Legal
Privacy Policy
Last updated 1 July 2026
PostLake is a product of CrumbleLake ("CrumbleLake", "we", "us", "our"), based in the United Kingdom. This policy explains what personal data we collect when you use PostLake, why we use it, who we share it with, and the rights you have under the UK GDPR and the Data Protection Act 2018.
1. Who we are
PostLake is a unified social media API operated by CrumbleLake. For the personal data described in this policy, CrumbleLake is the data controller. You can reach us about anything in this policy at crumblelake@gmail.com.
When you connect your own social accounts and publish content through PostLake, we act as a data processor on your behalf for that content — you decide what is posted and where. A Data Processing Agreement (DPA) is available on request.
2. What we collect
Information you give us
- Account details — your email address, and (optionally) your name. If you sign up with a password we store it only as a salted hash, never in plain text. If you sign in with GitHub or Google we store your provider ID and email.
- Connected social accounts — when you link a network (e.g. X, LinkedIn, Instagram), we store the access tokens needed to act on your behalf. These are encrypted at rest and used only to perform the actions you request.
- Content — the posts, captions, media, and schedules you create to publish to your networks.
- Support & correspondence — anything you send us by email.
Information we collect automatically
- Technical & usage data — IP address, request logs, timestamps, and basic device/browser information, used to run and secure the service.
- Cookies — a strictly-necessary session cookie and a functional theme-preference cookie. See our Cookie Policy. We do not use advertising or third-party tracking cookies.
Billing data
Payments are handled by our payment providers (RevenueCat and Stripe). We receive confirmation of your plan, credits, and invoices — we never see or store your full card number.
3. How & why we use it, and our lawful bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Create and run your account; publish, schedule, and report on the content you ask us to | Performance of a contract with you |
| Take payment and manage credits, plans, and invoices | Performance of a contract |
| Secure the service, prevent abuse, debug, and keep audit logs | Legitimate interests (running a safe, reliable service) |
| Send essential service emails (verification, password reset, billing, renewal reminders) | Performance of a contract / legitimate interests |
| Keep financial records | Legal obligation (UK tax/accounting law) |
| Any optional marketing (only if we ever add it) | Your consent, which you can withdraw at any time |
We do not sell your personal data, and we do not use your content to train AI models.
4. Who we share it with
We share data only with the service providers ("sub-processors") that help us run PostLake, and with the social networks you choose to connect. Each is bound to protect your data and use it only on our instructions. The current list — including what each does and where it is located — is on our Sub-processors page.
We may also disclose data if required by law, or to protect our rights, our users, or the security of the service.
5. International transfers
Some of our sub-processors are based outside the UK (for example in the United States). Where personal data is transferred outside the UK, we rely on appropriate safeguards — such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision — so your data receives an equivalent level of protection.
6. How long we keep it
| Data | Retention |
|---|---|
| Account & profile | While your account is open, then deleted within 30 days of closure (unless we must keep it longer by law) |
| Connected-account tokens | Until you disconnect the account or close your account |
| Content (posts, media, schedules) | While your account is open, or until you delete it |
| Billing & invoice records | Up to 7 years, to meet UK tax and accounting obligations |
| Security & audit logs | Typically up to 12 months |
7. How we protect it
- All traffic is encrypted in transit (TLS/HTTPS).
- Connected-account tokens and other secrets are encrypted at rest (AES-GCM).
- Passwords are stored only as salted hashes; API and session tokens are stored hashed.
- Access to production systems is limited and audit-logged.
No system is perfectly secure, but we take reasonable technical and organisational measures appropriate to the risk.
8. Your rights
Under UK data protection law you have the right to:
- Access the personal data we hold about you;
- Rectify data that is inaccurate or incomplete;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Portability — receive your data in a portable format;
- Withdraw consent at any time, where we rely on it.
To exercise any of these, email crumblelake@gmail.com. We will respond within one month. You can also disconnect accounts and delete content yourself from your dashboard, or request full deletion via our data deletion page.
If you are unhappy with how we handle your data, you have the right to complain to the UK's supervisory authority, the Information Commissioner's Office (ICO) — though we'd appreciate the chance to put things right first.
9. Cookies
We use only a strictly-necessary session cookie and a functional theme-preference cookie — no advertising or cross-site tracking. Full details are in our Cookie Policy.
10. Children
PostLake is a business tool and is not directed at children. You must be at least 18 to use it. We do not knowingly collect data from anyone under 18.
11. Changes to this policy
We may update this policy from time to time. If we make material changes we'll update the date above and, where appropriate, notify you by email. Continued use of PostLake after a change means you accept the updated policy.
12. Contact
Questions, requests, or complaints about privacy? Email crumblelake@gmail.com. PostLake is a CrumbleLake product, United Kingdom.