Privacy Policy
Last updated: 11 June 2026
This policy explains what data Postlift collects, why we collect it, who processes it on our behalf, how long we keep it, and the choices you have. It reflects how the product actually works — not a generic template. If anything here is unclear, email hello@postlift.co.
1. Who we are
Postlift (“Postlift”, “we”, “us”) operates the application at postlift.co. Postlift helps you grow on X (formerly Twitter) by learning your writing voice from your own posts, drafting new posts in that voice, and scoring each draft before you choose to publish it. We are the data controller for the personal data described in this policy.
2. What data we collect
We only collect what the product needs to function. Specifically:
Your X account, via OAuth (read-only)
When you connect your X account, you authorise Postlift using X’s OAuth 2.0 with read-only scopes (tweet.read, users.read, offline.access). Postlift cannot post, delete, like, or follow on your behalf — the API access we hold is incapable of writing. From this connection we store:
- Your public profile: X user ID, username, display name, avatar URL, and your public follower / following / post counts.
- Your public posts: the text and public engagement metrics (likes, replies, reposts, quotes, bookmarks, and impressions where X exposes them) of up to your most recent few thousand posts, used to build your voice profile and reach scores.
- Your OAuth access and refresh tokens, stored encrypted at rest (AES-256-GCM) — never in plaintext — so we can refresh your public data without you re-authorising each time.
Account & contact
Your email address and name, used for sign-in, your account record, and transactional email (e.g. a nudge when a post you scheduled is due to publish).
Billing
When you subscribe, payment is handled by Stripe. We do not store your card number. We retain Stripe’s customer and subscription identifiers and your subscription state (status, plan interval, trial end date, current period end, and whether you’ve cancelled) so we can grant access and show your billing status.
Content you create in Postlift
Drafts, threads, scheduled posts, repurposed outputs (e.g. LinkedIn or newsletter versions), your generated voice profile, and the predicted reach scores attached to your drafts. Where you tell us a draft was published, we may also store the resulting post URL and its later public metrics to compare predicted versus actual performance.
Usage events
An append-only log of your use of generation and other metered features (the type of action, a count, an optional cost estimate, and minimal metadata), used for fair-use limits, abuse prevention, and cost control.
Session & technical data
A session cookie to keep you signed in, and standard server and error logs (including, where enabled, error-monitoring data) needed to operate and secure the service.
3. How we use your data
- Build your voice profile — analyse your own past posts to model your tone, structure, and cadence.
- Generate content — draft new posts and repurposed formats in your voice, on your request.
- Score drafts — predict the likely reach of a draft (0–100) before you decide to publish.
- Analytics for you — show follower trends and compare predicted versus actual performance of posts you publish.
- Run your account — authentication, billing, transactional notifications, fair-use limits, and security.
You always remain in control of publishing. Postlift only drafts; posting to X happens when you click through to X’s own composer (Web Intent) and publish it yourself.
4. Legal basis (GDPR)
Where GDPR applies, we process your data on these bases: performance of our contract with you (providing the service you signed up for); our legitimate interests (securing the service, preventing abuse, controlling costs); and your consent, which you give by connecting your X account and which you can withdraw at any time by disconnecting or deleting your account.
5. Who processes your data
We use a small set of trusted sub-processors. We share only what each needs to perform its function:
- Vercel — application hosting and serverless execution.
- Neon — managed PostgreSQL database where your account, content, and (encrypted) tokens are stored.
- Stripe — subscription payments and billing.
- Resend — delivery of transactional email.
- OpenRouter — routes your generation requests to the large-language-model provider that produces drafts and voice analysis. Prompts derived from your posts are sent to this provider to generate content you request.
- X (X Corp.) — the source of your profile and public posts, accessed read-only under X’s API terms.
- Sentry — error monitoring (only active once configured), used to detect and fix faults.
Some processors operate outside your country; where that involves an international transfer, it is covered by the safeguards those providers offer (such as standard contractual clauses).
6. How long we keep it
We keep your data for as long as your account is active. If you delete your account, we delete your personal data — your profile, ingested posts, voice profile, drafts, and stored OAuth tokens — except where we must retain limited records to meet legal, tax, or accounting obligations (for example, Stripe billing records). Append-only usage logs may be retained in aggregated or minimised form for abuse and cost analysis.
7. Your rights and choices
- Disconnect X at any time to stop further data collection from your account.
- Access, correct, export, or delete your personal data. Where GDPR or similar laws apply, you also have rights to restrict or object to processing, and to data portability.
- Withdraw consent by disconnecting your X account or deleting your account.
To exercise any of these, or to request deletion, email hello@postlift.co. You also have the right to complain to your local data protection authority.
9. Security
OAuth tokens are encrypted at rest with AES-256-GCM. Access to data is limited to what the service needs to operate. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data and will notify you of a breach where the law requires it.
10. Changes to this policy
We may update this policy as the product evolves. When we make material changes we will update the “last updated” date above (11 June 2026) and, where appropriate, notify you.
11. Contact
Questions, requests, or complaints about your privacy: hello@postlift.co.