Privacy Policy

Last updated: March 12, 2026

cross-post ("we", "us", "our") operates the cross-post.app website and service. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

1. Information We Collect

Account Information: When you sign up, we collect your name, email address, and password (stored as a bcrypt hash). If you sign in with Google, we receive your Google profile information (name, email, profile picture).

Social Account Data: When you connect social media accounts, we store platform usernames, display names, and profile pictures. We do not store your social media passwords. OAuth tokens are managed by our third-party provider (Late API).

Content Data: We store the posts you create, including captions, media URLs, scheduling information, and publishing status.

Usage Data: We collect basic usage information such as post counts, login timestamps, and IP addresses for rate limiting and security purposes.

2. How We Use Your Information

• To provide and maintain the cross-post service
• To publish and schedule your content to connected social media platforms
• To manage your account and subscription
• To send transactional emails (password resets, account notifications)
• To enforce rate limits and prevent abuse
• To improve our service

3. Third-Party Services

We use the following third-party services to operate cross-post:

• Late API (getlate.dev) — Social media account connection and content publishing. Your social account tokens are stored and managed by Late.
• Polar.sh — Payment processing for subscriptions. We do not store credit card information; all payment data is handled by Polar.
• Google OAuth — Optional sign-in method. We receive only your basic profile information.
• SendGrid — Transactional email delivery.
• Hetzner — Server hosting located in Europe.

4. Data Storage and Security

Your data is stored on secure servers hosted by Hetzner in Europe. We use HTTPS encryption for all data in transit, bcrypt hashing for passwords, and prepared SQL statements to prevent injection attacks. Access to production systems is restricted to authorized personnel.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Post data and media references may be retained in backups for up to 90 days.

6. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and data
• Export your data
• Disconnect any social media account at any time

7. Cookies

We use a single session cookie (smp_session) to keep you signed in. This cookie expires after 30 days. We also store your theme preference in localStorage. We do not use tracking cookies or third-party analytics.

8. Children's Privacy

cross-post is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date.

10. Contact

If you have questions about this Privacy Policy, contact us at support@cross-post.app.