Privacy Policy

Last updated: 2026-04-24

letmepost.dev ("we", "us", "the service") is an open-source social media publishing API operated by Rose Kamal Love (trading as letmepost.dev), based in India. This policy explains what we collect, why, and how you can have your data deleted.

1. What we collect

  • Account details: email, display name, organisation name. Used to identify you.
  • Connected social accounts: we receive OAuth access and refresh tokens (or, for Bluesky, app passwords) for each social platform you explicitly connect. These are stored encrypted at rest.
  • Post content: the text, media references, scheduled times, and metadata you submit to the API.
  • Usage logs: request timestamps, endpoints called, response codes, error codes, and upstream platform responses. Used for observability and debugging.
  • Billing details: when paid plans ship, Stripe will process payment; we store only the last 4 digits and a Stripe customer ID.

2. How we store it

  • OAuth tokens and passwords are encrypted using AES-256-GCM envelope encryption before being written to the database. A per-token data encryption key is itself encrypted by a master key held outside the database.
  • All traffic is TLS 1.2+ in transit.
  • Databases are hosted by Neon (Postgres); application servers by Railway. Both run in regions we can disclose on request.

3. How long we keep it

  • OAuth tokens: kept until you revoke the connected account or delete your letmepost.dev account.
  • Post records: kept for 90 days after publish (or failure).
  • Raw request/response logs: 30 days, then rotated out of hot storage.
  • Aggregated metrics (no personal data): kept indefinitely.

4. Who we share it with

We do not sell your data, and we do not share it for advertising. We share it with:

  • The social platforms you've connected, when you use letmepost.dev to publish to them.
  • Infrastructure providers (Neon, Railway, Upstash, Sentry, Axiom) under data-processing agreements, strictly to operate the service.
  • Law enforcement, only under a valid legal order.

5. Your rights

You can request export or deletion of your data at any time. See our data deletion page for how. If you're in a jurisdiction with specific data rights (GDPR, CCPA, India's DPDP Act), those rights apply.

6. Cookies

The marketing site uses no tracking cookies. The dashboard (when it ships) will use a single session cookie for authentication. No analytics that profile you across sites.

7. Contact

Privacy questions: support@letmepost.dev.