Publano

Privacy Policy

Last updated: April 4, 2026

1. Introduction

Publano is a social media management platform operated by Zero Folks AB, Stockholm, Sweden ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use the Publano platform at https://app.publano.com and any related services (collectively, the "Service").

By using the Service you agree to the practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account information

When you create an account we collect your email address. We use a passwordless magic-link flow — we do not store passwords.

2.2 Workspace and client data

We store the content you create inside Publano: workspace names, client profiles, post captions, media files, calendar plans, campaign configurations, comments, tasks, approval records, and audit logs.

2.3 Connected platform account data

When you connect a third-party platform (such as Instagram, Facebook, LinkedIn, TikTok, YouTube, or Google services) via OAuth, we receive and store:

  • OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM)
  • Platform account identifiers and account names
  • Profile picture URLs
  • Page, channel, or location identifiers required for publishing
  • Token expiry timestamps and permission scopes granted

Tokens are never returned to the browser, never logged in plaintext, and never shared with third parties outside of the platform they were issued by.

2.4 Usage and technical data

We collect standard server logs including IP addresses, browser user agents, request paths, and timestamps for security, debugging, and operational purposes. We also store audit logs of significant actions taken inside the Service (platform connections, post state changes, member role changes, and similar events).

2.5 Media files

Images and videos you upload for social media posts are stored in Cloudflare R2 object storage. Files are retained through the publish lifecycle and subject to our storage lifecycle policy described in Section 5.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your session
  • Schedule and publish content to connected social media platforms on your behalf
  • Refresh OAuth tokens and maintain platform connections
  • Send transactional emails (sign-in links, approval notifications, publish confirmations)
  • Display reporting and analytics data from connected platforms
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your content or connected platform data for advertising, profiling, or any purpose beyond operating the Service as described.

4. Third-Party Platform Integrations

Publano integrates with the following third-party platforms. When you connect these platforms, their respective privacy policies also apply to the data they provide to us.

Meta (Instagram and Facebook)

We request access to publish content to Instagram Business accounts and Facebook Pages you manage. We access page tokens, page identifiers, and Instagram business account identifiers. We do not access personal profile data beyond what is required to identify the page. Meta's privacy policy: facebook.com/policy.php

LinkedIn

We request access to publish posts on behalf of LinkedIn member profiles and organization pages you manage. LinkedIn's privacy policy: linkedin.com/legal/privacy-policy

TikTok

We request access to upload and publish videos to TikTok accounts you connect. TikTok's privacy policy: tiktok.com/legal/privacy-policy

Google (YouTube, Google Business Profile, Google Analytics, Google Search Console)

We request access to publish videos to YouTube channels, post updates to Google Business Profile locations, and read analytics data from Google Analytics 4 and Google Search Console. Google's privacy policy: policies.google.com/privacy

You can disconnect any platform integration at any time from within the Service. Upon disconnection, we revoke the stored tokens and remove the connection record. This does not delete content already published to those platforms — such content is managed directly through the respective platform.

5. Data Retention

We retain your account data for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or regulatory obligations.

Media files uploaded for published posts are subject to a storage lifecycle policy: files are kept through the publish and reconciliation lifecycle, after which non-essential derivatives are pruned and originals may be moved to cold storage. Immutable publish receipts and metadata are retained for audit and reporting purposes.

Audit logs are retained for a minimum of 12 months for security and compliance purposes.

6. Data Sharing

We do not sell your data. We share data only in these circumstances:

  • Third-party platforms: When you instruct us to publish content, we transmit the necessary data (caption, media, tokens) to the target platform API.
  • Infrastructure providers: We use Cloudflare (CDN and object storage), Hetzner Cloud (server infrastructure), and Resend (transactional email) as sub-processors. These providers process data only as necessary to deliver the Service.
  • Legal requirements: We may disclose data if required by law, court order, or governmental authority.

7. Data Security

We apply industry-standard security controls including:

  • AES-256-GCM encryption for all stored OAuth tokens
  • TLS encryption for all data in transit
  • Role-based access control with tenant isolation
  • SSH access restricted by IP allowlist and public-key authentication only
  • Administrative interfaces protected by Cloudflare Zero Trust Access
  • Audit logging of all privileged actions

No method of transmission or storage is 100% secure. In the event of a data breach that affects your rights or freedoms, we will notify affected users and relevant authorities as required by applicable law.

8. Cookies and Local Storage

We use a small number of cookies and browser storage mechanisms strictly necessary to operate the Service:

  • Session cookie: A secure, HttpOnly session cookie issued by our authentication system to keep you signed in.
  • Locale cookie: A cookie storing your preferred display language.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Request that we restrict processing of your data.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Data Deletion Requests

You can delete your account and all associated data by contacting us at [email protected]. We will process the request within 30 days.

If you connected Publano via Facebook or Instagram and wish to revoke access and request deletion of your data, you can use the Facebook data deletion request mechanism. Our data deletion callback endpoint is:

https://app.publano.com/api/privacy/data-deletion

Upon receiving a verified deletion request, we will delete all data associated with your Facebook or Instagram connection within 30 days and provide a confirmation code you can use to verify completion.

11. International Data Transfers

Zero Folks AB is based in Sweden and operates within the European Union. Your data is processed on servers located in the EU (Hetzner Cloud, Germany). Where data is transferred to infrastructure providers outside the EU (such as Cloudflare, which operates globally), such transfers are subject to standard contractual clauses or equivalent safeguards in accordance with GDPR Chapter V.

12. Children's Privacy

The Service is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions, requests, or complaints, contact us at:

Zero Folks AB

Stockholm, Sweden

[email protected]

© 2026 Zero Folks AB. All rights reserved.