Security & Data Protection

Last updated: 5/5/2026

PostPlanify is built and run by a small team based in Delaware, USA (Tumunuham LLC). We connect to your social accounts using official platform APIs and protect your data with the practices below. This page is written in plain English so you can forward it to your team or client if you need to.

How we connect to your social accounts

We use OAuth 2.0 for every platform — the same login flow each platform uses for its own apps:

  • We never see your password, and we never ask for it.
  • You can revoke our access at any time from each platform's settings.
  • We request only the permissions needed to schedule posts, pull analytics, and manage your inbox — nothing more.

Verified apps on every platform we publish to

To use these official APIs, our developer apps go through each platform's review process. Our apps are approved and live on:

  • Meta: Facebook, Instagram, Threads
  • LinkedIn: Marketing & Community Management APIs
  • TikTok: Content Posting & Insights API
  • X (Twitter): Paid API tier
  • Google: YouTube, Google Business Profile (OAuth-verified)
  • Pinterest: Content & Analytics API

When a platform updates its API rules or scopes, we update our app and re-submit for review. Bluesky uses the open AT Protocol and does not require a verification step.

How your data is stored

  • All connections are encrypted in transit (TLS 1.3 / HTTPS).
  • Access tokens are encrypted at rest in our database.
  • Daily encrypted backups with retention policies.
  • Hosted on enterprise-grade cloud infrastructure with isolated production environments and least-privilege access for engineers.

Your data is yours

  • Export your scheduled posts and analytics anytime from the dashboard.
  • Cancel anytime — your data is fully deleted within 30 days of cancellation.
  • We never sell your data, never use your content to train third-party AI models, and never post anything on your behalf without explicit action from you or a scheduled time you set.

Built for teams handling client accounts

If you manage social accounts for clients, these features are designed to keep things safe and reviewable:

  • Approval workflows — every post can require sign-off before going live.
  • Multi-approver per post — assign multiple reviewers to a single post.
  • Role-based access — limit team members to specific brands and actions.
  • Per-brand workspace isolation — separate workspaces per client; team members only see what you grant them.

GDPR & legal

We comply with the GDPR and applicable data-protection laws. The following pages are the source of truth for our legal commitments:

A Data Processing Agreement (DPA) is available on request for paying customers — email us at [email protected].

Reporting a security issue

If you believe you've found a security vulnerability or have a question about how we handle data, email [email protected]. It goes directly to the founder.