Privacy Policy

Last updated: May 30, 2026

1. Introduction

This Privacy Policy explains how Postwave ("Postwave", "we", "us") collects, uses, shares, and protects personal data when you use our website, applications, and services (the "Service"). It is written to align with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA). If you do not agree with this Policy, please do not use the Service.

2. Data Controller

Postwave is the data controller for the personal data processed through the Service. You can contact us at hello@webtek.lv for any privacy-related request.

3. Data We Collect

We collect only the data we need to provide the Service:

  • Account data: email address, hashed password (if signing in with email/password), display name, and profile picture or full name returned by Google when you sign in with Google.
  • Workspace data: the workspaces you create or join, your role within each workspace, and the other members.
  • Connected accounts: Instagram Business / Creator account identifiers and OAuth access and refresh tokens, and Google Drive identifiers needed to read files you select.
  • Content you schedule: media references, captions, scheduling time, and publishing status of posts.
  • Post insights: aggregate Instagram metrics (impressions, reach, likes, comments, saves) for posts published through Postwave.
  • Technical data: IP address, browser type, device information, and basic log data needed for security, debugging, and abuse prevention.
  • Cookies and similar technologies: a session cookie to keep you signed in, and a small functional cookie to remember your active workspace. We do not use third-party advertising cookies.

We do not knowingly collect data from children under 16.

4. How We Use Your Data

We process personal data to:

  • Provide, maintain, and secure the Service.
  • Authenticate you, manage workspace membership, and enforce access control.
  • Publish your scheduled posts to Instagram on your behalf at the time you choose.
  • Display analytics for posts you published through Postwave.
  • Send transactional emails (account confirmation, password reset, important service notices).
  • Detect, prevent, and address abuse, fraud, and security issues.
  • Comply with legal obligations.

5. Legal Bases (GDPR)

  • Performance of a contract — to deliver the Service to you.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve features. We balance these interests against your rights.
  • Consent — when you connect an Instagram or Google Drive account, you grant consent for the specific scopes requested at connect time. You can revoke this consent at any time by disconnecting the integration.
  • Legal obligation — when required by law.

6. Sharing Your Data

We do not sell your personal data and do not share it for cross-context behavioral advertising. We share data only with:

  • Service sub-processors that host and operate the Service on our behalf, including our cloud hosting provider (Cloudflare), our managed database and authentication provider (Supabase), and email delivery providers. They process data under written agreements and only on our instructions.
  • Meta / Instagram and Google when you connect those accounts and when we publish, read, or fetch data on your behalf. These exchanges are governed by their respective policies.
  • Other members of your workspace, who can see content you create within that workspace.
  • Authorities when required by law, court order, or to protect rights, property, or safety.
  • A successor in the event of a merger, acquisition, or sale of assets, subject to equivalent protections.

7. International Transfers

Your data may be processed in countries outside your own, including the United States and the European Union. Where data is transferred outside the European Economic Area or the UK, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

8. Data Retention

We keep personal data only as long as needed for the purposes described above:

  • Account and workspace data: until you delete your account.
  • Instagram and Google OAuth tokens: until you disconnect the integration or the token is revoked.
  • Scheduled and published post records: while your account is active, plus a short period for backups and audit logs.
  • Security and abuse-prevention logs: typically 90 days, longer if needed to investigate an incident.

When you delete your account, we erase or anonymize your data within 30 days, except where retention is required by law.

9. Security

We use industry-standard safeguards including TLS in transit, encryption at rest for OAuth tokens and credentials, row-level security in our database to isolate workspaces, and least-privilege access for our team. No system is perfectly secure; please use a strong, unique password and notify us of any suspected breach.

10. Your Rights

Depending on where you live, you have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent at any time. California residents have additional rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of sale or sharing (we do not sell or share for cross-context behavioral advertising).

To exercise any right, email us at hello@webtek.lv. We will respond within the time required by applicable law. You also have the right to lodge a complaint with your local data protection authority.

11. Data Deletion Requests

You can request deletion of your personal data at any time. We offer two ways to do this:

  • Self-service: Sign in to Postwave, go to Settings → Account, and click Delete my account. This immediately removes your account, workspace memberships, posts, and connected tokens. Before using this option, you must delete any workspaces you own from Settings → Workspace.
  • By email: Send a request to hello@webtek.lv with your registered email address. We will verify your identity and complete the deletion within 30 days.

When your account is deleted, we remove your authentication profile, workspace memberships, posts you created, and Instagram / Google Drive tokens. Anonymous analytics and security logs may be retained for up to 90 days as required by law.

12. Instagram and Google Data — Specific Notes

When you connect an Instagram Business or Creator account, we request only the permissions needed to publish posts and read insights for those posts. When you connect Google Drive, we request read-only access to the files you explicitly select. We do not use this data for advertising, do not transfer it to data brokers, and do not use it to build user profiles. You can revoke access at any time from the Connections page in the app or from your Meta or Google account settings.

13. Cookies

We use a small number of strictly necessary cookies: a session cookie for authentication and a functional cookie that remembers your active workspace. We do not use cookies for advertising or cross-site tracking. You can clear cookies in your browser at any time, but doing so will sign you out.

14. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the latest revision. If we make material changes, we will notify you by email or in-app notice before they take effect.

15. Contact

Questions or requests about this Policy? Email hello@webtek.lv.