LogoPublano

Privacy Policy

Last updated: July 8, 2026

1. Introduction

Publano is a social media management platform operated by Koya Labs, Stockholm, Sweden ("we", "us", "our"). Koya Labs is a registered business name of our company; our full registered entity, company number, and address are set out on our Company Details page. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use the Publano platform at https://app.publano.comand any related services (collectively, the "Service").

Controller and processor roles. We are the data controller for information we determine the purposes of — for example your account and authentication data, billing data, and security logs. For the content and data you and your team put into the Service on behalf of your clients — workspace and client records, post content and media, connected-account data, and audience interactions — you (or your client) are the controller and we act as your processor. That processing is governed by our Data Processing Agreement.

By using the Service you agree to the practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account information

When you create an account we collect your email address and optional display name and profile picture. You can sign in with a passwordless magic link or by setting a password. If you set a password it is stored only as a salted bcrypt hash — never in plaintext. If you enable two-factor authentication, your authenticator secret is encrypted at rest (AES-256-GCM) and your backup codes are stored only as hashes.

2.2 Workspace and client data

We store the content you create inside Publano: workspace names, client profiles, post captions, media files, calendar plans, campaign configurations, comments, tasks, approval records, and audit logs.

2.3 Connected platform account data

When you connect a third-party platform (such as Instagram, Facebook, LinkedIn, TikTok, YouTube, or Google services) via OAuth, we receive and store:

  • OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM)
  • Platform account identifiers and account names
  • Profile picture URLs
  • Page, channel, or location identifiers required for publishing
  • Token expiry timestamps and permission scopes granted

Tokens are never returned to the browser, never logged in plaintext, and never shared with third parties outside of the platform they were issued by.

2.4 Usage and technical data

We collect standard server logs including IP addresses, browser user agents, request paths, and timestamps for security, debugging, and operational purposes. We also store audit logs of significant actions taken inside the Service (platform connections, post state changes, member role changes, and similar events).

2.5 Media files

Images and videos you upload for social media posts are stored in Cloudflare R2 object storage. Files are retained through the publish lifecycle and subject to our storage lifecycle policy described in Section 5.

2.6 Analytics and audience data

When you connect analytics or social platforms, we store aggregated daily metrics (such as impressions, reach, clicks, and engagement) to power reporting. We do not build profiles of your audience. Social comments and reviews (for example Instagram or Facebook comments and Google Business Profile reviews) are fetched from the platform and shown to you on demand; we do not store them in our database. To help match your brand voice, we may store a small sample of your own most recent published captions per connected account.

2.7 AI features

Publano offers optional AI features that draft captions, calendar plans, and campaign briefs. When you use these, the relevant inputs — such as your draft caption, selected media frames, client name, and tone samples — are sent to Google's Gemini API to generate a suggestion. This data is processed under Google API terms that do not permit using it to train Google's models. AI output is a draft for your review; you decide whether to edit, use, or discard it before anything is published.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your session
  • Schedule and publish content to connected social media platforms on your behalf
  • Refresh OAuth tokens and maintain platform connections
  • Send transactional emails (sign-in links, approval notifications, publish confirmations)
  • Display reporting and analytics data from connected platforms
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your content or connected platform data for advertising, profiling, or any purpose beyond operating the Service as described.

Legal bases (GDPR)

Where the GDPR applies, we rely on the following legal bases: performance of a contract (to provide the Service you sign up for); legitimate interests(to secure, maintain, and improve the Service, prevent abuse, and communicate about it), balanced against your rights; consent (for optional marketing-site analytics cookies, which you can withdraw at any time); and compliance with legal obligations.

4. Third-Party Platform Integrations

Publano integrates with the following third-party platforms. When you connect these platforms, their respective privacy policies also apply to the data they provide to us.

Meta (Instagram and Facebook)

We request access to publish content to Instagram Business accounts and Facebook Pages you manage. We access page tokens, page identifiers, and Instagram business account identifiers. We do not access personal profile data beyond what is required to identify the page. Meta's privacy policy: facebook.com/policy.php

LinkedIn

We request access to publish posts on behalf of LinkedIn member profiles and organization pages you manage. LinkedIn's privacy policy: linkedin.com/legal/privacy-policy

TikTok

We request access to upload and publish videos to TikTok accounts you connect. TikTok's privacy policy: tiktok.com/legal/privacy-policy

Google (YouTube, Google Business Profile, Google Analytics, Google Search Console)

We request access to publish videos to YouTube channels, post updates to Google Business Profile locations, and read analytics data from Google Analytics 4 and Google Search Console. Google's privacy policy: policies.google.com/privacy

You can disconnect any platform integration at any time from within the Service. Upon disconnection, we revoke the stored tokens and remove the connection record. This does not delete content already published to those platforms — such content is managed directly through the respective platform.

5. Data Retention

We retain your account data for as long as your account is active or as needed to provide the Service. When you delete your account (see Section 10), we anonymise your personal data — your name, email, and credentials are removed — while retaining a minimal, non-identifying record where required for audit integrity and legal obligations.

Media files uploaded for posts are subject to a storage lifecycle policy: files for deleted posts are removed after a short grace period, and media for published posts on platforms that support embeds is pruned from our storage after a retention window while the live post remains on the platform. Immutable publish receipts and metadata are retained for audit and reporting purposes.

Audit logs are retained for a minimum of 12 months. Consent records for cookie choices are retained for up to 3 years to evidence consent, and store only a hashed IP address and a truncated browser identifier — never your raw IP.

6. Data Sharing

We do not sell your data. We share data only in these circumstances:

  • Third-party platforms: When you instruct us to publish content or connect an account, we transmit the necessary data (caption, media, tokens) to the target platform API. Those platforms act as independent controllers under their own policies.
  • Subprocessors: We use a small set of vetted subprocessors to run the Service — including Hetzner Cloud (EU hosting), Cloudflare (CDN and media storage), Resend (email), Sentry (error monitoring), Google (the Gemini AI features and, on the marketing site only, consent-based analytics), and Infisical (secrets). Each processes data only as needed to deliver its function under a data processing agreement. The current list, with locations and safeguards, is at publano.com/subprocessors.
  • Business transfers: If we are involved in a merger, acquisition, or sale of assets, data may be transferred as part of that transaction, subject to this policy.
  • Legal requirements: We may disclose data if required by law, court order, or governmental authority.

7. Data Security

We apply industry-standard security controls including:

  • AES-256-GCM encryption for all stored OAuth tokens
  • TLS encryption for all data in transit
  • Role-based access control with tenant isolation
  • SSH access restricted by IP allowlist and public-key authentication only
  • Administrative interfaces protected by Cloudflare Zero Trust Access
  • Audit logging of all privileged actions

No method of transmission or storage is 100% secure. In the event of a data breach that affects your rights or freedoms, we will notify affected users and relevant authorities as required by applicable law.

8. Cookies and Local Storage

The signed-in application uses only strictly necessary and functional cookies and browser storage — for example a secure, HttpOnly session cookie to keep you signed in, your language preference, and your appearance settings.

On our public marketing website only, and only if you consent through the cookie banner, we use Google Analytics to understand aggregate usage. These analytics are loaded through Google Consent Mode, which defaults to denied until you accept, and are never loaded inside the application. We do not use advertising cookies and we do not sell data collected through cookies.

A full list of every cookie and storage key, by category, is in our Cookie Policy.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Request that we restrict processing of your data.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Data Deletion Requests

You can delete your account from your account settings or by contacting us at [email protected]. When you do, we anonymise your personal data — your name, email, password, and two-factor credentials are removed and all your sessions are revoked. A minimal, non-identifying record may be retained where necessary for audit integrity or legal obligations. Where you are the sole owner of a workspace that still contains client work, that workspace is preserved so that shared content and published history are not destroyed; contact us if you also want the workspace removed.

If you connected Publano via Facebook or Instagram and revoke access, Meta sends us a signed data deletion request. If you revoke access from TikTok, TikTok notifies us likewise. In each case we disconnect the connection and erase the stored access tokens. Our callback endpoints are:

https://app.publano.com/api/privacy/data-deletion
https://app.publano.com/api/privacy/tiktok-deauthorize

For a Meta-initiated request we provide a confirmation code you can use to verify completion. We complete verified deletion requests within 30 days.

11. International Data Transfers

Koya Labsis based in Sweden and operates within the European Union. Your data is hosted on servers located in the EU (Hetzner Cloud, Germany). Some subprocessors are based in the United States (such as Cloudflare, Resend, Sentry, and Google). Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework, together with any supplementary measures required under GDPR Chapter V. Details are in our subprocessor list.

12. Children's Privacy

The Service is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions, requests, or complaints, contact us at:

Koya Labs

Stockholm, Sweden

Privacy contact: Alexander Amsenius

[email protected]

Registered company details: publano.com/company

You also have the right to lodge a complaint with your local data protection authority. In Sweden this is the Swedish Authority for Privacy Protection (IMY).

© 2026 Koya Labs. All rights reserved.Back to Publano