Privacy Policy

Posttar.com

The Privacy Policy of Posttar.com (“Posttar” or “Company”) was last updated in March 2026.

In order to protect fundamental rights of freedom, privacy and the free development of the natural person's personality, Posttar has prepared this Privacy Policy, in compliance with Brazil's General Data Protection Law (LGPD) – Law No. 13,709/2018, and international best practices including the GDPR.

It is important to take a moment to familiarize yourself with our privacy practices and contact us if you have questions.

For us, it is important to be transparent about the processing of personal data of Users who use the services offered by Posttar, pursuant to Article 9 of the LGPD. This Policy applies when the User uses the website posttar.com and/or the Posttar application (collectively, “Services”).

Additionally, this Policy has been structured to comply with Google's requirements regarding the use of Google User data obtained through Google APIs (such as YouTube Data API and YouTube Analytics API), as well as Meta's requirements regarding the use of Instagram User data obtained through the Instagram Graph API.

1. Policy Availability

This Privacy Policy:

• is made available on a dedicated page, in HTML text format, on a domain owned by Posttar;
• is accessible from the homepage and prominent locations within the application;
• will be updated whenever there are relevant changes to personal data processing practices, especially regarding the use of Google User data and Instagram User data.

2. Accuracy of Information

All information provided by the User to Posttar, especially personal data, must be truthful and cannot violate Brazilian legislation, particularly the LGPD.

If Posttar verifies that the information provided is untruthful, it may delete such personal data and terminate the User's account, without prejudice to other applicable measures.

3. What are Personal Data and Sensitive Data?

For purposes of this Policy:

• Personal Data is information that can be used to identify a natural person, directly or indirectly.
• Sensitive Personal Data, according to the LGPD, consists of information about racial or ethnic origin, religious conviction, political opinion, union membership, health or sex life data, genetic or biometric data, among others.

As a rule, Posttar does not require Sensitive Personal Data for use of the Services.

4. Company as Controller

Posttar acts as the Controller of the collected Personal Data, meaning the Company is responsible for decisions regarding the processing of its Users' Personal Data, under the terms of the LGPD.

5. What Types of Personal Data are Collected?

5.1. Data provided directly by the User (Registration)

To use the Services, the User must complete a registration, providing at minimum:

• full name;
• email;
• WhatsApp number (optional, for reports and summaries).

Depending on the plan or features, additional data may be collected, such as billing information, usage preferences, and brand/company profile information.

5.2. Browsing and usage data

We may automatically collect technical and usage information such as:

• IP address, browser type, operating system;
• pages accessed, date and time of access;
• device identifiers;
• activity logs within the platform.

5.3. Instagram User Data (Instagram Graph API)

For Instagram integration, Posttar requests authorization to access your Instagram account data through the Instagram Graph API. This may include: profile information, follower count, posts (captions, media, metadata), post metrics (views, likes, comments, shares, saves), and access tokens.

Instagram User Data is used exclusively to:

• connect your Instagram account to Posttar;
• retrieve your content and metrics for display, analysis and organization;
• create, publish or schedule content on your Instagram when requested;
• generate reports, dashboards and content performance insights;
• maintain and improve integration-related functionalities.

5.4. Google User Data (Google APIs, including YouTube)

For Google integration (such as YouTube), Posttar may request authorization to access your Google account data through Google APIs. This may include: basic profile information, YouTube channel data, video metadata, analytics metrics, and access/refresh tokens.

Google User Data is used exclusively for the same purposes described in section 5.3.

6. Legal Bases and Purposes of Processing

The User's registration and use of Posttar's main features are subject to the legal basis of contract execution (Art. 7, V, VI, LGPD). For accessing Google and Instagram User Data, Posttar relies on your express consent given through the respective platforms' OAuth authorization screens, which can be revoked at any time.

7. How Does Posttar Store Personal Data?

Posttar uses Supabase (database and authentication) and Vercel (application hosting) services, which utilize Amazon AWS infrastructure. Any international transfer of personal data complies with Article 33 of the LGPD.

8. Automated Processing and Recommendations

Posttar may use User-provided information to recommend content, suggest publishing strategies, and generate or adapt content using artificial intelligence, always based on data and instructions provided by the User themselves.

9. Who Do We Share Data With?

Posttar does not sell Users' personal data. We may share data with infrastructure providers, analytics tools, AI providers (for content features), and contracted partners — all acting as data processors under contractual obligations. We do not sell, transfer for advertising, marketing profiling, data brokering, credit analysis, or AI model training any Google or Instagram User Data.

10. Permitted and Prohibited Uses of Third-Party Platform Data

Posttar uses Google and Instagram User Data only to provide and maintain application features dependent on those integrations. Posttar does NOT use such data for targeted advertising, retargeting, data brokering, credit determination, or training AI models.

11. How Does Posttar Ensure Information Security?

Measures include: TLS/SSL encryption, Row Level Security (RLS), encrypted access tokens with automatic renewal, restricted access controls, security monitoring, and internal information security policies.

12. Browsers and Google Analytics

Google Analytics collects anonymized information about site trends without identifying individual visitors. No names, emails, or phone numbers are collected by Google Analytics.

13. Data Retention and Deletion

Personal Data is processed during the provision of Services. After termination, data may be retained for up to 3 years per Brazilian Civil Code prescriptive periods, or longer when required by law. Google and Instagram User Data is retained only as long as necessary; upon disconnection or permission revocation, Posttar will make reasonable efforts to delete or anonymize stored data.

14. User Rights (Data Subject)

Under Article 18 of the LGPD, the User may request at any time via contato@posttar.com: confirmation of processing, access, correction, anonymization/blocking/ deletion, portability, information about shared entities, consent revocation, and more. Posttar will respond within 5 business days.

15. Changes to this Privacy Policy

Posttar commits to updating this Policy and informing Users of relevant changes via the website, application, or email. Significant changes in Google or Instagram User Data usage may require new consent.

16. Data Protection Officer (DPO)

• Name: Tiago Fonseca Costa
• Email: tiago@posttar.com

Last updated: March 2026