Privacy Policy

Effective date: April 18, 2026

This Privacy Policy explains how Market Post ("Market Post", "we", "us") collects, uses, discloses, and safeguards information when you use our web application, APIs, and related services (the "Services"). By using the Services you agree to the practices described below.

1. Who we are

Market Post is an Indonesia-based software platform that enables marketing agencies to book, schedule, and publish content to verified Instagram Business or Creator accounts through the official Meta Instagram Graph API. Inquiries about this policy can be directed to privacy@marketpost.app.

2. Information we collect

We collect the categories of information listed below.

  • Account information: Name, email address, hashed password, organization name, role (agency, support, moderator, admin), two-factor authentication factors, and audit metadata such as login IP and user agent.
  • Instagram / Meta data: When you connect an Instagram Business account via OAuth, we receive a user access token and, via the Meta Graph API, the account username, Instagram Business Account ID, media metadata, comments, and insights (reach, impressions, engagement, follower_count). We do NOT access direct messages, private photos, follower identities, or any data outside the scopes you approved.
  • Content you submit: Campaign briefs, uploaded creative assets (images, videos, captions), order parameters, chat messages, support tickets, and proof-of-payment files.
  • Financial data: Top-up amounts, credit ledger entries, and references to external payment-channel transactions. We do not store raw card numbers; payment instruments are handled by licensed processors.
  • Usage and device data: Server logs, request metadata, session cookies, feature interactions, and error traces used to operate and improve the Services.
  • Cookies: Strictly necessary cookies for authentication and CSRF protection, plus optional analytics cookies if you consent.

3. How we use information

  • Provide the Services, including account management, order placement, publishing to Instagram, and insights reporting.
  • Authenticate users, enforce role-based access control, and prevent fraud or abuse.
  • Process payments, apply credits, and maintain auditable financial records.
  • Operate the live-chat / support ticket system and, where configured, an AI assistant that answers user questions from a curated knowledge base.
  • Send transactional emails (verification, password reset, invoice, order status, security alerts).
  • Comply with legal obligations and with the Meta Platform Terms and Developer Policies.
  • Improve the Services through aggregated analytics — never sold to third parties.

4. Legal bases for processing (GDPR / UU PDP)

Where applicable, we rely on the following legal bases: performance of a contract (to provide the Services you signed up for), legitimate interests (security, fraud prevention, product improvement), consent (marketing communications, optional analytics, connecting your Instagram account), and legal obligation (tax, accounting, regulator requests).

5. Instagram / Meta data handling

Our use and transfer of information received from the Meta Platform complies with the Meta Platform Terms and Developer Policies, including the Limited Use requirements.

  • We request only the minimum scopes required: instagram_business_basic, instagram_business_content_publish, instagram_business_manage_comments, and instagram_business_manage_insights.
  • Instagram access tokens are encrypted at rest using authenticated encryption (AES-256-GCM) and are never logged in plaintext.
  • We do not sell, license, or transfer Meta data to data brokers, advertising networks, or any party outside our processors.
  • You may disconnect your Instagram account from the Admin Console at any time; all tokens are invalidated and associated access is revoked.
  • On request via privacy@marketpost.app, we will delete all Meta data we hold about your account within 30 days, subject to legal retention requirements.

6. How we share information

We share information only with the following categories of recipients:

  • Meta Platforms, Inc. — when calling the Graph API on your behalf.
  • Infrastructure processors — cloud hosting, managed databases, object storage, email delivery, under written data-processing agreements.
  • Payment providers — to settle top-ups and refunds.
  • AI providers (optional) — if the admin enables an OpenAI or Google Gemini backed support assistant, the content of your ticket messages is transmitted to the configured provider under their enterprise data-handling terms; this can be disabled at any time.
  • Authorities — when required by valid legal process.

We never sell personal information and we do not use your content to train third-party models without your explicit, opt-in consent.

7. International transfers

Market Post is operated from Indonesia. If data is transferred outside your jurisdiction (for example to Meta's global infrastructure or a processor in a different region), we use appropriate safeguards such as Standard Contractual Clauses or equivalent regulatory mechanisms.

8. Retention

  • Account data is retained for the life of your account plus 90 days after deletion to support dispute resolution.
  • Financial records are retained for 10 years in line with Indonesian tax and accounting law.
  • Security and audit logs are kept for up to 18 months.
  • Instagram tokens and Graph data are deleted within 30 days of account disconnection or user deletion request, whichever comes first.

9. Your rights

Subject to applicable law (including UU PDP No. 27/2022 and GDPR where relevant), you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Request portability of your data in a structured, machine-readable format.
  • Object to or restrict certain processing activities.
  • Withdraw consent you have previously given, without affecting the lawfulness of prior processing.
  • Lodge a complaint with the Indonesian data-protection authority or your local supervisory authority.

Submit requests to privacy@marketpost.app. We respond within 30 days.

10. Security

We maintain administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include TLS in transit, AES-256 encryption at rest for secret material, hashed passwords with Argon2id, role-based access control, audit logging, least-privilege database access, and mandatory multi-factor authentication for administrators. No system is perfectly secure; we will notify affected users and regulators of material breaches as required by law.

11. Children's privacy

Market Post is a business-to-business service and is not directed to individuals under 18. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in-product and via email to account owners at least 30 days before they take effect, except where a shorter notice period is required by law.

13. Contact

Data protection inquiries: privacy@marketpost.app
General inquiries: hello@marketpost.app