Last updated: July 8, 2026
Publano is a social media management platform operated by Koya Labs, Stockholm, Sweden ("we", "us", "our"). Koya Labs is a registered business name of our company; our full registered entity, company number, and address are set out on our Company Details page. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use the Publano platform at https://app.publano.comand any related services (collectively, the "Service").
Controller and processor roles. We are the data controller for information we determine the purposes of — for example your account and authentication data, billing data, and security logs. For the content and data you and your team put into the Service on behalf of your clients — workspace and client records, post content and media, connected-account data, and audience interactions — you (or your client) are the controller and we act as your processor. That processing is governed by our Data Processing Agreement.
By using the Service you agree to the practices described in this policy. If you do not agree, please do not use the Service.
When you create an account we collect your email address and optional display name and profile picture. You can sign in with a passwordless magic link or by setting a password. If you set a password it is stored only as a salted bcrypt hash — never in plaintext. If you enable two-factor authentication, your authenticator secret is encrypted at rest (AES-256-GCM) and your backup codes are stored only as hashes.
We store the content you create inside Publano: workspace names, client profiles, post captions, media files, calendar plans, campaign configurations, comments, tasks, approval records, and audit logs.
When you connect a third-party platform (such as Instagram, Facebook, LinkedIn, TikTok, YouTube, or Google services) via OAuth, we receive and store:
Tokens are never returned to the browser, never logged in plaintext, and never shared with third parties outside of the platform they were issued by.
We collect standard server logs including IP addresses, browser user agents, request paths, and timestamps for security, debugging, and operational purposes. We also store audit logs of significant actions taken inside the Service (platform connections, post state changes, member role changes, and similar events).
Images and videos you upload for social media posts are stored in Cloudflare R2 object storage. Files are retained through the publish lifecycle and subject to our storage lifecycle policy described in Section 5.
When you connect analytics or social platforms, we store aggregated daily metrics (such as impressions, reach, clicks, and engagement) to power reporting. We do not build profiles of your audience. Social comments and reviews (for example Instagram or Facebook comments and Google Business Profile reviews) are fetched from the platform and shown to you on demand; we do not store them in our database. To help match your brand voice, we may store a small sample of your own most recent published captions per connected account.
Publano offers optional AI features that draft captions, calendar plans, and campaign briefs. When you use these, the relevant inputs — such as your draft caption, selected media frames, client name, and tone samples — are sent to Google's Gemini API to generate a suggestion. This data is processed under Google API terms that do not permit using it to train Google's models. AI output is a draft for your review; you decide whether to edit, use, or discard it before anything is published.
We use the information we collect to:
We do not use your content or connected platform data for advertising, profiling, or any purpose beyond operating the Service as described.
Where the GDPR applies, we rely on the following legal bases: performance of a contract (to provide the Service you sign up for); legitimate interests(to secure, maintain, and improve the Service, prevent abuse, and communicate about it), balanced against your rights; consent (for optional marketing-site analytics cookies, which you can withdraw at any time); and compliance with legal obligations.
Publano integrates with the following third-party platforms. When you connect these platforms, their respective privacy policies also apply to the data they provide to us.
We request access to publish content to Instagram Business accounts and Facebook Pages you manage. We access page tokens, page identifiers, and Instagram business account identifiers. We do not access personal profile data beyond what is required to identify the page. Meta's privacy policy: facebook.com/policy.php
We request access to publish posts on behalf of LinkedIn member profiles and organization pages you manage. LinkedIn's privacy policy: linkedin.com/legal/privacy-policy
We request access to upload and publish videos to TikTok accounts you connect. TikTok's privacy policy: tiktok.com/legal/privacy-policy
We request access to publish videos to YouTube channels, post updates to Google Business Profile locations, and read analytics data from Google Analytics 4 and Google Search Console. Google's privacy policy: policies.google.com/privacy
You can disconnect any platform integration at any time from within the Service. Upon disconnection, we revoke the stored tokens and remove the connection record. This does not delete content already published to those platforms — such content is managed directly through the respective platform.
We retain your account data for as long as your account is active or as needed to provide the Service. When you delete your account (see Section 10), we anonymise your personal data — your name, email, and credentials are removed — while retaining a minimal, non-identifying record where required for audit integrity and legal obligations.
Media files uploaded for posts are subject to a storage lifecycle policy: files for deleted posts are removed after a short grace period, and media for published posts on platforms that support embeds is pruned from our storage after a retention window while the live post remains on the platform. Immutable publish receipts and metadata are retained for audit and reporting purposes.
Audit logs are retained for a minimum of 12 months. Consent records for cookie choices are retained for up to 3 years to evidence consent, and store only a hashed IP address and a truncated browser identifier — never your raw IP.
We do not sell your data. We share data only in these circumstances:
We apply industry-standard security controls including:
No method of transmission or storage is 100% secure. In the event of a data breach that affects your rights or freedoms, we will notify affected users and relevant authorities as required by applicable law.
The signed-in application uses only strictly necessary and functional cookies and browser storage — for example a secure, HttpOnly session cookie to keep you signed in, your language preference, and your appearance settings.
On our public marketing website only, and only if you consent through the cookie banner, we use Google Analytics to understand aggregate usage. These analytics are loaded through Google Consent Mode, which defaults to denied until you accept, and are never loaded inside the application. We do not use advertising cookies and we do not sell data collected through cookies.
A full list of every cookie and storage key, by category, is in our Cookie Policy.
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
You can delete your account from your account settings or by contacting us at [email protected]. When you do, we anonymise your personal data — your name, email, password, and two-factor credentials are removed and all your sessions are revoked. A minimal, non-identifying record may be retained where necessary for audit integrity or legal obligations. Where you are the sole owner of a workspace that still contains client work, that workspace is preserved so that shared content and published history are not destroyed; contact us if you also want the workspace removed.
If you connected Publano via Facebook or Instagram and revoke access, Meta sends us a signed data deletion request. If you revoke access from TikTok, TikTok notifies us likewise. In each case we disconnect the connection and erase the stored access tokens. Our callback endpoints are:
For a Meta-initiated request we provide a confirmation code you can use to verify completion. We complete verified deletion requests within 30 days.
Koya Labsis based in Sweden and operates within the European Union. Your data is hosted on servers located in the EU (Hetzner Cloud, Germany). Some subprocessors are based in the United States (such as Cloudflare, Resend, Sentry, and Google). Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework, together with any supplementary measures required under GDPR Chapter V. Details are in our subprocessor list.
The Service is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
For privacy-related questions, requests, or complaints, contact us at:
Koya Labs
Stockholm, Sweden
Privacy contact: Alexander Amsenius
Registered company details: publano.com/company
You also have the right to lodge a complaint with your local data protection authority. In Sweden this is the Swedish Authority for Privacy Protection (IMY).