1. Who we are
Feedrevo is operated by Feedrevo (“Feedrevo”, “we”, “us”, “our”). For any privacy, data protection, or data subject rights matter, contact:
- Privacy / DPO contact: admin@feedrevo.com
- Security disclosures: dev@feedrevo.com
- General support: support@feedrevo.com
Until a Data Protection Officer is formally appointed, admin@feedrevo.com is the single inbox for all data-subject requests and supervisory authority correspondence under the GDPR, UK GDPR, LGPD, PIPEDA, and CCPA/CPRA.
2. The data we collect
2.1 Account data (we are Controller)
When you sign up, the Service collects:
- Identifiers: name, email address, password hash (via Clerk), profile photo if you supply one.
- Workspace metadata: organisation name, team member roles, billing address, tax identifier.
- Payment data: processed by our payment provider; we receive truncated card details, last-four digits, and billing reference IDs. We do not store full payment card numbers.
- Communications: messages you send to support@feedrevo.com, ticket history, demo or sales call notes.
- Device and connection metadata: IP address, user-agent string, timezone, locale, request timestamps. Used for security, abuse detection, and to render the correct language and date format.
2.2 Platform Data from Meta (we are Processor)
When you authorise a Facebook or Instagram Page, the Service requests Graph API permissions necessary for the features you use. Each permission is requested only with your active consent, is scoped to the Pages you select, and may be revoked at any time from Meta’s Business Integrations dashboard. Permissions Feedrevo requests:
| Meta permission | What we read or write | Feature it powers |
|---|---|---|
| pages_show_list | List of Pages you administer | Page picker during onboarding |
| pages_read_engagement | Page-level insights, post-level reach, impressions, reactions | Reporting and performance analytics |
| pages_manage_posts | Create, edit, schedule, and delete posts on your behalf | Bulk scheduling, queue, retry on failure |
| pages_manage_metadata | Read and update Page metadata such as category and contact info | Page settings sync |
| pages_messaging | Send and receive Page messages | Unified inbox (when enabled) |
| instagram_basic | Connected Instagram Business Account profile and media | Cross-posting and IG reporting |
| instagram_content_publish | Publish photo, video, Reels, and carousel content | Bulk scheduling for Instagram |
| instagram_manage_comments | Read, hide, and reply to comments on your IG posts | Comment moderation |
| business_management | Read Business Manager assets and Page roles | Multi-Page portfolio management |
Through the permissions above the Service handles the following categories of Platform Data: Page identifiers and metadata, scheduled and published post content (text, images, video, hashtags, link previews), comment and reply text, follower-aggregate counts, engagement metrics (impressions, reach, reactions, saves, shares), and audience demographics in aggregated form. We also store the OAuth tokens issued by Meta and refresh them as required.
2.3 Usage and analytics data
We collect product analytics (page views, click events, feature usage) using Plausible Analytics, which is cookieless. When PostHog is enabled for product experimentation, it is operated in cookieless mode for unauthenticated visitors. Aggregated, non-identifying telemetry helps us improve the Service. See our Cookie Policy for the full inventory.
3. How we use the data
We use Personal Data for the following purposes:
- Service delivery. Authenticate you; render the dashboard; schedule, publish, retry, and report on posts; surface analytics; route comment replies; provide audit trails.
- Account administration. Send service notifications, security alerts, billing receipts, password resets, and Page connection status updates.
- Support. Diagnose issues you report, reproduce bugs, and respond to your enquiries.
- Security and integrity. Detect abuse, prevent unauthorised access, comply with Meta’s rate limits, and investigate incidents.
- Product improvement. Aggregated, de-identified metrics on feature adoption and performance regressions.
- Legal compliance. Tax records, fraud prevention, dispute resolution, response to lawful requests.
3.1 Limited use of Platform Data
Platform Data obtained from Meta is used solely to operate the Service for the authenticated user and the Pages they administer. We do not sell, license, or transfer Platform Data to third parties, use it for advertising, use it to train artificial-intelligence models, or repurpose it for anything unrelated to the user-requested feature. This restriction applies even to anonymised or aggregated forms of Platform Data unless Meta has expressly authorised the use.
4. Legal bases (EU / UK / Brazil)
For visitors covered by the GDPR, UK GDPR, or LGPD, we rely on the following legal bases:
| Purpose | Legal basis | Reference |
|---|---|---|
| Provide the Service to a paying account | Performance of a contract | GDPR Art 6(1)(b); LGPD Art 7(V) |
| Send security and service notifications | Legitimate interest in maintaining a secure Service | GDPR Art 6(1)(f); LGPD Art 7(IX) |
| Process Platform Data on your behalf | Performance of a contract with you, on your instructions | GDPR Art 6(1)(b) + Art 28 |
| Marketing email to existing customers | Legitimate interest with opt-out in every message | GDPR Art 6(1)(f); LGPD Art 7(IX) |
| Marketing email to non-customers | Consent | GDPR Art 6(1)(a); LGPD Art 7(I) |
| Cookies that are not strictly necessary | Consent | ePrivacy Art 5(3); LGPD Art 7(I) |
| Compliance with law | Legal obligation | GDPR Art 6(1)(c); LGPD Art 7(II) |
| Defence of legal claims | Legitimate interest | GDPR Art 6(1)(f); LGPD Art 7(IX) |
5. Who we share data with
We do not sell Personal Data. We share Personal Data only with sub-processors strictly necessary to deliver the Service, with your authorised users (e.g., team members in your workspace), with Meta when required to fulfil your instruction, with your Page audiences when you publish content, and with public authorities when legally required.
Our current sub-processors are listed on our Sub-processors page. Each is contractually bound to equivalent confidentiality, use-limitation, and deletion obligations.
6. How long we keep data
| Data category | Retention | Trigger to delete |
|---|---|---|
| Account record and workspace metadata | Lifetime of the account + 30 days | Account deletion (manual or inactivity) |
| OAuth tokens for Meta Pages | While the Page is connected | Disconnect, account closure, or Meta revocation |
| Scheduled post payloads (pre-publish) | Until published, cancelled, or 30 days post-failure | Publish, cancel, or expiry |
| Published post records (text + media URL) | Up to 90 days post-publish for retry / dispute, then deleted from active systems | 90-day timer |
| Engagement aggregates (impressions, reach) | Up to 24 months | Rolling window |
| Comment text accessed via instagram_manage_comments | Cached for the active session; not persisted after sign-out | Session end |
| Audit logs | 12 months | Rolling window |
| Support correspondence | 36 months from last reply | Rolling window |
| Billing records (invoices, tax) | As required by applicable tax law (typically 7-10 years) | Statutory minimum |
Backups are encrypted and purged within 90 days of the corresponding primary-system deletion. If Meta terminates Feedrevo’s Platform access, or if a Page’s authorisation is revoked, the related Platform Data is deleted from active systems within 30 days and from backups within 90 days.
7. Your rights
Subject to applicable law, you have the right to:
- Access the Personal Data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”).
- Restrict processing while a dispute is resolved.
- Object to processing based on legitimate interest, including direct marketing.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time, without retroactive effect.
- Lodge a complaint with your supervisory authority. EU residents may complain to their national DPA; UK residents to the ICO; Brazilian residents to the ANPD; Canadians to the OPC; Californians to the CPPA or the California Attorney General.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Feedrevo does not currently use such processing.
To exercise any of these rights, email admin@feedrevo.com. We will respond within 30 days (45 days if the request is complex, with notice of the extension). We may need to verify your identity before acting on a request.
7.1 Additional California rights
California residents have the right to know what categories of Personal Information we have collected in the prior 12 months, the categories of sources, the business purpose, and the categories of recipients. You also have the right to delete, the right to correct, the right to limit use of sensitive Personal Information, the right to opt out of sale or sharing, and the right not to be discriminated against for exercising these rights. We do not sell Personal Information and we do not share Personal Information for cross-context behavioural advertising. We honour Global Privacy Control signals; when we receive one, we display a confirmation in the Service.
To make a CCPA / CPRA request, email admin@feedrevo.com with the subject line “California Privacy Request”. You may also designate an authorised agent to make a request on your behalf, subject to verification.
7.2 Brazilian residents (LGPD)
Brazilian residents may exercise all rights under Article 18 of the LGPD, including confirmation of processing, access, correction, anonymisation, blocking or deletion of unnecessary or excessive data, portability, information about sharing, the option to refuse consent, and revocation of consent. Until a Brazilian DPO (Encarregado) is formally appointed, requests should be sent to admin@feedrevo.com.
8. Data deletion
Meta requires every Graph API app to give users a clearly marked way to ask for their Platform Data to be deleted. Feedrevo’s deletion flow is documented at feedrevo.com/data-deletion. In summary, you may:
- Disconnect a Page from the Pages settings inside the Service. The OAuth token is revoked immediately; Platform Data tied to that Page is purged from active systems within 30 days and from backups within 90 days.
- Delete your account from Account Settings. All Customer Data is queued for deletion within 30 days.
- Email admin@feedrevo.com with the subject “Data Deletion Request”. We will acknowledge within 7 days and complete deletion within 30 days, then confirm.
9. International data transfers
Feedrevo’s primary infrastructure is hosted in the United States (Railway). When we transfer Personal Data of EU, UK, or Swiss residents outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor or Module Three: Processor-to-Processor as applicable), supplemented by the UK Information Commissioner’s International Data Transfer Addendum and, for Switzerland, the FADP addendum. Where the recipient is in an adequacy-decision country, we rely on that decision.
For Brazilian residents, transfers outside Brazil rely on the LGPD’s adequacy or specific-clause mechanisms. Copies of the relevant clauses are available on request to admin@feedrevo.com.
10. Security
We implement the following technical and organisational measures, consistent with Article 32 GDPR:
- TLS 1.2+ for all data in transit; encrypted storage for data at rest (AES-256 or equivalent).
- Authentication via Clerk; mandatory multi-factor authentication available; SSO supported on Business plans.
- Role-based access control with least-privilege defaults for both customer users and Feedrevo personnel.
- Production credentials managed in encrypted secret stores with rotation policies.
- Continuous logging and monitoring; suspicious-activity alerting; defined incident response runbook.
- Business continuity and backup procedures with point-in-time recovery.
- Employee security training; background checks; access revoked on role change or departure.
- Sub-processor due diligence including review of certifications (SOC 2 or ISO 27001 where available).
If you believe you have discovered a security vulnerability, please report it to dev@feedrevo.com. We will acknowledge within 72 hours and follow our published responsible-disclosure process.
11. Breach notification
In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of becoming aware, and affected individuals without undue delay where the breach is high risk. As a Processor, we will notify Customer Controllers without undue delay so they may meet their own notification obligations.
12. Children
The Service is not directed to children under 13, and we do not knowingly collect Personal Data from children under 13. If you believe a child under 13 has provided Personal Data to us, contact admin@feedrevo.com and we will delete it. The Service is intended for use by adults acting in a business or commercial capacity.
13. Automated decision-making
Feedrevo does not make decisions that produce legal or similarly significant effects about you using solely automated processing. Where the Service surfaces suggestions (for example, recommended posting times based on past engagement), they are advisory only and you remain in control of the publishing decision.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email to active account holders at least 30 days before they take effect, and the “Last updated” date above will reflect the latest revision. Continued use of the Service after a change becomes effective is acceptance of the updated Policy.
15. How to reach us
For privacy questions, data subject rights requests, or to designate an authorised agent under the CCPA:
- Email: admin@feedrevo.com
- Security: dev@feedrevo.com
- Support: support@feedrevo.com
- General: contact@feedrevo.com