Privacy Policy

1. Introduction

BunnyPost ("we," "our," or "us") operates the BunnyPost social media scheduling platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using BunnyPost, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you register for BunnyPost, we collect:

• Email address
• Display name
• Password (stored securely using industry-standard hashing)
• Team and organization information

2.2 Connected Social Media Accounts

When you connect Instagram or other social media accounts, we collect:

• Social media user IDs and usernames
• Profile pictures
• OAuth access tokens (encrypted at rest using AES-256 encryption)
• Account type and status information

2.3 Content and Media

When you use our scheduling features, we store:

• Post captions, hashtags, and scheduling preferences
• Media files (images and videos) uploaded for publishing
• Comment templates and engagement content
• Google Drive connection data for media imports

2.4 Usage and Analytics Data

We automatically collect:

• API usage logs (endpoints called, response times, error rates)
• Instagram analytics snapshots (followers, reach, impressions, engagement)
• Post performance metrics (likes, comments, saves, shares)
• Feature usage patterns within the platform

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Schedule and publish content to your connected social media accounts
• Auto-post first comments, CTAs, and hashtag comments on your behalf
• Display analytics and performance insights for your accounts
• Monitor API rate limits to prevent account restrictions
• Send notifications about post status, token expiration, and account health
• Enforce rate limiting and circuit-breaking to protect your accounts
• Provide customer support and respond to inquiries

4. Data Storage and Security

We take the security of your data seriously:

• Database: All data is stored in Supabase with Row Level Security (RLS) policies ensuring team-based data isolation
• Token encryption: Social media access tokens are encrypted using AES-256-GCM before storage
• Authentication: User authentication is handled by Supabase Auth with secure session management
• HTTPS: All data in transit is encrypted using TLS/SSL
• CSRF protection: OAuth flows use cryptographically random state parameters

5. Third-Party Services

BunnyPost integrates with the following third-party services:

• Meta/Instagram API: To publish content, fetch analytics, and manage comments on your Instagram accounts. Subject to Meta's Privacy Policy.
• Google Drive API: To import media files from your connected Google Drive folders. Subject to Google's Privacy Policy.
• Supabase: For database, authentication, and file storage. Subject to Supabase's Privacy Policy.
• Netlify: For hosting and deployment. Subject to Netlify's Privacy Policy.

We do not sell your data to any third party. Data shared with these services is limited to what is necessary to provide the Service.

6. Data Sharing and Disclosure

We may share your information only in the following circumstances:

• With your team members: Data within your BunnyPost team is shared among all team members based on their assigned roles (admin, manager, poster, viewer)
• Service providers: With third-party services that help us operate the platform (as listed above)
• Legal requirements: When required by law, court order, or governmental regulation
• Business transfers: In connection with a merger, acquisition, or sale of assets

7. Data Retention

We retain your data as follows:

• Account data: Retained for as long as your account is active
• Post and media data: Retained until you delete it or close your account
• API call logs: Retained for 90 days for rate limiting and debugging purposes
• Analytics snapshots: Retained for up to 12 months for trend analysis
• Access tokens: Automatically refreshed and old tokens are overwritten

When you delete your account, we delete all associated data within 30 days, except where retention is required by law.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to certain processing of your personal data
• Withdraw consent: Withdraw consent at any time by disconnecting accounts or deleting your account

To exercise any of these rights, contact us at the email address provided below.

9. Cookies

BunnyPost uses essential cookies only, specifically for authentication session management and OAuth CSRF protection. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Children's Privacy

BunnyPost is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

11. International Data Transfers

Your data may be processed and stored in locations outside your country of residence. By using BunnyPost, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@bunny-agency.com
Company: Bunny Agency