Post Master

Privacy Policy

Effective Date: July 2, 2026  |  Domain: postmaster.ecomex.cloud
Summary (not a substitute for the full policy): Post Master stores your account credentials, the OAuth tokens you grant us to connect your social media accounts, and the media/captions you schedule for publishing. We do not sell your data. We share it only as needed to operate the service (cloud infrastructure, payment processor). You can delete your data at any time from the dashboard or by emailing us.

1. Who We Are

Post Master ("Post Master", "we", "our", "us") is a multi-tenant social-media scheduling and publishing platform operated by Post Master, located at Dhaka, Bangladesh, Bangladesh.

The service is accessible at https://postmaster.ecomex.cloud. Post Master is a hosted deployment of the open-source Postiz project.

This Privacy Policy describes what personal data we collect, why we collect it, how we use and protect it, and what rights you have with respect to it. It applies to all users of the Post Master platform, including free trial users and paying subscribers.

2. Data We Collect

2.1 Account Data

When you register for Post Master we collect:

2.2 Connected Social Account Data (OAuth Tokens)

When you connect a social media account (Facebook Page, Instagram Business account, YouTube channel, TikTok account, Telegram bot, LinkedIn page, Twitter/X account, Pinterest, or others we add), we receive and securely store:

We do not collect followers, friend lists, private messages, advertising data, or any personal data belonging to your social media audience.

2.3 Content You Upload

Any media files (images, videos), captions, hashtags, links, and scheduling metadata (publish date/time, target account) that you upload or compose within Post Master are stored on our servers until published, and thereafter for the retention period described in Section 8. This content is used solely to fulfil the scheduling and publishing function you requested.

2.4 Telegram Bot Content

If you use the Telegram bot integration, the media and caption text you send to the bot are received by our servers and treated as content data under Section 2.3. The Telegram user ID associated with your bot interaction is linked to your Post Master account.

2.5 Log and Technical Data

We automatically collect technical data when you use the service:

This data is used for security monitoring, debugging, capacity planning, and fraud prevention. It is not used for advertising or sold to third parties.

3. How We Use Your Data

Purpose Data Used Legal Basis
Provide and operate the scheduling and publishing service Account data, OAuth tokens, uploaded content Performance of contract
Authenticate you and maintain your session Email, hashed password, session cookies Performance of contract
Process subscription payments and send billing receipts Email, Stripe-tokenised payment data Performance of contract / Legal obligation
Send transactional notifications (post published, error alerts, password reset) Email, post metadata Performance of contract
Security, fraud prevention, and abuse detection IP address, log data, usage patterns Legitimate interests
Improve and debug the service Anonymised/aggregated log and usage data Legitimate interests
Comply with legal obligations Any data required by applicable law Legal obligation
Respond to support requests Email, account data, relevant post/channel data Legitimate interests / Performance of contract

We do not use your data for behavioural advertising, profiling for third-party marketing, or any purpose inconsistent with what is described in this policy.

4. Facebook/Instagram, Google/YouTube, and TikTok Data

Post Master's core function is to publish content to social media platforms on your behalf. The following sub-sections describe exactly which permissions we request from each platform, what data those permissions allow us to access, and how we use that data.

Connecting a third-party social platform means that platform's own Privacy Policy also applies to the data they hold about you. Post Master does not control, and is not responsible for, the data practices of Meta, Google, TikTok, or any other social network.

4.1 Facebook and Instagram (Meta)

We request the following Meta permissions:

Permission Scope Why We Request It
pages_show_list Retrieve the list of Facebook Pages you manage so you can select which page to schedule posts to.
pages_read_engagement Read basic page metrics needed to display connected page information in the dashboard.
pages_manage_posts Create, schedule, and publish posts (including images and videos) to your Facebook Pages.
instagram_basic Retrieve your Instagram Business account ID and display name for the dashboard.
instagram_content_publish Publish image and video posts (including Reels and carousel posts) to your Instagram Business account.
business_management (if applicable) Access Business Manager assets when your pages are managed through a Business Manager account.

Data retained from Meta: OAuth access token, OAuth refresh token (if applicable), Page/Account ID, Page/Account display name, and profile picture URL. We do not store post engagement data, audience data, ad account data, or any personal data of your Page followers.

User token vs. Page token: We exchange your user token for long-lived Page access tokens and store those tokens. User tokens are not retained after exchange.

Data deletion: When you disconnect a Facebook Page or Instagram account from Post Master, or when you delete your Post Master account, all stored tokens and associated platform identifiers for that connection are permanently deleted from our systems within 30 days. See our Data Deletion Instructions page.

Meta Platform Policy compliance: We use Meta platform data only to provide the features described above and in compliance with the Meta Platform Terms and Meta Developer Policies.

4.2 Google and YouTube

We request the following Google OAuth scopes:

OAuth Scope Why We Request It
https://www.googleapis.com/auth/youtube.upload Upload videos to your YouTube channel on your behalf at the time you have scheduled.
https://www.googleapis.com/auth/youtube.readonly Retrieve your channel name and channel ID so we can display the connected channel in your dashboard and confirm upload destination.
https://www.googleapis.com/auth/userinfo.profile (basic) Retrieve your Google account display name and profile picture for the dashboard connection card.
https://www.googleapis.com/auth/userinfo.email (basic) Retrieve the email address associated with your Google account to uniquely identify your channel connection.

Data retained from Google: OAuth access token, OAuth refresh token, Google user ID, channel ID, channel name, and profile picture URL. We do not access your Google Drive, Gmail, Google Ads, Analytics, or any other Google service.

Sensitive scope use: The youtube.upload scope is classified as a sensitive scope by Google. We use it solely to upload videos you have scheduled within Post Master to your own YouTube channel. We do not use this scope to read your existing videos, access subscriber data, manage channel settings, or perform any action other than the upload you explicitly scheduled.

Token handling: Google OAuth tokens are stored encrypted in our database. Refresh tokens are used to obtain new access tokens automatically when they expire, ensuring scheduled uploads succeed. Tokens are never shared with third parties outside the scope of operating the service.

Google API Services User Data Policy: Post Master's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not use Google user data to serve advertisements; we do not allow humans to read your Google user data unless you have given explicit permission or it is required for security purposes; we do not use or transfer Google user data for any purpose that is not directly related to improving the scheduling and publishing feature.

Data deletion: Disconnecting your YouTube channel from Post Master revokes and deletes all stored Google tokens. You can also revoke access independently via Google Account Permissions.

4.3 TikTok

We request the following TikTok permissions:

Permission Scope Why We Request It
video.publish Upload and publish video content to your TikTok account on your behalf.
user.info.basic Retrieve your TikTok username and avatar to display the connected account in the dashboard.

Data retained from TikTok: OAuth access token, OAuth refresh token, TikTok open ID, display name, and avatar URL. We do not access your TikTok followers, DMs, analytics, or any other data outside the scopes listed above.

TikTok Platform Policy compliance: We use TikTok user data only to deliver the video publishing function and in compliance with the TikTok API Terms of Service. Data is not shared with third parties for advertising or monetisation purposes.

Data deletion: Disconnecting your TikTok account from Post Master deletes all stored tokens for that connection. Full account deletion removes all TikTok-related data within 30 days.

4.4 Other Connected Platforms

For all other platforms we support (LinkedIn, Twitter/X, Pinterest, Telegram, Reddit, and others as added), we apply the same principle: we request the minimum permissions required to publish content on your behalf, store only the OAuth tokens and basic account identifiers needed to operate connections, and delete that data when you disconnect or delete your account.

5. Cookies and Session Data

Post Master uses a minimal set of cookies necessary to operate the service:

Cookie Type Purpose Duration
Session / auth token Strictly necessary Keeps you logged in to the dashboard between page loads Session / 30 days (remember me)
CSRF token Strictly necessary Protects against cross-site request forgery attacks Session
Preference cookies Functional Stores UI preferences (e.g., dark/light mode, timezone) 1 year

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies (such as Google Analytics). If we add optional analytics in the future, we will update this policy and obtain appropriate consent.

6. Payments (Stripe)

Subscription billing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you enter payment card details, you submit them directly to Stripe's servers using Stripe.js; Post Master never receives or stores raw card numbers, CVV codes, or full card data.

Post Master receives and stores from Stripe:

Stripe's privacy practices are governed by the Stripe Privacy Policy. Stripe acts as a data processor on our behalf for payment processing and as an independent controller for fraud prevention.

7. Third-Party Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

All sub-processors are bound by contractual obligations (Data Processing Agreements where required by law) to protect personal data and process it only on our documented instructions.

8. Data Retention

Data Category Retention Period
Account data (name, email, hashed password) Until you delete your account, then purged within 30 days
OAuth tokens for connected social accounts Until you disconnect the channel or delete your account, then purged immediately (within 30 days maximum)
Scheduled/draft content and uploaded media Until published and then retained for 90 days for audit/replay purposes, or until account deletion
Published post records (metadata, not the content copy) Until account deletion
Billing records and invoices 7 years (legal/tax obligation)
Server logs (IP addresses, request logs) 90 days rolling
Support correspondence 3 years from last interaction, or until account deletion, whichever is later

After the applicable retention period, data is securely deleted or irreversibly anonymised. Anonymised, aggregated statistics (e.g., total posts published per month) may be retained indefinitely as they cannot identify individuals.

9. Security

We implement industry-standard technical and organisational measures to protect your data:

No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.

10. International Transfers

Post Master is operated from Bangladesh. If you access the service from a different country, your data may be transferred to and processed in our hosting region. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that any cross-border transfers of your personal data are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) or other lawful mechanisms recognised under GDPR.

11. Children

Post Master is not directed at children under the age of 13 (or 16 where required by local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at myecomexautomation@gmail.com and we will delete it promptly.

12. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data:

To exercise any right, contact us at myecomexautomation@gmail.com. We will respond within 30 days (or the period required by applicable law). We may ask you to verify your identity before processing the request.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the data protection authority in your jurisdiction.

13. Contact Us

For any privacy-related questions, requests, or complaints:

For data deletion requests specifically, please also see the Data Deletion Instructions page.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a notice within the Post Master dashboard at least 14 days before the changes take effect. The "Effective Date" at the top of this page will always reflect the date the current version took effect.

Your continued use of Post Master after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must discontinue use of the service.