Privacy Policy
Last updated: May 13, 2026
1. Introduction
FuturePost is a product of Allo GmbH ("we", "us", "our"), the data controller responsible for processing your personal data in connection with the FuturePost web application, API, and browser extension (collectively, the "Service").
This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have about your data. By using FuturePost, you consent to the practices described here.
Controller details (Art. 4(7) GDPR):
Allo GmbH
represented by Alexander Hillebrecht
An den Grachten 8
30926 Seelze
Germany
E-Mail: info@allo.dev
2. Information We Collect
2.1 Information from 𝕏 (Twitter) OAuth
When you sign in with your 𝕏 account, we receive and store the following through 𝕏's OAuth 2.0 with PKCE flow:
- 𝕏 User ID and username
- Display name and profile image URL
- Confirmed email address (if available from 𝕏)
- Account metrics: follower count, following count, tweet count
- Verification status (Blue Verified or legacy verified)
- Bio / profile description
We also store the OAuth access token and refresh token issued by 𝕏 so we can perform actions you authorize (posting tweets, reading analytics, managing follows). These tokens are encrypted at rest using AES-256-GCM with a key managed in our infrastructure, and are decrypted only in memory at the moment they are sent to 𝕏.
2.2 Content You Create
- Tweet content: text, media references, polls, thread structure, reply settings, quote-tweet URLs
- Scheduled publish times, time zone, and other posting preferences
- Draft tweets, tags, categories, and pinned-draft state
- Media files uploaded to your gallery (stored on AWS S3)
- Image-editor states and edited variants of uploaded media
- Automation rules (auto-retweet, auto-plug, scheduled rotations)
- Disclosure flags (paid partnership, made with AI)
2.3 Analytics & Engagement Data
- Synced tweet engagement metrics (likes, retweets, replies, views) for tweets on your connected accounts
- Point-in-time snapshots of your follower / following / tweet counts (for the growth chart)
- Point-in-time snapshots of individual tweet engagement (for performance over time)
- Cached following-list data used by the browser extension (usernames, follower counts, last-tweet date, verified status, bio, avatar)
2.4 Team & Collaboration Data
- Team names, ownership, and member lists
- Role assignments (Owner, Admin, Editor, Viewer)
- Connections between teams and 𝕏 accounts
- Team-level settings (default time zone, automation defaults)
2.5 Billing & Credit Usage
Payment processing is handled entirely by Stripe. We store:
- Stripe Customer ID and Subscription ID
- Subscription status, current price ID, and billing period dates
- Current plan tier (Free, Starter, Pro, Team)
- Credit-usage counters for the current billing cycle, the cycle reset timestamp, and your hard-cap preference
- Stripe meter events for any post-quota overage
We do not store credit-card numbers, bank account details, or other sensitive payment information. That data is held exclusively by Stripe under their Privacy Policy.
2.6 AlloPass NFT Integration
If you hold an AlloPass NFT, we automatically grant your account the Pro plan. To check NFT ownership, we periodically call api.allo.dev/public-profile with your 𝕏 username and read the user_badges field of the response. We store a boolean (allopassHolder) and the timestamp of the last check.
2.7 Referral & Affiliate Data
- Your unique referral code
- Referral relationships (which user referred which user)
- Commission records (amounts, status, payment dates)
- Endorsely affiliate tracking identifiers received via the endorsely_referral cookie
2.8 Browser Extension Data
The FuturePost browser extension accesses:
- Your x.com session cookies (to authenticate the unfollow requests)
- Your following list on 𝕏 (usernames, follower counts, last-tweet date, verified flag, bio, avatar)
- Unfollow action logs, persisted to your FuturePost account as an audit trail
- Per-day unfollow counters stored locally in browser storage (for the 400/day safety cap)
The extension activates only on x.com and does not collect browsing data from other websites.
2.9 Notification & Account Preferences
- Time zone
- Notification toggles for: post published, post failed, 𝕏 connection expired, credit usage alerts, team invites, weekly recap, inactivity nudge, auto-retweet executed, auto-plug posted
- Appearance settings (theme, reading direction, time format)
- Internal stamps such as the last cycle the "credits blocked" email was sent and the last date an inactivity nudge was sent (so we don't email you more than necessary)
2.10 Authentication & Logs
- JWT token version (incremented on logout-all and account deletion to invalidate old sessions)
- Standard server access logs (IP, user agent, request path, response status, latency). Used for security, abuse prevention, and debugging. Retained for 30 days.
2.11 Cookies
We use only essential cookies (no analytics or advertising cookies):
- access_token: authentication JWT, httpOnly, secure in production, scoped to the parent domain so api.* and the bare frontend can both read it.
- x_verifier and x_state: temporary OAuth flow tokens used to protect against CSRF.
- connect_user_id and connect_team_id: temporary cookies for the "connect another 𝕏 account" flow.
- pending_checkout: short-lived cookie that carries a Stripe price ID through the sign-up flow when a visitor clicks a pricing CTA.
- referral_code: 30-day cookie that tracks which user referred you.
- endorsely_referral: 30-day cookie used by our affiliate-tracking partner.
- futurepost_team_id: remembers which team you last switched to.
3. How We Use Your Information
We use your information to:
- Authenticate you and maintain your session.
- Schedule, publish, and manage tweets and threads on your behalf.
- Display analytics and post-performance metrics.
- Execute auto-retweets, auto-plugs, and scheduled draft-rotation automations.
- Store and serve media you upload to the gallery.
- Enable team collaboration and shared 𝕏 account access.
- Process subscription payments, prorate plan switches, and bill metered overages through Stripe.
- Compute and pay affiliate commissions.
- Sync and display your 𝕏 following list for the browser extension.
- Send transactional and engagement emails (see Section 4 for the full list).
- Detect abuse, debug failures, and improve the Service.
4. Emails We Send
We send the following emails:
4.1 Transactional (always sent)
- Welcome message on first sign-up
- Subscription receipts (trial start, paid invoice, plan switched, canceled)
- Payment failed alerts
- Trial-ending reminder, 3 days before
These are required for billing records and operating your account. You cannot opt out without deleting your account.
4.2 Optional (default on, opt out anytime)
- Post published
- Post failed (with reason and reschedule link)
- 𝕏 connection expired (with reconnect link)
- Credit usage alerts at 80% and 100% of monthly quota
- Team invite received
- Weekly recap (top 3 posts + follower delta), sent Mondays
- Inactivity nudge, sent at most once every 14 days after 7+ days without posting
- Auto-retweet / auto-plug executed (Pro+)
You can toggle any optional category under Settings → Notifications.
5. Data Sharing & Third Parties
We share your data with the following service providers strictly as necessary to operate the Service. None of them are advertisers, and we never sell your personal information.
- 𝕏 (Twitter): OAuth tokens and content for posting, reading analytics, and managing follows.
- Stripe: Billing, subscription management, Stripe Tax (if applicable), and Stripe Connect for affiliate payouts.
- AWS: PostgreSQL database hosting, S3 for media files, CloudFront for delivery, ElastiCache for Redis-backed job queues.
- useSend: Transactional and engagement email delivery.
- Allo.dev: Public profile lookup to verify AlloPass NFT ownership.
- Endorsely: Affiliate / referral tracking.
We may also disclose information when required by law, to comply with a valid legal request, or to protect our rights, property, or safety (or that of our users or the public).
6. Data Storage & Security
Your data is stored in:
- PostgreSQL database: account data, tweets, analytics snapshots, settings, billing metadata.
- Redis: temporary job queue payloads and caches. Job data is removed on completion.
- AWS S3: uploaded media files. Object keys are non-guessable and access is gated through signed URLs.
We protect your data through:
- AES-256-GCM encryption at rest for 𝕏 OAuth access and refresh tokens.
- TLS 1.2+ for all data in transit.
- PKCE (Proof Key for Code Exchange) for secure OAuth flows.
- CSRF state tokens on every OAuth round-trip.
- httpOnly, secure, sameSite cookies for the auth session.
- JWT-based authentication with versioned invalidation: logging out everywhere increments a token version that immediately invalidates any copy of the token elsewhere.
- Role-based access control on every team-scoped endpoint.
- Webhook signature verification on every Stripe event we accept.
- Constant-time comparisons for admin keys.
We do not guarantee absolute security. If you discover a vulnerability, please report it privately to security@futurepost.ai. We acknowledge within 48 hours.
7. 𝕏 (Twitter) OAuth Permissions
When you connect your 𝕏 account, we request the following OAuth scopes:
- tweet.read: read your tweets for analytics.
- tweet.write: post and schedule tweets, threads, polls, and quote tweets.
- users.read: access your public profile information.
- users.email: receive your confirmed email address from 𝕏.
- offline.access: maintain access via refresh tokens so scheduled posts can run while you are not logged in.
- follows.read: read your following list for the browser extension.
- follows.write: unfollow accounts on your behalf when you ask the extension to.
- media.write: upload media attachments with your tweets.
You can revoke FuturePost's 𝕏 access at any time through your 𝕏 Connected Apps settings or by deleting your FuturePost account.
8. Data Retention
We retain your data for as long as your account is active. When you delete your account:
- All 𝕏 OAuth tokens are immediately revoked at 𝕏.
- All your records are permanently deleted: tweets, drafts, scheduled posts, gallery items, analytics snapshots, team memberships, automation rules, unfollow logs, notification preferences, and subscription metadata.
- Deletion is cascading. Records that reference your user ID are removed by the same operation.
- Server access logs are retained for 30 days for security and abuse prevention.
- We may retain a small amount of anonymized, aggregated usage data (counts, percentages) for product analysis.
9. Your Rights
You have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: update your information through Settings or by contacting us.
- Deletion: delete your account and all associated data at any time through Settings → Account → Delete account.
- Revoke access: disconnect 𝕏 from FuturePost via the 𝕏 Connected Apps settings, or disconnect individual 𝕏 accounts from FuturePost teams via Settings.
- Portability: request your data in a portable format (JSON export).
- Object to processing: opt out of any optional email category or, for processing you cannot opt out of, delete your account.
- Lodge a complaint: if you are in the EU, you may lodge a complaint with your local data-protection authority.
To exercise any of these rights, contact us at support@futurepost.ai. We respond within 30 days.
10. Children's Privacy
FuturePost is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child under 16 has provided us with personal information, contact us and we will promptly delete it.
11. International Data Transfers
Your data may be processed and stored in jurisdictions outside your own (including the United States). By using the Service, you consent to those transfers. Our processors (Stripe, AWS) operate under standard contractual clauses and equivalent transfer mechanisms.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the Service (banner or email). Continued use after changes constitutes acceptance of the updated policy.
13. Contact
For questions or concerns about this Privacy Policy or your data, contact:
Allo GmbH
Alexander Hillebrecht
An den Grachten 8
30926 Seelze
Germany
E-Mail: info@allo.dev
For general product support you may also write to support@futurepost.ai. For security reports use security@futurepost.ai.