Privacy Policy

We collect only what we need to operate the service:

• Account info — your email address and a stable user ID from our authentication provider (Clerk). We use this to identify you across sessions.
• Connected social accounts — when you authorize publishez to post on your behalf, we store the access and refresh tokens returned by each platform (YouTube, Facebook, Bluesky, Mastodon, LinkedIn, etc.). Tokens are encrypted at rest using AES-GCM with a key that never leaves our infrastructure.
• Post content you create — the text bodies, scheduling information, per-platform overrides, and references to attached media for every post you draft, schedule, or publish.
• Media you upload or generate — images and videos you upload or generate via our AI tools are stored in our object storage (Cloudflare R2) and served back to you and the platforms you publish to.
• Publishing logs — for each publish attempt we keep the remote post ID, the target URL, and an error message if it failed, so you can debug. We don't retain the post body in logs beyond the row itself.

We do not collect device fingerprints, browsing history outside the publishez app, ad-tracking identifiers, or precise location.

Strictly to run the service you asked us to run:

• Authenticate you across sessions.
• Publish content to the social platforms you have explicitly connected, at the times you have explicitly scheduled.
• Store your draft and scheduled posts and media for later use.
• Send you the AI-generation results you request (from fal.ai for images/video, from OpenAI for per-platform text rewrites).
• Debug and investigate publish failures.

We do not sell your data, share it with advertisers, or use it to train AI models.

We use a handful of vendors to operate publishez. Each receives only the data they need for their function.

• Clerk — authentication. Receives your email and login activity.
• Cloudflare — hosting (Workers), object storage (R2), and queues for publish jobs. All your stored data lives in Cloudflare.
• Neon — managed Postgres database holding your posts, accounts, and metadata (tokens are encrypted before they reach the DB).
• fal.ai — AI image / video generation. The prompts you type in the AI panel, plus any reference image you upload, are sent to fal.ai for inference.
• OpenAI — AI per-platform rewrites. The post text you send to the "Rewrite for X" feature is sent to OpenAI's Chat Completions API.
• Each social platform you connect — YouTube, Facebook, Bluesky, Mastodon, LinkedIn, etc. We send the post content you ticked them for, plus authentication tokens, to publish on your behalf.

We don't share data with anyone else. If that ever changes we'll update this policy and notify you.

• While your account is active — we retain your posts, media, and connected-account records so the service works.
• When you delete a post or media item — the database row is removed immediately; the underlying R2 object is removed within minutes (cleanup runs detached).
• When you disconnect a social account — we delete the encrypted tokens. The remote platform still keeps any record of past posts unless you delete them on that platform.
• When you delete your account — all of your data is removed from our systems within 30 days, except where we are required to retain something by law.

You can at any time:

• Disconnect a social account from the Accounts page, or revoke our access directly from the platform (Facebook → Settings → Business Integrations; YouTube → Google Account → Third-party apps; etc.).
• Delete individual posts and media from the Calendar and Media pages.
• Export or delete your account entirely — email rpdforlifex@gmail.com and we'll process within 30 days.
• Request a copy of your data in machine-readable form.

Depending on where you live (EU, UK, California, etc.) you may have additional rights under GDPR / CCPA / similar laws. Email us and we'll honor those.

OAuth tokens are encrypted with AES-GCM before being written to the database. Media is stored in private object-storage buckets and served via signed or public URLs as appropriate. We use HTTPS everywhere. No system is perfectly secure, but we follow standard practices and respond to disclosed vulnerabilities promptly. Report security issues to rpdforlifex@gmail.com.

publishez is not directed at children under 13 (or 16 in some jurisdictions). We don't knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll remove the account.

If we make material changes we'll update the "Effective" date at the top of this page and email anyone with an active account at least 14 days before the change takes effect.

Questions, requests, complaints — email rpdforlifex@gmail.com.