
- Disconnect any network under Settings → Integrations.
- Delete account & data under Settings → Account or email [email protected].
- Revoke permissions directly:
- Google — security.google.com/settings/security/permissions
- Facebook/Instagram — facebook.com/settings?tab=applications
- TikTok — tiktok.com/settings/manage-applications
- LinkedIn — linkedin.com/psettings/permitted-services
1.6 Cookies & analytics
One first‑party session cookie (toppost_session). Optional product analytics via self‑hosted PostHog. No third‑party ad cookies.
1.7 Security snapshot
- AES‑256 encryption at rest, TLS 1.3 in transit.
- AWS ap‑southeast‑2; Supabase (Postgres + S3).
- Secrets in AWS KMS; least‑privilege IAM.
- Annual penetration test, quarterly access review.
- Encrypted backups retained 30 days, cross‑region.
1.8 Data breaches
We will notify affected users and the OAIC (and EU/UK regulators, if applicable) within 72 hours of becoming aware of a notifiable breach.
1.9 Children
TopPost is not directed to anyone under 13 (or 16 in the EEA). We do not knowingly collect children's data.
1.10 Changes
Material changes will be emailed to registered users and posted here at least 7 days before taking effect.
2 · Terms of Service
- Service — TopPost lets you research, draft, schedule, and publish social‑media content; beta features may change without notice.
- Eligibility — 18+ only; you must have authority to post to any connected account.
- Your content licence — you grant us a worldwide, revocable, royalty‑free licence to store, process, and transmit your content solely to provide the service.
- Paid plans — fees billed monthly via Stripe; cancel anytime; no refunds for partial periods.
- Prohibited use — illegal content, harassment, reverse‑engineering, scraping, exceeding platform limits.
- Uptime — beta service "as‑is"; target 99 % monthly availability; no SLA.
- Termination — we may suspend or close accounts that breach these terms; you may close your account at any time.
- Liability cap — limited to fees paid in the previous 12 months.
- Indemnity — you indemnify us against claims arising from your content or actions.
- Governing law — NSW, Australia; disputes under NSW courts.
- Changes — we will notify you 7 days in advance; continued use = acceptance.
3 · Data‑Deletion Policy
Platform | Trigger | Action | Confirmation |
---|---|---|---|
Facebook / Instagram | Remove TopPost under Facebook → Settings → Apps & Websites | Meta sends signed request to https://toppost.ai/meta-delete; we purge within 24 h | JSON {url, confirmation_code} returned; email receipt |
TikTok | Click Disconnect in Integrations | Tokens & media deleted; nightly verification job | Email confirmation ≤ 24 h; 30‑day audit log |
LinkedIn | Disconnect or delete account | Cached profile/activity wiped immediately | Email confirmation |
YouTube / Google | Disconnect or revoke in Google Security Center | Tokens, drafts, analytics purged ≤ 30 days | Email confirmation |
TopPost | Delete account | All data & backups purged within 30 days | Final email |
Audit log (platform, user_id, timestamp) retained 30 days, then erased.
4 · Sub‑processors
Purpose | Provider | Region |
---|---|---|
Cloud hosting | AWS | Sydney (ap‑southeast‑2) |
Database & file storage | Supabase | Sydney |
AI inference | OpenAI / Anthropic / opt‑in premium models | US / varies |
Payments | Stripe | US/AU |
Support chat | Discord | US |
Product analytics | PostHog (self‑hosted) | Sydney |
All sub‑processors meet or exceed our security standards and sign DPAs with SCCs where required.
5 · Contact & complaints
Questions, access or deletion requests, complaints:
Email [email protected]
If you’re not satisfied with our response, you can contact the Office of the Australian Information Commissioner at oaic.gov.au, or reach out to your local data protection authority.