
Privacy Policy

Last updated: March 29, 2026

1. What we collect

PostPilot collects the minimum data needed to provide the service. When you sign up, we store your email address and name via Clerk, our authentication provider. When you connect your X account, we store your OAuth access tokens to post on your behalf. We store the content and scheduled time of posts you create. We store your billing information via Stripe — we never see or store your payment card details directly.

2. How we use your data

Your data is used solely to operate PostPilot. Your X OAuth tokens are used to publish posts at your scheduled times. Your email is used to send transactional emails (receipts, important notices). Your posts are stored so you can view and manage them in the calendar. We do not sell your data. We do not use your data for advertising. We do not train AI models on your content.

3. Third-party services

PostPilot uses the following third-party services: Clerk (authentication), Stripe (payments), MongoDB Atlas (database), Vercel (hosting and file storage), Upstash QStash (scheduled task delivery), and the X API (publishing posts). Each of these services has its own privacy policy. By using PostPilot, you acknowledge that data is processed by these providers as necessary to operate the service.

4. Your X account

When you connect your X account, PostPilot receives OAuth 1.0a access tokens that allow us to post on your behalf. These tokens are stored in our database and are used only to publish posts you have explicitly scheduled. You can disconnect your X account at any time from Settings, which immediately removes our access. We do not read your feed, access your direct messages, or interact with any content beyond posting what you schedule.

5. Data retention

Your post history is retained for as long as your account is active. When you delete your account, all associated data including posts, settings, and OAuth tokens is permanently deleted within 30 days. Stripe retains billing records as required by law.

6. Cookies

PostPilot uses cookies only for authentication (managed by Clerk) and for OAuth flow security (temporary cookies during X account connection). We do not use tracking cookies or third-party advertising cookies.

7. Your rights

You have the right to access, correct, or delete your personal data at any time. To request data deletion or export, contact us at the email below. If you are in the EU, you have additional rights under GDPR including the right to lodge a complaint with your local supervisory authority.

8. Security

We use industry-standard security practices: HTTPS for all connections, encrypted storage of OAuth tokens, webhook signature verification for all external services, and authentication via Clerk. No system is completely secure — we recommend disconnecting your X account if you suspect unauthorized access.

9. Changes

We may update this Privacy Policy from time to time. When we do, we will update the date at the top and notify active subscribers by email if the changes are significant.

10. Contact

Questions about this policy? Contact us at: privacy@postpilot.app
