Privacy Policy
Last Updated: 24 May 2026
1. Introduction
Welcome to CrossPoster. We are committed to protecting your privacy and handling your personal data lawfully, transparently, and securely.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web and mobile applications, our marketing website, and any other services we operate (together, the “Service”). It applies to all users of the Service worldwide.
2. Data Controller
The Service is operated by Blinov Tech Ltd, a company registered in England and Wales (Company Number 17089881), with its registered office at:
Blinov Tech Ltd
167-169 Great Portland Street, 5th Floor
London W1W 5PF
United Kingdom
Blinov Tech Ltd is the data controller of personal data processed through the Service. For any data protection enquiry, contact privacy@crossposter.tech.
3. Information We Collect
3.1 Account Information
When you create a CrossPoster account, we collect your email address, name (if provided), authentication identifiers from your sign-in provider (e.g., Google OAuth subject identifier or email one-time-passcode session), and the organization workspace information you set up.
3.2 Social Media Authentication
When you connect a social media account to CrossPoster (Instagram, TikTok, LinkedIn, YouTube, Pinterest, X (Twitter), Bluesky, Mastodon, or Facebook Page), we receive and store the following from the connected platform via OAuth:
- OAuth tokens (access tokens and, where issued, refresh tokens) — encrypted at rest using AES-256-GCM before being written to our database
- Public profile data (display name, username or handle, profile picture URL, platform-specific user identifier)
- Page or channel data (where you connect a Company Page, channel, or business account): page name, logo, vanity URL, page identifier
See Section 5 for LinkedIn-specific disclosures including additional data fields we receive from LinkedIn’s Community Management API.
3.3 Payment Information
When you subscribe to a paid plan, payment is processed by Stripe. We store:
- Last 4 digits of your card, card brand, expiration month/year
- Subscription details and billing history
- Stripe customer and subscription identifiers
We do not store your full credit card number, CVV, or any other payment instrument data. All payment data is handled by Stripe under their PCI DSS compliance obligations.
3.4 User-Generated Content
When you create and publish posts through CrossPoster, we collect:
- Post captions, text content, and formatting you create
- Images, videos, and other media you upload
- Selected publishing platforms, scheduling time, and target accounts
- The published-post identifiers returned by each platform
3.5 Service Telemetry
We collect anonymized usage events (page views, feature usage, error rates) through PostHog to operate and improve the Service. Where required by law, we obtain your consent before collecting non-essential telemetry.
4. How We Use Your Information
- Publishing: to authenticate with social platforms and publish your content on your instruction
- Account management: to operate your account, workspace, and team collaboration features
- Billing: to process subscriptions and payments via Stripe
- Service improvement: to analyze usage patterns and develop the product
- Security and fraud prevention: to detect, prevent, and address security incidents and abuse
- Legal compliance: to comply with applicable law and respond to lawful requests from authorities
Legal Basis for Processing (UK GDPR)
Under the UK General Data Protection Regulation, we rely on the following legal bases for processing your personal data:
- Contractual necessity (Art. 6(1)(b)) — processing OAuth tokens, user-generated content, and account information is necessary to provide the Service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)) — service improvement, security monitoring, and fraud prevention rely on our legitimate interests, balanced against your rights and freedoms.
- Consent (Art. 6(1)(a)) — optional analytics, cookies that are not strictly necessary, and marketing communications rely on your explicit consent, which you can withdraw at any time.
- Legal obligation (Art. 6(1)(c)) — retention of financial records for tax and accounting law.
5. LinkedIn-Specific Disclosures
When you connect a LinkedIn personal account or a LinkedIn Company Page via OAuth, CrossPoster receives and stores additional data from LinkedIn through the Sign In with LinkedIn product, the Share on LinkedIn product, and the LinkedIn Community Management API:
- OAuth access token and refresh token (encrypted with AES-256-GCM)
- Authenticated member’s person URN (urn:li:person:{id})
- For connected Company Pages: organization URN (urn:li:organization:{id}), page localized name, vanity URL, and logo
- Identifiers of posts you publish through CrossPoster to LinkedIn (post URNs returned by the Versioned Posts API)
- Aggregate engagement statistics for posts you publish through CrossPoster: impressions, reactions, comments, shares — retrieved from LinkedIn’s organization share statistics endpoint (/rest/organizationalEntityShareStatistics)
- Page-level statistics for Pages you administer: follower count over time, follower gains and losses — retrieved from LinkedIn’s follower statistics endpoint (/rest/organizationalEntityFollowerStatistics)
5.1 Data Storage Requirements
We adhere to LinkedIn’s data storage requirements:
- Organization profile data (page name, logo, vanity URL) is refreshed via the LinkedIn API at least once every 8 weeks to stay current
- We do not cache non-authenticated member profile data beyond 24 hours
- We do not retrieve, store, or display data of LinkedIn members who are not administrators of the connected page
5.2 Token Revocation on Disconnect
When you disconnect a LinkedIn account or page from CrossPoster, we immediately:
- Call LinkedIn’s token revocation endpoint (/oauth/v2/revoke) for both the access token and refresh token
- Delete all stored data associated with that connection from our database, including tokens, cached page profile, published-post records, and cached engagement statistics
5.3 Restrictions on Use
Use of LinkedIn data is governed by LinkedIn’s API Terms of Use. We confirm that:
- We do not use LinkedIn data for advertising, sales prospecting, lead generation, or building member directories
- We do not sell, license, or otherwise transfer LinkedIn data to any third party
- We do not aggregate, anonymize, or analyze LinkedIn data across CrossPoster customer accounts — each customer’s LinkedIn data is isolated at the organization level and is never accessible to other customers
- We do not use LinkedIn data to train machine learning models or to develop derivative products
6. Sub-Processors and Third-Party Services
We use the following third-party services to operate CrossPoster, each acting as a sub-processor under our instructions and bound by contractual data protection terms equivalent to UK GDPR:
- Amazon Web Services (AWS) — hosting, database, file storage. Region: US East (N. Virginia) us-east-1. AWS is certified under the EU-US Data Privacy Framework and the UK Extension.
- Neon — managed PostgreSQL database hosting
- Stripe Payments Europe Ltd — payment processing
- Cloudinary Ltd — media storage and CDN
- Liveblocks Inc. — real-time collaborative editing (in-memory; ephemeral)
- PostHog Inc. — product analytics and feature flag management
- Inngest Inc. — background job orchestration
- Upstash Inc. — Redis for rate limiting and caching
- Resend / AWS SES — transactional email delivery
- Social media platforms (Instagram, TikTok, LinkedIn, YouTube, Pinterest, X, Bluesky, Mastodon, Facebook Pages) — only insofar as you connect them, and only to publish your content per your instruction
Each third-party service has its own privacy policy governing how they handle your data. We share with each sub-processor only the data necessary for the specific operational purpose noted above.
7. International Data Transfers
CrossPoster is operated from the United Kingdom but our primary infrastructure is hosted in the United States (AWS region us-east-1). When personal data of users in the United Kingdom or the European Economic Area is transferred to the United States or to a third-country sub-processor, we rely on one or more of the following safeguards required by UK GDPR and EU GDPR:
- UK Adequacy Regulations / UK-US Data Bridge — for transfers to DPF-certified recipients (including AWS, Stripe US entities, and others)
- Standard Contractual Clauses (SCCs) — executed with sub-processors not covered by adequacy decisions
- Supplementary technical measures — encryption at rest (AES-256-GCM) and in transit (TLS 1.2+)
You may request a copy of the safeguards in place for any specific transfer by emailing privacy@crossposter.tech.
8. Data Retention and Deletion
8.1 Platform connection data
When you disconnect a social media platform from your Settings page, we immediately:
- Revoke the OAuth tokens at the originating platform, where the platform exposes a revocation endpoint (LinkedIn: /oauth/v2/revoke)
- Delete the stored tokens, cached profile data, and any cached engagement statistics from our database
8.2 Published content records
Records of posts you have published through CrossPoster (post text, media references, target platforms, publication timestamps, and platform-returned identifiers) are retained for as long as your account is active so you can view your posting history. You can delete individual published-post records from your dashboard at any time.
8.3 Account deletion
You can request full account deletion at any time by emailing privacy@crossposter.tech. Within 30 days of the request, we will:
- Delete your account, all stored social media tokens (after revocation at each platform), uploaded media, and all personal data we hold about you
- Instruct our sub-processors to delete derived copies, where applicable
- Confirm completion via email
Where required by law or legitimate business interest (e.g., financial records for tax purposes, security incident records), some data may be retained in aggregate or anonymized form beyond account deletion. Such retained data is not personally identifiable.
9. Your Data Protection Rights
Under UK GDPR and equivalent data protection laws, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure (the “right to be forgotten”) — request deletion of your data (see Section 8)
- Restriction — request that we limit processing of your data
- Data portability — request your data in a structured, machine-readable format
- Objection — object to processing based on our legitimate interests
- Withdraw consent — for any processing based on your consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email privacy@crossposter.tech. We will respond within one month of receiving your request.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk if you believe we have not handled your data appropriately. Within the EEA, you may also complain to your local data protection supervisory authority.
10. Security
We protect personal data using technical and organizational measures appropriate to the risk, including:
- Encryption at rest for OAuth tokens (AES-256-GCM) and at the storage layer for all customer data
- Encryption in transit using TLS 1.2 or higher for all network traffic
- Access controls — multi-tenant data isolation enforced at the database query layer through typed repository wrappers that prevent cross-tenant data access by design
- Least-privilege access for engineering and operational staff
- Audit logging for sensitive operations and access to personal data
- Regular security review of dependencies and third-party services
11. Cookies and Tracking
We use a small number of strictly-necessary cookies to operate authentication, billing, and session management. Optional analytics (PostHog) and marketing technologies, where used, rely on your explicit consent obtained via our cookie banner. You can withdraw consent at any time through the cookie preferences control in the footer of the Service.
12. Children
CrossPoster is not directed to individuals under 16 years of age, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact us and we will delete the information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last Updated” date at the top of this page and, where appropriate, notify you by email or through the Service. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
14. Contact Us
For questions about this Privacy Policy or to exercise any of your data protection rights:
- Privacy enquiries: privacy@crossposter.tech
- Product support: support@crossposter.tech
Data Controller: Blinov Tech Ltd, 167-169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom. Company Number 17089881.