Post Master ("Post Master", "we", "our", "us") is a multi-tenant social-media scheduling and publishing platform operated by Post Master, located at Dhaka, Bangladesh, Bangladesh.
The service is accessible at https://postmaster.ecomex.cloud. Post Master is a hosted deployment of the open-source Postiz project.
This Privacy Policy describes what personal data we collect, why we collect it, how we use and protect it, and what rights you have with respect to it. It applies to all users of the Post Master platform, including free trial users and paying subscribers.
When you register for Post Master we collect:
When you connect a social media account (Facebook Page, Instagram Business account, YouTube channel, TikTok account, Telegram bot, LinkedIn page, Twitter/X account, Pinterest, or others we add), we receive and securely store:
We do not collect followers, friend lists, private messages, advertising data, or any personal data belonging to your social media audience.
Any media files (images, videos), captions, hashtags, links, and scheduling metadata (publish date/time, target account) that you upload or compose within Post Master are stored on our servers until published, and thereafter for the retention period described in Section 8. This content is used solely to fulfil the scheduling and publishing function you requested.
If you use the Telegram bot integration, the media and caption text you send to the bot are received by our servers and treated as content data under Section 2.3. The Telegram user ID associated with your bot interaction is linked to your Post Master account.
We automatically collect technical data when you use the service:
This data is used for security monitoring, debugging, capacity planning, and fraud prevention. It is not used for advertising or sold to third parties.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and operate the scheduling and publishing service | Account data, OAuth tokens, uploaded content | Performance of contract |
| Authenticate you and maintain your session | Email, hashed password, session cookies | Performance of contract |
| Process subscription payments and send billing receipts | Email, Stripe-tokenised payment data | Performance of contract / Legal obligation |
| Send transactional notifications (post published, error alerts, password reset) | Email, post metadata | Performance of contract |
| Security, fraud prevention, and abuse detection | IP address, log data, usage patterns | Legitimate interests |
| Improve and debug the service | Anonymised/aggregated log and usage data | Legitimate interests |
| Comply with legal obligations | Any data required by applicable law | Legal obligation |
| Respond to support requests | Email, account data, relevant post/channel data | Legitimate interests / Performance of contract |
We do not use your data for behavioural advertising, profiling for third-party marketing, or any purpose inconsistent with what is described in this policy.
Post Master's core function is to publish content to social media platforms on your behalf. The following sub-sections describe exactly which permissions we request from each platform, what data those permissions allow us to access, and how we use that data.
We request the following Meta permissions:
| Permission Scope | Why We Request It |
|---|---|
pages_show_list |
Retrieve the list of Facebook Pages you manage so you can select which page to schedule posts to. |
pages_read_engagement |
Read basic page metrics needed to display connected page information in the dashboard. |
pages_manage_posts |
Create, schedule, and publish posts (including images and videos) to your Facebook Pages. |
instagram_basic |
Retrieve your Instagram Business account ID and display name for the dashboard. |
instagram_content_publish |
Publish image and video posts (including Reels and carousel posts) to your Instagram Business account. |
business_management (if applicable) |
Access Business Manager assets when your pages are managed through a Business Manager account. |
Data retained from Meta: OAuth access token, OAuth refresh token (if applicable), Page/Account ID, Page/Account display name, and profile picture URL. We do not store post engagement data, audience data, ad account data, or any personal data of your Page followers.
User token vs. Page token: We exchange your user token for long-lived Page access tokens and store those tokens. User tokens are not retained after exchange.
Data deletion: When you disconnect a Facebook Page or Instagram account from Post Master, or when you delete your Post Master account, all stored tokens and associated platform identifiers for that connection are permanently deleted from our systems within 30 days. See our Data Deletion Instructions page.
Meta Platform Policy compliance: We use Meta platform data only to provide the features described above and in compliance with the Meta Platform Terms and Meta Developer Policies.
We request the following Google OAuth scopes:
| OAuth Scope | Why We Request It |
|---|---|
https://www.googleapis.com/auth/youtube.upload |
Upload videos to your YouTube channel on your behalf at the time you have scheduled. |
https://www.googleapis.com/auth/youtube.readonly |
Retrieve your channel name and channel ID so we can display the connected channel in your dashboard and confirm upload destination. |
https://www.googleapis.com/auth/userinfo.profile (basic) |
Retrieve your Google account display name and profile picture for the dashboard connection card. |
https://www.googleapis.com/auth/userinfo.email (basic) |
Retrieve the email address associated with your Google account to uniquely identify your channel connection. |
Data retained from Google: OAuth access token, OAuth refresh token, Google user ID, channel ID, channel name, and profile picture URL. We do not access your Google Drive, Gmail, Google Ads, Analytics, or any other Google service.
Sensitive scope use: The youtube.upload scope is classified as a sensitive scope by Google. We use it solely to upload videos you have scheduled within Post Master to your own YouTube channel. We do not use this scope to read your existing videos, access subscriber data, manage channel settings, or perform any action other than the upload you explicitly scheduled.
Token handling: Google OAuth tokens are stored encrypted in our database. Refresh tokens are used to obtain new access tokens automatically when they expire, ensuring scheduled uploads succeed. Tokens are never shared with third parties outside the scope of operating the service.
Google API Services User Data Policy: Post Master's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not use Google user data to serve advertisements; we do not allow humans to read your Google user data unless you have given explicit permission or it is required for security purposes; we do not use or transfer Google user data for any purpose that is not directly related to improving the scheduling and publishing feature.
Data deletion: Disconnecting your YouTube channel from Post Master revokes and deletes all stored Google tokens. You can also revoke access independently via Google Account Permissions.
We request the following TikTok permissions:
| Permission Scope | Why We Request It |
|---|---|
video.publish |
Upload and publish video content to your TikTok account on your behalf. |
user.info.basic |
Retrieve your TikTok username and avatar to display the connected account in the dashboard. |
Data retained from TikTok: OAuth access token, OAuth refresh token, TikTok open ID, display name, and avatar URL. We do not access your TikTok followers, DMs, analytics, or any other data outside the scopes listed above.
TikTok Platform Policy compliance: We use TikTok user data only to deliver the video publishing function and in compliance with the TikTok API Terms of Service. Data is not shared with third parties for advertising or monetisation purposes.
Data deletion: Disconnecting your TikTok account from Post Master deletes all stored tokens for that connection. Full account deletion removes all TikTok-related data within 30 days.
For all other platforms we support (LinkedIn, Twitter/X, Pinterest, Telegram, Reddit, and others as added), we apply the same principle: we request the minimum permissions required to publish content on your behalf, store only the OAuth tokens and basic account identifiers needed to operate connections, and delete that data when you disconnect or delete your account.
Subscription billing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you enter payment card details, you submit them directly to Stripe's servers using Stripe.js; Post Master never receives or stores raw card numbers, CVV codes, or full card data.
Post Master receives and stores from Stripe:
Stripe's privacy practices are governed by the Stripe Privacy Policy. Stripe acts as a data processor on our behalf for payment processing and as an independent controller for fraud prevention.
| Data Category | Retention Period |
|---|---|
| Account data (name, email, hashed password) | Until you delete your account, then purged within 30 days |
| OAuth tokens for connected social accounts | Until you disconnect the channel or delete your account, then purged immediately (within 30 days maximum) |
| Scheduled/draft content and uploaded media | Until published and then retained for 90 days for audit/replay purposes, or until account deletion |
| Published post records (metadata, not the content copy) | Until account deletion |
| Billing records and invoices | 7 years (legal/tax obligation) |
| Server logs (IP addresses, request logs) | 90 days rolling |
| Support correspondence | 3 years from last interaction, or until account deletion, whichever is later |
After the applicable retention period, data is securely deleted or irreversibly anonymised. Anonymised, aggregated statistics (e.g., total posts published per month) may be retained indefinitely as they cannot identify individuals.
We implement industry-standard technical and organisational measures to protect your data:
No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.
Post Master is operated from Bangladesh. If you access the service from a different country, your data may be transferred to and processed in our hosting region. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that any cross-border transfers of your personal data are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) or other lawful mechanisms recognised under GDPR.
Post Master is not directed at children under the age of 13 (or 16 where required by local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at myecomexautomation@gmail.com and we will delete it promptly.
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data:
To exercise any right, contact us at myecomexautomation@gmail.com. We will respond within 30 days (or the period required by applicable law). We may ask you to verify your identity before processing the request.
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the data protection authority in your jurisdiction.
For any privacy-related questions, requests, or complaints:
For data deletion requests specifically, please also see the Data Deletion Instructions page.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a notice within the Post Master dashboard at least 14 days before the changes take effect. The "Effective Date" at the top of this page will always reflect the date the current version took effect.
Your continued use of Post Master after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must discontinue use of the service.