Privacy Policy
Last updated: 8 July 2026
FSL Software Ltd, trading as CrossPostr.
This Privacy Policy explains how FSL Software Ltd, a company registered in England & Wales (company number 17258058, registered office 2 Rhosili Road, Cefn Hengoed, CF82 7JE), trading as CrossPostr ("CrossPostr", "we", "us", "our"), collects and processes your personal data when you use the CrossPostr website, API, MCP server, and dashboard (together, the "Service"). We are the data controller for the personal data described below.
We are committed to protecting your data in line with the UK GDPR and the Data Protection Act 2018. Questions? Email privacy@crosspostr.io.
1. Data we collect
- Account data — your email address, and authentication and billing identifiers.
- Connected-account data — when you connect a YouTube or TikTok account, we receive and store OAuth access and refresh tokens, your platform account ID, display name, and avatar. We request only the scopes needed to operate the Service (see section 5).
- Content data — the videos, captions, titles, and scheduling details you submit for publishing, and the media files you stage for upload.
- Analytics data — engagement metrics (views, likes, comments, shares) we retrieve from the connected platforms on your behalf.
- Usage & technical data — API request logs, IP address, timestamps, and error diagnostics used to operate, secure, and debug the Service.
2. How we use your data
- To provide the Service — publishing, scheduling, and retrieving analytics on your behalf.
- To authenticate API requests and maintain your connected accounts.
- To process billing and prevent fraud and abuse.
- To provide support, and to secure, monitor, and improve the Service.
- To comply with our legal obligations.
3. Legal bases (UK GDPR)
- Performance of a contract — to deliver the Service you sign up for.
- Legitimate interests — to secure, debug, and improve the Service, where not overridden by your rights.
- Consent — where you connect a social account, you consent to us accessing that platform's data for the requested scopes; you can withdraw consent at any time by disconnecting the account.
- Legal obligation — where processing is required by law.
4. Storage, security, and retention
OAuth tokens are encrypted at rest using AES-256-GCM. Data is hosted on infrastructure within the UK/EU and on Cloudflare's network. We retain connected-account data only while the account is connected: when you disconnect an account or delete your CrossPostr account, we delete the associated tokens and stop retrieving data from that platform. We may retain minimal billing and log records where required for legal, accounting, or security purposes.
5. Connected platforms
CrossPostr acts on your behalf to publish to and read analytics from third-party platforms. We request the minimum scopes required:
| Platform | Scopes requested | Purpose |
|---|---|---|
| YouTube (Google) | youtube.upload, youtube.readonly, yt-analytics.readonly, youtube.force-ssl | Upload videos, read your channel and video data, retrieve analytics, and manage comments where you request it. |
| TikTok | user.info.basic, video.list, video.upload (and video.publish where enabled) | Identify your account, list your videos, upload content to your inbox/drafts, and publish where you enable direct posting. |
YouTube API Services
CrossPostr uses YouTube API Services. By connecting a YouTube account, you agree
to the YouTube Terms of
Service. Google's handling of your data is described in the
Google Privacy Policy.
You can revoke CrossPostr's access to your Google/YouTube data at any time via the
Google security
settings page (https://myaccount.google.com/permissions).
Limited Use. CrossPostr's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data solely to provide and improve the user-facing features of the Service, do not transfer it except as necessary to provide those features or as required by law, do not use it for advertising, and do not allow humans to read it except with your consent, for security, to comply with law, or where the data is aggregated and anonymised.
TikTok
CrossPostr integrates with the TikTok Content Posting and Display APIs to publish content and read analytics on your behalf, subject to TikTok's Terms of Service and Privacy Policy. You can revoke access from your TikTok account's connected-apps settings.
6. Sharing and sub-processors
We do not sell your personal data. We share it only with service providers who process it on our behalf under contract, including: cloud/hosting and network providers (including Cloudflare), payment processing (Stripe), and the social platforms you connect. We may disclose data where required by law.
7. International transfers
Where data is transferred outside the UK/EEA (for example to a sub-processor), we rely on adequacy decisions or appropriate safeguards such as the UK International Data Transfer Agreement or Standard Contractual Clauses.
8. Your rights
Under UK data protection law you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. To exercise any right, email privacy@crosspostr.io. You also have the right to complain to the Information Commissioner's Office (ICO).
9. Cookies
The marketing site uses only essential cookies. The dashboard uses cookies strictly necessary for authentication and security. We do not use advertising cookies.
10. Children
The Service is not directed to individuals under 18, and we do not knowingly collect their data.
11. Changes
We may update this policy; we will revise the "Last updated" date and, for material changes, provide additional notice.
12. Contact
FSL Software Ltd, trading as CrossPostr — privacy@crosspostr.io.
