Privacy Policy

1. Who we are

PostAtlas is built and operated by Kularion FZC, registered in the UAE. Kularion FZC is the data controller for any personal data processed in connection with PostAtlas. You can reach us at hello@kularion.com.

2. What PostAtlas is

PostAtlas is a desktop application for short-form creators. It runs on your own computer (currently macOS), connects to TikTok, YouTube, Facebook, and Instagram via each platform's official API, organises your video files from folders you choose, and publishes posts on your behalf at scheduled times. Your videos, captions, schedules, and OAuth tokens stay on your machine. We do not operate cloud infrastructure that stores your content. A future hosted version of PostAtlas will be covered by an updated policy with a clear effective date.

3. What we collect

• Connected social accounts. When you connect TikTok, YouTube, Instagram, or Facebook, PostAtlas receives an OAuth access token and (where available) a refresh token, plus your platform-side display name, username, account ID, and profile picture URL. Tokens are stored in your operating system's secure credential store (macOS Keychain on macOS), never in plaintext on disk, and never sent to any server we operate.
• Your content. Videos remain in the local folders you select. Captions, schedules, and queue history are stored in a local database file on your computer. None of this data is uploaded to any server we operate.
• Operational data. Publish attempts, retries, and platform error responses are stored in the same local database so you can audit your own queue. We do not have access to this data.
• Website analytics. For the marketing website you are reading right now (not the desktop app), we use Cloudflare Web Analytics. It is cookie-less, aggregate, and does not track individuals across sites. We do not use Google Analytics, Meta Pixel, or session-replay tools. There is no analytics SDK inside the desktop app.
• Waitlist signups. When you submit the waitlist form on this site, your email address and the tier you indicated are captured through Tally (our form provider) and forwarded to us. We use this data only to email you about closed-beta intakes and announcements. We retain it until you ask for it to be removed or until we have decided not to invite you, whichever comes first. To delete a waitlist signup, email hello@kularion.com from the same address.
• Email correspondence. If you email hello@kularion.com we keep your email for support history.

4. How OAuth tokens are used

When you connect a platform, the OAuth handshake happens directly between your machine and the platform's authentication server. The resulting access and refresh tokens are written to your operating system's secure credential store and used by PostAtlas, running on your machine, to publish the posts you schedule and to refresh themselves before they expire. We do not log, transmit, or otherwise have access to your tokens. We do not read DMs, scrape your followers, or perform any action you have not directly initiated.

You can revoke a token at any time by disconnecting the account inside PostAtlas, or by revoking PostAtlas in the platform's connected-apps settings (linked in Section 6 below). Either method immediately disables scheduled posts to that account.

5. How videos are handled

Video files stay in the local folders you select on your machine. PostAtlas reads them when a scheduled post fires and uploads them directly from your machine to the destination platform's content API. The video does not pass through any server we operate. Deleting a video from your folder removes it from the PostAtlas library too.

6. Platform-specific disclosures

PostAtlas connects to short-form platforms using their official APIs. Each platform requires us to disclose, for transparency and audit, what data we receive and how it is used.

TikTok

PostAtlas uses TikTok's Login Kit and Content Posting API. When you connect a TikTok account PostAtlas receives a scoped OAuth access token and refresh token, your TikTok open ID, username, display name, and profile picture URL. These are stored locally on your machine and used solely to publish videos you schedule, retrieve the public URL of a published post for your own queue history, and refresh tokens before they expire. We do not read direct messages, fetch your followers or followings, or take any action you have not directly initiated. Your use of TikTok through PostAtlas is also governed by the TikTok Terms of Service and the TikTok Developer Terms of Service. You can revoke PostAtlas at any time from your TikTok connected-apps settings.

YouTube (Google)

PostAtlas is a client of YouTube API Services. When you connect a YouTube channel PostAtlas receives a scoped Google OAuth access token and refresh token, plus your YouTube channel ID, channel name, and channel thumbnail URL. These are stored locally on your machine and used solely to upload Shorts you schedule and to read upload status for your own queue history. We do not access your subscriptions, watch history, comments, or any other YouTube data outside what is required to upload and verify the upload. Your use of YouTube through PostAtlas is also governed by the YouTube Terms of Service and the Google Privacy Policy. You can revoke PostAtlas at any time from your Google Account permissions page.

Facebook and Instagram (Meta)

PostAtlas uses Meta's Graph API for Facebook Pages and Instagram Business accounts. When you connect, PostAtlas receives a scoped Page access token, your Facebook Page ID and name, your Instagram Business account ID, username, and profile picture URL. These are stored locally on your machine and used solely to publish posts and Reels you schedule. We do not read messages, post outside your scheduled queue, or access friends, followers, or audience data. Your use of Facebook and Instagram through PostAtlas is also governed by the Meta Platform Terms, the Facebook Terms, and the Instagram Terms of Use. You can revoke PostAtlas at any time:

• Facebook: facebook.com/settings/apps
• Instagram: instagram.com/accounts/manage_access

Permissions we never request

We do not request scopes for direct messaging, comments, follower or subscriber lists, ad accounts, or analytics beyond what is required to confirm a post has been published. If a platform offers a permission we do not need, we do not ask for it.

7. Sharing

We do not collect, store, or hold your videos, captions, schedules, or platform tokens on any server we operate, so there is nothing for us to share with third parties. PostAtlas does not contain telemetry that sends usage data back to us. The website analytics described in Section 3 are aggregate, cookie-less, and not shared with anyone.

8. Your rights and data deletion

Because all PostAtlas user data lives on your own machine, you can delete it directly: uninstall the app, remove the local data folder, and revoke PostAtlas in the platform's connected-apps settings. For step-by-step instructions, see our Data deletion page. If you have emailed us at hello@kularion.com and want that correspondence deleted, email us from the same address and we will action the request within 30 days.

9. International transfers

When you publish a post, the video travels from your machine directly to the destination platform's infrastructure (which they host wherever they choose). PostAtlas does not move your content internationally because we do not hold it. Email correspondence with us may be processed in the UAE.

10. Children

PostAtlas is not directed to children under 16. We do not knowingly collect personal data from children.

11. Changes

If we make material changes to this policy, the date at the top will be updated and (for the eventual hosted version) we will notify users at least 30 days before changes take effect.

12. Contact

Questions, requests, or complaints can be sent to hello@kularion.com.