Legal
Privacy Policy
Effective date: July 3, 2026
This Privacy Policy explains how Multipost ("Multipost," "we," "us," or "our") collects, uses, discloses, and safeguards your information when you use the Multipost social media scheduling and management service (the "Service"). We are committed to protecting your privacy and handling your data transparently and in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Meta Platform Terms and Developer Policies.
1. Who we are
Multipost is a tool that lets creators and businesses schedule, publish, and analyze content on their own Instagram professional accounts. For the purposes of the GDPR, Multipost acts as a data controller for the account and usage data we collect, and as a data processor when publishing content on your behalf to Instagram. You can contact us about privacy at privacy@multipost.app.
2. Information we collect
2.1 Instagram data accessed through the Instagram API
When you connect an Instagram professional account using Instagram Login, you authorize Multipost to access a limited set of data through the official Instagram API. Specifically, we access:
- Basic profile information — your Instagram account ID, username, account type, profile picture, and follower/media counts (via the
instagram_business_basicpermission). We use this to identify the connected account and display it in your dashboard. - Content publishing access — the ability to create and publish media (photos, carousels, and reels) and their captions to your account at the time you schedule (via the
instagram_business_content_publishpermission). We only publish content you have uploaded and scheduled. - Media and insights — information about media you publish through Multipost and aggregated performance metrics (such as reach, impressions, and engagement) so we can show you analytics.
We do not collect your Instagram password. Access is granted through Meta's OAuth flow and secured with access tokens. We do not access private direct messages, and we do not access data from accounts you have not explicitly connected.
2.2 Account and contact data
- Your name and email address when you create a Multipost account.
- Billing information processed by our third-party payment processor (we do not store full card numbers).
2.3 Content you provide
- Media files, captions, hashtags, and scheduling details you upload to plan and publish posts.
2.4 Usage and technical data
- Log data such as IP address, browser type, device information, and pages viewed.
- Cookies and similar technologies used to keep you signed in and to understand product usage.
3. How we use your information
We use the information we collect to:
- Provide the core Service — scheduling and publishing your content to your connected Instagram accounts.
- Display your connected accounts, calendar, and published-post analytics.
- Authenticate you and keep your account secure.
- Process payments and manage subscriptions.
- Provide customer support and respond to your requests.
- Improve, troubleshoot, and develop the Service.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information, and we do not use your Instagram data for advertising or share it with data brokers.
4. Legal bases for processing (GDPR)
- Performance of a contract — to provide the Service you signed up for.
- Consent — for connecting your Instagram account and for optional communications; you may withdraw consent at any time.
- Legitimate interests — to secure, maintain, and improve the Service.
- Legal obligation — to comply with applicable laws.
5. How we store and protect your data
Data is stored on secured, access-controlled cloud infrastructure. Access tokens are encrypted at rest and in transit (TLS). We apply the principle of least privilege, restrict internal access to authorized personnel, and monitor for unauthorized activity. No method of transmission or storage is completely secure, but we work to protect your information using industry-standard safeguards.
6. Third parties we share data with
We share data only with service providers that help us operate the Service, and only to the extent necessary. These include:
- Meta Platforms, Inc. — via the Instagram API, to publish your content and retrieve profile and insights data.
- Cloud hosting and database providers — to host the application and store your data.
- Payment processors — to handle subscription billing.
- Analytics and error-monitoring providers — to keep the Service reliable.
These providers are bound by contractual obligations to keep your data confidential and to use it only for the services they provide to us. We may also disclose information if required by law or to protect our rights and users.
7. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. When you disconnect an Instagram account, we delete the associated access tokens promptly. When you delete your Multipost account, we delete or anonymize your personal data within 30 days, except where we are required to retain it to comply with legal, tax, or accounting obligations. You may request deletion at any time — see our Data Deletion page.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time.
- For California residents: know what personal information is collected and request its deletion; we do not sell personal information.
To exercise any of these rights, email privacy@multipost.app. You also have the right to lodge a complaint with your local data protection authority.
9. Revoking Instagram access
You can disconnect Multipost from within the app, or revoke access directly on Instagram at any time via Settings → Apps and Websites. When access is revoked, Meta notifies us through our deauthorization callback and we delete the associated tokens.
10. International data transfers
Your data may be processed in countries other than your own. Where data is transferred out of the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses.
11. Children's privacy
The Service is not directed to individuals under 18, and we do not knowingly collect data from children.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version here with an updated effective date and, where appropriate, notify you.
13. Contact us
Questions about this policy or your data? Email privacy@multipost.app or visit our contact page.