Privacy Policy
Last updated: 11 July 2026 · Effective: 11 July 2026
This Privacy Policy explains how PostAirport ("PostAirport", "we", "us", or "our") collects, uses, stores, shares, and deletes information when you use our website at postairport.com and our application at app.postairport.com (together, the "Service"). PostAirport is a scheduling and analytics tool that publishes organic Instagram content (feed photo and video posts, and Reels) and reads analytics for Instagram professional accounts on behalf of the account owner who connects them.
PostAirport accesses Instagram data through Meta's official APIs and handles that data in accordance with the Meta Platform Terms, the Meta Developer Policies, and applicable data-protection law. By using the Service, you agree to this Policy.
- 1. Information we collect
- 2. Instagram / Meta Platform Data
- 3. How and why we use data
- 4. Legal bases
- 5. How we store & secure data
- 6. Data retention
- 7. Third parties & sub-processors
- 8. Your rights & data deletion
- 9. What we never do
- 10. Children
- 11. International transfers
- 12. Changes
- 13. Contact us
1. Information we collect
We collect only what we need to run the Service:
Account information
- Email address — used to create your account and sign you in with a passwordless magic link.
- Authentication & session data — a signed, HTTP-only session cookie and a session record so you stay logged in.
Billing information
- Subscription & plan data — your cabin plan, status, and account/post limits.
- Payment details are collected and processed by Stripe. We do not store your full card number; we retain only a Stripe customer/subscription identifier.
Content you provide
- Media you upload — the photos, video files and cover images for the posts and Reels you schedule.
- Post details — captions, cover selections, scheduled ("departure") times, and share settings.
Instagram account data
When you connect an Instagram professional account, we access the data described in Section 2 below.
Technical & operational data
- Logs — event type, timestamp, success/failure, and the relevant Instagram user ID, used to operate, secure, and debug the Service. Access tokens are never written to logs in cleartext.
- Standard request metadata (e.g., IP address, user agent) handled by our infrastructure provider for security and abuse prevention.
2. Instagram / Meta Platform Data
PostAirport uses the Instagram API with Instagram Login. When you connect an Instagram professional (Business or Creator) account, you grant PostAirport a limited set of permissions and we access the following "Platform Data" strictly to provide the Service to you:
| Data | Why we access it |
|---|---|
| Instagram user ID, username & account type | Identify the connected account ("terminal") and show it in your dashboard. |
| Access tokens (short- and long-lived) | Authenticate API requests to publish posts and read insights on your behalf. Stored encrypted; refreshed automatically before expiry. |
| Media you publish (photo, video, cover, caption) | Create the media container and publish the post or Reel to your account at its scheduled time. |
| Media & account insights (views, reach, watch time, likes, comments, saves, shares, engagement, follower metrics/demographics) | Render your Control Tower analytics for the connected account and its posts. |
| Content publishing limit / usage | Respect Instagram's publishing rate limit so your account stays in good standing. |
We request only the minimum permissions required: instagram_business_basic, instagram_business_content_publish, and instagram_business_manage_insights. We do not request any permission we don't use.
3. How and why we use data
We use the information above to:
- Create and secure your account and keep you signed in.
- Schedule and publish your feed photos, videos and Reels to the Instagram accounts you connect, at the times you choose.
- Provide analytics — read and display account and per-post insights in your Control Tower dashboard.
- Enforce plan limits and process your subscription and payments.
- Operate, secure, monitor, and troubleshoot the Service, and prevent abuse.
- Communicate with you about your account, security, and service changes.
- Comply with legal obligations and the Meta Platform Terms.
4. Legal bases
Where data-protection law (such as the GDPR or the Australian Privacy Act) applies, we rely on: performance of a contract (to deliver the Service you sign up for), consent (which you give when you connect an Instagram account, and can withdraw at any time by disconnecting), legitimate interests (to secure and improve the Service), and legal obligation (to meet our compliance duties).
5. How we store & secure data
- Encryption at rest. All Instagram access tokens and secrets are encrypted at rest using authenticated encryption (AES-GCM). Tokens are never stored or logged in cleartext.
- Encryption in transit. All traffic uses TLS 1.2 or higher.
- Per-account segregation. Every connected account, post, and insight is scoped to the owning user. We never mix or cross-use one customer's data with another's.
- Transient media. Uploaded photos, videos and covers are staged only as long as needed to publish, then deleted from our storage automatically after the post is published (or the schedule is canceled). We do not keep a long-term library of your media.
- Access controls. Administrative, deployment, and code access is protected with multi-factor authentication and is reviewed periodically. Operational logs are monitored for security events.
6. Data retention
- Uploaded media — deleted automatically shortly after the post is published or the scheduled post is canceled.
- Access tokens — kept only while an account remains connected; deleted immediately when you disconnect the account, when Instagram/Meta notifies us that access was revoked, or when you delete your account.
- Insights — cached to power your dashboard and refreshed periodically; cleared when you disconnect the account or delete your data.
- Account & billing records — retained while your account is active and, where required, for a limited period afterward to meet legal, tax, and accounting obligations.
- When you request deletion, or when we receive a deauthorization or data-deletion signal from Meta, we delete the associated Platform Data promptly (see Section 8).
7. Third parties & sub-processors
We do not sell your data. We share it only with the service providers we rely on to run PostAirport, each acting under contract and only as needed:
| Provider | Purpose |
|---|---|
| Cloudflare | Hosting, application infrastructure, database, media storage, and network security. |
| Stripe | Subscription billing and payment processing. |
| Resend | Sending transactional email (magic-link sign-in and account notices). |
| Meta Platforms, Inc. (Instagram) | The Instagram APIs we call to publish your posts and read your insights. |
We may also disclose information if required by law, to protect our rights or users' safety, or in connection with a business transfer, subject to this Policy.
8. Your rights & data deletion
You are always in control of your data. Depending on where you live, you may have rights to access, correct, export, restrict, or delete your personal data, and to withdraw consent. To exercise any of these, contact us at privacy@postairport.com.
You can delete your data at any time using any of these paths:
- Disconnect in-app. Open PostAirport, go to your Terminals, and choose Disconnect Instagram to revoke access and delete that account's tokens and cached insights. Use Delete my data to remove your account entirely.
- Email us. Write to privacy@postairport.com and we will delete your data.
- Data deletion page. Follow the instructions at postairport.com/data-deletion.
If you remove PostAirport from your Instagram/Meta settings, Meta sends us a deauthorization and/or data-deletion request. We honor these automatically: we delete the relevant tokens and Platform Data and, for data-deletion requests, return a confirmation code and a status URL where you can check the outcome. This mechanism satisfies Meta's Data Deletion Request requirement.
9. What we never do
- We never sell your data or Platform Data.
- We never use your data for advertising, or to build cross-user profiles.
- We never use Platform Data to train machine-learning models or for analytics across customers.
- We never repurpose one account's data for another account or share your insights with anyone but you, the account owner.
10. Children
PostAirport is not directed to children under 13 (or the minimum age required in your country), and we do not knowingly collect their data. Instagram professional accounts are intended for creators and businesses.
11. International transfers
PostAirport is operated from Australia and our providers may process data in other countries. Where required, we rely on appropriate safeguards for cross-border transfers. By using the Service you understand your data may be processed in these locations.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Continued use of the Service after changes take effect means you accept the updated Policy.
13. Contact us
Questions or privacy requests? Reach us at:
- Privacy: privacy@postairport.com
- General: hello@postairport.com
- Data deletion: postairport.com/data-deletion
PostAirport is not affiliated with, endorsed, or sponsored by Instagram or Meta Platforms, Inc. Instagram is a trademark of Meta Platforms, Inc.