Privacy Policy
This Privacy Policy applies to Sharpingknives (the "App" or the "Service"), a self-hosted social media scheduling and publishing tool operated by Mario Gabriele Sabbatini, trading as Sharpingknives, Italy ("we", "us", "our", the "Operator"). Sharpingknives runs at postiz.sharpingknives.com and is deployed from the open-source Postiz software. This policy explains how the App collects, uses, stores and discloses information when you create an account and use it.
By creating an account or otherwise using the Service, you ("you", "the user") acknowledge that you have read and understood this Privacy Policy.
1. Who we are (Data Controller)
The data controller responsible for the processing of personal data through the Service is:
- Sharpingknives — Mario Gabriele Sabbatini, Italy.
- Contact: mario@sharpingknives.com
2. The service in brief
The Service allows authenticated users to:
- Connect one or more accounts they own on supported third-party platforms (TikTok, Instagram, Facebook, YouTube, X, LinkedIn, Threads, Pinterest, Reddit, Mastodon, Discord, Bluesky, and others supported by the underlying Postiz software).
- Compose, schedule, and publish text, image and video posts to those connected accounts on the user's behalf, via the official APIs of each platform.
- Retrieve aggregated analytics that those platforms expose for the connected accounts (e.g., views, likes, follower counts).
The Service does not read, scrape, repost or otherwise interact with content produced by users other than the authenticated user who has explicitly connected an account.
3. The data we collect
3.1 Account & identity data
When you register for an account on the Service, we collect: your email address, a hashed password (we never store passwords in plain text), and the display name you choose. We also assign you a unique internal identifier.
3.2 Connected third-party platform data
When you connect a third-party platform account to the Service, we receive information from that platform via its official OAuth flow and APIs. The specifics depend on the platform:
3.2.1 TikTok
When you connect a TikTok account, we use the TikTok Login Kit and the TikTok Content Posting API. We collect and store, only for the duration needed to operate the Service:
- Profile information: display name, avatar URL,
open_id,union_id, and username — used solely to identify the connected account inside your dashboard. - Access and refresh tokens: stored in our database and used exclusively to publish content that you explicitly schedule or submit through the Service, and to refresh the session when the access token expires.
- Video and image content you upload: temporarily stored on the server to be transmitted to TikTok via the Content Posting API. Once the upload completes successfully, the source file may be retained for re-use (e.g., re-scheduling, re-publishing) but is never shared with anyone other than TikTok.
- Post metadata returned by TikTok: post ID, publish timestamp, and aggregated metrics (views, likes, shares) for posts you published through the Service.
We do not request access to your TikTok inbox, direct messages, follower list, or to any content posted by other TikTok users. We do not use TikTok data for advertising, profiling, or any purpose other than operating the Service for you.
3.2.2 Meta — Instagram & Facebook
When you connect an Instagram Business / Creator account or a Facebook Page, we use the Meta Graph API. We collect: page or business account ID, name, profile picture, access tokens, and post-level metadata (post ID, publish timestamp, aggregated insights) for content you publish through the Service. We do not access personal Instagram accounts or content posted by users you do not control.
3.2.3 YouTube / Google
When you connect a YouTube channel, we use the Google OAuth 2.0 flow and the YouTube Data API v3. We collect: channel ID, channel title, thumbnail, OAuth access/refresh tokens, and metadata for videos you upload through the Service (video ID, status, aggregated public statistics).
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3.2.4 Other supported platforms
For any other platform you choose to connect (X, LinkedIn, Threads, Pinterest, Reddit, Mastodon, Discord, Bluesky, etc.), we collect the minimum data required by that platform's official API to identify the connected account and to publish content on your behalf — typically an account identifier, display name, and OAuth tokens.
3.3 Content you upload for scheduling
Any text, image or video you compose or upload through the Service for the purpose of scheduling or publishing is stored on the server hosting the Service until you delete it, or until the corresponding scheduled post has been published and any retention period set by the user has elapsed.
3.4 Operational logs and usage data
We log technical information necessary to operate and secure the Service: timestamps of login attempts, IP addresses of authenticated sessions, errors returned by third-party APIs, and scheduled-job execution outcomes. These logs are retained for security and debugging purposes and are not used for profiling.
3.5 Cookies
The Service uses strictly necessary first-party cookies to keep you logged in (session cookies and a JWT). No advertising, analytics, or cross-site tracking cookies are set.
4. How we use the data & legal bases (GDPR)
- To provide the Service (account creation, scheduling, publishing) — legal basis: performance of a contract (Article 6(1)(b) GDPR).
- To secure the Service and prevent abuse (logging, rate limiting) — legal basis: legitimate interest (Article 6(1)(f) GDPR).
- To comply with legal obligations (e.g., responding to lawful requests) — legal basis: legal obligation (Article 6(1)(c) GDPR).
5. Who we share data with
We do not sell or rent personal data, and we do not share it with third parties for advertising or analytics. We share data only with:
- The third-party platforms you have explicitly connected — when you schedule or publish content, we transmit it to the platform you selected, using your access tokens. When you request analytics, we receive aggregated data from that platform.
- Infrastructure providers strictly necessary to operate the Service: Hetzner Online GmbH (server hosting, EU data centers); Resend (transactional email delivery for password resets and account verification).
- Competent authorities when required by a binding legal order under applicable law.
6. International data transfers
The Service is hosted in the European Economic Area (Helsinki, Finland). When you publish content to third-party platforms (e.g., TikTok, Meta, Google), data is transmitted to servers operated by those platforms, which may be located outside the EEA. Such transfers are governed by the respective platforms' own privacy policies and transfer mechanisms.
7. Data retention
- Account data (email, hashed password, display name): retained for as long as your account is active. After you delete your account, this data is removed within 30 days, except where retention is required by applicable law.
- OAuth access and refresh tokens: stored as long as the corresponding third-party account is connected. When you disconnect a platform from the Service, the tokens are deleted from our database immediately and the Service additionally invokes the platform's token-revocation endpoint where available.
- Uploaded content: retained until you delete it, or until the scheduled post completes and the user-configured retention window elapses.
- Operational logs: retained for up to 90 days, then deleted or anonymised.
8. How to revoke access
You can disconnect any connected third-party account at any time, directly from the "Channels" page of your Sharpingknives dashboard. Disconnecting:
- Immediately deletes the access and refresh tokens stored on the Service.
- Where the platform offers a token-revocation endpoint (TikTok, Google, Meta, etc.), the Service invokes it so that the tokens are also invalidated on the platform side.
Independently of disconnecting through the Service, you can revoke access at any time from the third-party platform itself:
- TikTok: Settings and privacy → Security and login → Manage app permissions, then revoke "Sharpingknives".
- Instagram & Facebook (Meta): Settings → Apps and websites, then remove the Postiz integration.
- Google / YouTube: myaccount.google.com/permissions, then revoke "Sharpingknives".
9. Security
OAuth tokens and password hashes are stored in a PostgreSQL database accessible only over an internal network. All HTTP traffic to the Service is served over TLS 1.2+ (Let's Encrypt). The underlying server uses encrypted storage and is protected by firewall rules limiting administrative access.
10. Your rights (GDPR)
If you are located in the European Economic Area, the United Kingdom, or in another jurisdiction that grants equivalent rights, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate data.
- Request erasure ("right to be forgotten").
- Request portability of data you have provided.
- Object to or restrict processing.
- Lodge a complaint with your local supervisory authority (in Italy: Garante per la Protezione dei Dati Personali).
To exercise any of these rights, contact us at mario@sharpingknives.com.
11. Children
The Service is not directed to children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Third-party platforms
Each third-party platform you connect to the Service operates under its own privacy policy, which governs how that platform processes data once it leaves the Service. Please review:
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date at the top and, where feasible, notify users through the Service. Continued use of the Service after such changes constitutes acceptance of the updated policy.
14. Contact
For any question regarding this Privacy Policy or the processing of your personal data, contact us at mario@sharpingknives.com.