Privacy Policy
Effective date:
This Privacy Policy describes how [TODO(human): legal entity name](“Strew”, “we”, “us”) collects, uses, stores, and shares personal data when you use the Strew web application (the “Service”). Strew is a social-media broadcasting tool that publishes content you author to third-party social networks on your behalf.
1. Who we are
The data controller is [TODO(human): legal entity name and registered address] (company registration [TODO(human): registration number, if any]). You can contact us about this policy or about your personal data at [TODO(human): contact email, e.g. privacy@strew.app].
[TODO(human): if Strew has no establishment in the EU/UK and offers the Service to EU/UK residents, name an Art. 27 GDPR representative here. Delete this paragraph if not applicable.]
2. Data we collect
We try to collect as little as possible. The categories below are exhaustive — if it’s not listed here, we don’t store it.
2.1 Account data (when you sign in)
Strew uses third-party identity providers for sign-in. We do not see or store your password. From the identity provider we receive a stable provider account ID, your email address, your display name, and (where the provider supplies one) an avatar URL, plus a short-lived OAuth handshake token used only to complete sign-in.
Identity providers currently supported:
- GitHub — via GitHub OAuth.
- Google — via Google OAuth (when enabled for your deployment).
2.2 Connected social accounts
When you connect a social network so Strew can publish on your behalf, we store the provider name, the account’s public identifier, its display name, the OAuth tokens issued by that provider, the token expiry, refresh tokens (where supplied), and the scopes you granted. Tokens are encrypted at rest using AES-256-GCM with envelope encryption (per-row data-encryption keys wrapped by an application key-encryption key) and bound to the row they belong to via authenticated additional data so they cannot be reused if copied to a different row.
2.3 What each social-network permission gives us
When you connect a Connected Network, the network asks you to approve a specific list of permissions. Strew only uses each permission for the purpose stated below.
Meta (Facebook Pages and Instagram Business) — available from v1.0:
pages_show_list— to display the list of Facebook Pages you administer so you can pick which ones to connect to Strew. We do not store the full Page list; only the IDs of the Pages you actually connect.pages_read_engagement— to read the basic metadata of a connected Page (name, profile picture, ID) and to surface the publish results returned by Facebook after Strew posts on your behalf. We do not read inbound messages or comments.pages_manage_posts— to create, schedule, and delete posts on the Facebook Pages you connected, only when you explicitly publish through Strew.instagram_basic— to read the basic profile of the Instagram Business or Creator account linked to a connected Facebook Page (handle, profile picture, account ID) so we can display it in your Strew destinations list.instagram_content_publish— to publish images, videos, and captions to the connected Instagram Business or Creator account, only when you explicitly publish through Strew.
We do not use Meta permissions to retrieve your friends list, your private messages, ad performance, audience insights, or any other data outside the scope of publishing the content you authored in Strew. We do not use Meta data for advertising, profiling, or training machine-learning models.
LinkedIn (personal profile) — available from v1.2:
w_member_social— to publish posts to your LinkedIn personal profile, only when you explicitly publish through Strew.
We do not use LinkedIn data for analytics, profiling, advertising, or training machine-learning models. LinkedIn tokens and any cached LinkedIn account metadata are deleted when you disconnect the account or delete your Strew account.
2.4 Content you create
Posts you compose in Strew, including text, attached media (images, video), scheduling metadata, and the list of destinations you selected. Once a post has been published, we retain a record of the publish attempt (timestamp, target account, success/failure, the provider’s response) for support, debugging, and audit purposes.
2.5 Operational data
- Audit events — a record of security- and billing-relevant actions (sign-ins, account connections, publish attempts, permission changes) tied to your user ID, for fraud prevention and compliance.
- Error reports — when something goes wrong, we send a stack trace and limited request context (URL, user ID, browser type) to our error-tracking provider so we can fix the bug. Request bodies and headers are scrubbed before they leave the server.
We do not use third-party advertising trackers, analytics pixels, or cross-site cookies. The only cookies we set are first-party, essential session cookies required to keep you signed in.
3. Why we process this data (legal bases)
- Performance of a contract — to provide the Service you signed up for: authenticating you, storing connected accounts, publishing your content.
- Legitimate interests — to keep the Service secure (audit events, error reports, abuse prevention) and to improve it. You have the right to object to processing on this basis at any time (see §6).
- Legal obligation — to comply with tax, accounting, and lawful requests from authorities.
4. Sub-processors and third parties
We share data with the following sub-processors. Each one is bound by a data-processing agreement and processes data only on our instructions. Where personal data of EU/UK residents is transferred to the United States, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable). A copy of the relevant transfer mechanism is available on request from [TODO(human): contact email].
- Vercel Inc. (United States) — Application hosting and edge networking. Receives all request data necessary to serve the application.
- Neon, Inc. (United States) — Managed Postgres database. Stores account data, connected accounts (with tokens encrypted at rest), posts, and audit events.
- Functional Software, Inc. d/b/a Sentry (United States) — Error tracking. Receives error stack traces and limited request context (URL, user ID, browser type) with request bodies and headers scrubbed.
- GitHub, Inc. (United States) — Identity provider for sign-in via GitHub OAuth. Sees only the sign-in handshake, not your activity inside Strew.
- Google LLC (United States) — Identity provider for sign-in via Google OAuth (when enabled for the deployment). Sees only the sign-in handshake.
- Meta Platforms, Inc. (United States) — When you connect a Facebook Page or Instagram Business account, Strew calls the Meta Graph API on your behalf using the tokens you granted. Subject to Meta's own privacy policy. (Available from v1.0.)
- LinkedIn Corporation (United States) — When you connect your LinkedIn personal profile, Strew calls the LinkedIn API on your behalf using the tokens you granted. Subject to LinkedIn's own privacy policy. (Available from v1.2.)
5. How long we keep your data
- Account data — for as long as your account is active. Deleted within 30 days of account deletion.
- Connected social account tokens— marked revoked immediately when you disconnect the account or delete your Strew account, after which the tokens can no longer be used to publish. Where the provider supports it, Strew also calls the provider’s revoke endpoint so the token cannot be reused outside Strew. Revoked rows are then permanently purged within 30 days.
- Posts and publish history — retained for the life of the account. Deleted within 30 days of account deletion.
- Audit events — retained for 13 months for security and compliance.
- Error reports — retained for 90 days, then automatically purged by the error tracker.
6. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data (the “right to be forgotten”);
- receive a copy of your data in a portable, machine-readable format;
- restrict or object to processing based on our legitimate interests;
- withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing carried out before withdrawal);
- lodge a complaint with your local data-protection supervisory authority. EU residents may complain to the supervisory authority in the member state where they live or where the alleged infringement occurred; UK residents may complain to the Information Commissioner’s Office (ico.org.uk).
California residents have additional rights under the CCPA/CPRA: the right to know what personal information we collect and why, the right to delete it, the right to correct it, the right to data portability, and the right to non-discrimination for exercising these rights.
We do not sell or share your personal informationas those terms are defined under the CCPA/CPRA. We do not use or disclose “sensitive personal information” for any purpose beyond what is necessary to provide the Service, so the “Right to Limit Use of Sensitive Personal Information” is satisfied by default.
Categories of personal information collected, mapped to CCPA categories: identifiers (name, email, provider account ID), internet or other electronic network activity (browser type, URLs of errors, timestamps in audit events), and professional or employment-related information (only the public profile data exposed by GitHub/Google/LinkedIn when you sign in or connect those accounts).
To exercise any of these rights, email [TODO(human): contact email]. We will respond within 30 days. You can also delete your account at any time from the account settings; deletion cascades through connected accounts, posts, and publish history within 30 days.
7. Security
Connected-account tokens are encrypted at rest using AES-256-GCM with per-row data-encryption keys, wrapped by an application key-encryption key (KEK) held only in the runtime environment. Tokens are bound to the row they belong to via authenticated additional data (AAD), so a token cannot be reused if copied to a different row. The KEK infrastructure supports periodic rotation.
Database connections use TLS. We follow the principle of least privilege for internal access and audit privileged actions.
8. Children
Strew is not intended for children. We do not knowingly collect personal data from anyone under the minimum digital-consent age in their country (16 in much of the EU; 13 in the UK and the United States). If you believe a child has provided us with personal data, contact us and we will delete it.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced in the application and, where required, by email. The “Effective date” at the top of this page reflects the latest version.
10. Contact
Questions about this policy or about your personal data: [TODO(human): contact email].
Postal address: [TODO(human): registered postal address].