This Privacy Policy applies to Postiz, the Source Code Original social publishing app available at https://postiz.sourcecodeoriginal.com. Postiz is used by authorized Source Code Original team members and approved operators to manage and publish social media content to Source Code Original owned or managed accounts that an authorized operator chooses to connect, including Pinterest, YouTube, TikTok, and other supported platforms. This page explains, in simple terms, what information may be collected and how it may be used.
Information we may collect
- Basic account and login information used to access Postiz.
- Connected-platform authorization information, such as OAuth access tokens, refresh tokens, account identifiers, usernames, profile images, available boards, selected boards, published post identifiers, and published post URLs when needed to connect, schedule, publish, display, troubleshoot, or disconnect an authorized account.
- Content, media, captions, links, titles, scheduling information, drafts, and publishing settings that authorized operators choose to upload, create, schedule, or publish.
- Technical information needed to operate the website and connected social media integrations, including logs used for security, troubleshooting, and service reliability.
How information may be used
- To connect and manage linked social media accounts, including Pinterest accounts when an authorized operator chooses to connect Pinterest through OAuth.
- To let authorized operators choose boards, prepare Pins, schedule Pins, publish Pins, display publishing status, and show links to published Pins.
- To create, schedule, publish, and manage operator-directed content on supported platforms.
- To maintain security, troubleshoot issues, and improve service reliability.
Sharing
Information is only shared with third-party platforms, including Pinterest, YouTube, and TikTok when connected by an authorized operator, and service providers when needed to support authentication, scheduling, publishing, storage, security, or related social media features. Postiz does not sell connected-platform account information.
Retention
Information is retained only as long as needed to operate the service, maintain records, and support connected publishing workflows. OAuth tokens and connected-account records are retained while the account remains connected. Drafts, scheduled posts, uploaded media, and publishing records are retained as needed to provide the service unless removed by the user or deleted as part of account cleanup.
TikTok
TikTok reviewer section. Postiz uses TikTok only as a user-directed publishing, upload, scheduling, status, and analytics integration for TikTok accounts that a user chooses to connect. Postiz does not present itself as TikTok, is not affiliated with TikTok, and does not use TikTok data for any purpose outside the TikTok features requested by the connected user.
A user connects TikTok through TikTok OAuth. Postiz requests TikTok permissions only for the features available in the product: user.info.basic to identify and display the connected TikTok account, user.info.profile to support account/profile context where available, user.info.stats to show account-level analytics, video.list to list the user's public TikTok videos for analytics and post-status workflows, video.publish to publish user-approved content directly to the user's TikTok profile, and video.upload to upload user-approved content as a draft or inbox item for later review in TikTok.
When a user connects TikTok, Postiz may process TikTok OAuth access and refresh tokens, TikTok open ID or account identifier, username, display name, profile image, profile or account statistics returned by TikTok, public video identifiers returned by TikTok, engagement metrics returned by TikTok for the user's videos, media files selected by the user, captions, titles, scheduling details, post status, publish IDs, and published TikTok URLs or identifiers.
For TikTok publishing and upload workflows, Postiz may also process the user-selected posting method, privacy level, comment setting, duet setting, stitch setting, AI-generated-content indicator, commercial-content disclosure choices, Your Brand or Branded Content toggles, photo auto-add-music preference, creator information needed to validate posting limits, and TikTok publishing status returned by TikTok. For TikTok Direct Post, Postiz calls TikTok's creator information endpoint and uses the returned privacy level options, comment setting, duet setting, stitch setting, and posting-limit information to render and validate the available TikTok posting controls. These settings are used only to prepare, upload, publish, schedule, check, and display the result of TikTok content chosen by the user.
Postiz does not collect TikTok passwords, session cookies, or non-OAuth credentials. Postiz does not scrape TikTok, bypass TikTok access controls, remove watermarks, modify TikTok metrics, impersonate TikTok, or take TikTok actions unless the connected user chooses the account, content, timing, posting method, and relevant settings. Postiz does not use TikTok data to build a separate data product, benchmark TikTok against competitors, create cross-user profiles, train advertising audiences, target ads outside TikTok, or perform research unrelated to the user's own Postiz account.
Postiz does not sell, rent, lease, disclose, or otherwise make TikTok Developer Services Data available to unrelated third parties. TikTok data is shared only with TikTok when the user uses the TikTok integration, with hosting and technical service providers needed to operate Postiz, or when required for security, legal compliance, abuse prevention, or user support. Service providers are used only as needed to operate Postiz and are not permitted to use TikTok data for their own independent purposes.
Postiz retains TikTok OAuth tokens and connected-account records while the authorized operator keeps TikTok connected. Drafts, scheduled posts, uploaded media, publishing records, status information, and analytics records are retained only as long as needed to provide the service, maintain security, troubleshoot issues, comply with law, or support account records. Operators may disconnect TikTok in Postiz, revoke Postiz access in TikTok account settings, or request deletion of Postiz account information and TikTok integration data by contacting Source Code Original at courtneybostdorff@gmail.com.
Pinterest reviewer section. Postiz uses Pinterest only as an authorized content publishing, scheduling, status, and analytics integration for Source Code Original owned or managed Pinterest accounts. An authorized operator connects Pinterest through Pinterest's OAuth authorization flow. Postiz does not ask for, collect, store, or use Pinterest passwords, Pinterest session cookies, or any non-OAuth login credentials.
Postiz requests Pinterest permissions only for the features available in the product: user_accounts:read to identify and display the connected Pinterest account, boards:read to let the operator select a destination board, pins:write to create operator-approved Pins, and pins:read to support published-Pin lookup, publishing status, and analytics for Pins created or managed through Postiz.
When an authorized operator connects Pinterest, Postiz may process the minimum information needed to provide the integration: OAuth access and refresh tokens, the connected Pinterest account context needed to maintain the connection, board names and identifiers while selecting a destination, Pin content supplied by the operator, Pin media supplied by the operator, Pin titles, descriptions, links, scheduling details, publishing status, analytics returned by Pinterest for the connected account or relevant Pins, and published Pin identifiers or URLs needed to confirm and display publishing results.
Postiz calls the Pinterest API when needed to provide account connection, board selection, media upload, Pin creation, publishing status, and analytics features. Postiz does not build a separate Pinterest data product, Pinterest benchmarking product, competitor-research product, audience resale product, advertising-targeting dataset, cross-user profile, or platform-comparison product from Pinterest API data.
Postiz does not scrape Pinterest, does not use automated extraction outside the Pinterest API, does not sell Pinterest account information, does not share Pinterest API information with advertising networks, data brokers, or unrelated third parties, and does not use Pinterest account information to target advertising outside Pinterest. Postiz does not combine one Pinterest account's information with another account's information or with other services to create cross-user profiles, benchmarks, or targeting audiences.
Postiz takes Pinterest actions only after an authorized operator chooses or approves the relevant Pinterest action, content, timing, and destination board. Operators may disconnect Pinterest in Postiz or revoke access through Pinterest account settings. After disconnect or deletion request, Postiz removes or deactivates stored Pinterest authorization records and connected-platform data unless limited retention is required for security, legal, abuse-prevention, troubleshooting, or accounting reasons.
YouTube
YouTube reviewer section. Postiz uses YouTube API Services only as an authorized YouTube channel connection, video upload, scheduling, publishing-status, thumbnail, channel-selection, and analytics integration for Source Code Original owned or managed YouTube channels. An authorized operator connects YouTube through Google's OAuth authorization flow. Postiz does not ask for, collect, store, or use Google or YouTube passwords, YouTube session cookies, or any non-OAuth Google credentials. Use of YouTube through Postiz is also subject to the Google Privacy Policy at https://policies.google.com/privacy.
This installation requests Google and YouTube OAuth scopes only for the features available in Postiz: userinfo.profile to identify and display the connected Google account, userinfo.email to support account identification and review/debug context, youtube.readonly to list and confirm the YouTube channels the operator can select and to read video/channel status needed for publishing and analytics, youtube.upload to upload operator-approved video files and thumbnails to the selected channel, and yt-analytics.readonly to display YouTube Analytics reports for the connected channel. Postiz does not request the YouTube Partner scope for content-owner or CMS workflows on this installation.
When an authorized operator connects YouTube, Postiz may process Google OAuth access and refresh tokens, token expiry metadata, Google user ID, Google profile name, Google profile image, Google email address, YouTube channel IDs, channel names, channel custom URLs, channel thumbnails, subscriber counts returned by YouTube, video files selected by the operator, thumbnails selected by the operator, video titles, descriptions, tags, made-for-kids selection, visibility selection, scheduling details, upload status, published video IDs, published video URLs, video statistics, and YouTube Analytics metrics such as views, estimated minutes watched, average view duration, average view percentage, subscribers gained, subscribers lost, likes, and comments.
Postiz uses YouTube API data only to connect the operator's selected channel, prepare operator-selected video content, upload or schedule operator-approved videos, set the operator-selected visibility value of public, private, or unlisted, set an operator-selected custom thumbnail when supplied, display publishing status, show analytics for the connected channel or published videos, troubleshoot connection or publishing issues, and disconnect the account when requested. Postiz does not use YouTube API data for advertising, ad targeting, custom audience creation, data brokerage, unrelated research, competitor intelligence, platform benchmarking, cross-user profiling, or any separate YouTube data product.
Postiz does not scrape YouTube, download or store copies of YouTube audiovisual content from YouTube, make YouTube content available for offline playback, bypass YouTube access controls, modify YouTube metrics, manipulate YouTube engagement, spam YouTube, impersonate YouTube or Google, or publish YouTube content unless an authorized operator chooses or approves the channel, video file, title, description, tags, made-for-kids value, visibility setting, thumbnail, timing, and upload or scheduling action. Postiz does not collect or store YouTube login credentials.
Postiz retains YouTube OAuth tokens and connected-channel records while the authorized operator keeps YouTube connected. Drafts, scheduled posts, uploaded media records, publishing records, status information, and analytics records are retained only as long as needed to provide the service, maintain security, troubleshoot issues, comply with law, or support account records. Operators may disconnect YouTube in Postiz, revoke Postiz access through Google's security permissions page at https://security.google.com/settings/security/permissions, or request deletion of Postiz account information and YouTube integration data through https://postiz.sourcecodeoriginal.com/data-deletion or by contacting Source Code Original at courtneybostdorff@gmail.com.
Facebook reviewer section. Postiz uses Facebook only as an authorized Facebook Page connection, publishing, scheduling, engagement-management, publishing-status, and analytics integration for Source Code Original owned or managed Pages. An authorized operator connects Facebook through Meta OAuth/Facebook Login. Postiz does not ask for, collect, store, or use Facebook passwords, Facebook session cookies, or any non-OAuth Meta credentials.
Postiz requests Facebook permissions only for the features available in the product: pages_show_list to list Pages the operator can select, business_management to discover Pages owned by or shared with the connected business portfolio, pages_manage_posts to publish operator-approved Page posts, photos, videos, Reels, and links, pages_manage_engagement to add operator-approved comments or replies where Postiz comment workflows are used, pages_read_engagement to read Page context, Page post information, and engagement information needed for status and analytics, and read_insights to retrieve Page and post insights shown inside Postiz.
When an authorized operator connects Facebook, Postiz may process Meta OAuth access tokens, token expiry metadata, the connected Meta user identifier returned by Meta, Page identifiers, Page names, Page usernames, Page profile images, Page access tokens, business portfolio and owned/client Page relationships needed to select the correct Page, operator-supplied post text, media, links, scheduling details, comment text, publishing status, published post identifiers or URLs, and Page or post insights returned by Meta.
Postiz calls Meta APIs only to support account connection, Page discovery and selection, content upload, Page publishing, comments or replies requested by the operator, publish-status display, troubleshooting, and analytics. Postiz does not request or use Meta ads permissions, does not manage ads, does not create custom audiences, does not use Meta data for advertising targeting, does not sell Meta data, does not build a separate Meta data product, and does not combine Meta data across accounts for cross-user profiling or benchmarking.
Postiz does not scrape Facebook, bypass Meta access controls, impersonate Meta, modify Meta metrics, manipulate engagement, spam Facebook, require or incentivize engagement, or publish Facebook content unless an authorized operator chooses or approves the Page, content, media, link, timing, and publishing action. Operators may disconnect Facebook in Postiz, remove the app in Meta account settings, or request deletion through the User Data Deletion page at https://postiz.sourcecodeoriginal.com/data-deletion.
Instagram reviewer section. Postiz uses Instagram only as an authorized Instagram Business or professional-account connection, publishing, scheduling, comment, publishing-status, and analytics integration for Source Code Original owned or managed Instagram accounts. Operators may connect Instagram through the Meta/Facebook Business flow for Instagram accounts connected to Facebook Pages, and may use Instagram Standalone only if that provider is configured for this installation. Postiz does not ask for, collect, store, or use Instagram passwords, Instagram session cookies, or any non-OAuth Instagram credentials.
For Instagram through Facebook Login, Postiz requests instagram_basic to identify and display the Instagram Business account, pages_show_list, pages_read_engagement, and business_management to discover Facebook Pages and their connected Instagram Business accounts, instagram_content_publish to publish operator-approved Instagram media, Reels, Stories, and carousels, instagram_manage_comments to add operator-approved comments or replies, and instagram_manage_insights to retrieve account and media insights shown inside Postiz.
For Instagram Standalone, if enabled, Postiz requests instagram_business_basic, instagram_business_content_publish, instagram_business_manage_comments, and instagram_business_manage_insights for the same account display, publishing, comment, and analytics workflows without requiring a Facebook Page connection. These permissions are not used for advertising, audience building, or unrelated data collection.
When an authorized operator connects Instagram, Postiz may process OAuth access tokens, token expiry metadata, Instagram account identifiers, usernames, display names, profile images, connected Facebook Page identifiers when applicable, operator-supplied media, captions, collaborator handles, story/reel/carousel settings, thumbnail offsets, scheduling details, comments, publishing status, media container identifiers, published media identifiers or permalinks, and account or media insights returned by Meta or Instagram APIs.
Postiz calls Meta or Instagram APIs only to support account connection, connected-account discovery, media upload, content publishing, comments or replies requested by the operator, publish-status display, troubleshooting, and analytics. Postiz does not scrape Instagram, bypass access controls, impersonate Meta or Instagram, modify metrics, manipulate engagement, spam Instagram, sell Instagram data, use Instagram data for advertising targeting, create custom audiences, or publish Instagram content unless an authorized operator chooses or approves the account, media, caption, timing, and publishing action. Operators may disconnect Instagram in Postiz, remove the app in Meta or Instagram account settings, or request deletion through https://postiz.sourcecodeoriginal.com/data-deletion.
Your choices
Authorized operators may choose whether to connect third-party platforms, including Pinterest, Facebook, Instagram, TikTok, and YouTube, and what content to upload, schedule, publish, or remove. Operators may disconnect connected accounts in Postiz or through the connected platform account settings. To request deletion of Postiz account information or connected-platform data held by Postiz, visit https://postiz.sourcecodeoriginal.com/data-deletion or contact Source Code Original at courtneybostdorff@gmail.com.