Privacy Policy
Last updated: 28 April 2026 · Mandalar Ltd, United Kingdom
1. Who We Are
PostFlow and all products on this site are operated by Mandalar Ltd, a company registered in England and Wales.
- Company Number: 17167234
- Registered Address: Flat 33, 46-52 Park Street, Luton LU1 3HP, United Kingdom
- Email: hello@mandalar.app
- Phone: +44 7818 250432
- Website: mandalar.app
2. What Data We Collect
- Account data: your name and email address when you register for PostFlow
- Facebook data: Facebook Page access tokens and Page metadata (see Section 3)
- Post content: messages, images, and scheduled times you create in PostFlow
- Payment data: processed by Stripe — we do not store card details
- Usage data: post counts, plan usage, and timestamps
3. Facebook Data
PostFlow integrates with the Facebook Graph API to allow you to schedule and publish posts to your Facebook Pages. To do this, we request the following Facebook permissions:
- pages_show_list — to retrieve a list of Facebook Pages you manage, so you can select which Page to post to.
- pages_read_engagement — to read engagement data on your Pages, used to display basic Page information within PostFlow.
- pages_read_user_content — to read content posted on your Pages, used to verify post publication status.
- pages_manage_posts — to create and publish posts on your Facebook Pages on your behalf, at the times you schedule.
Purpose: To allow users to connect their Facebook Pages, view page insights, and schedule and publish posts via the Facebook Graph API.
Token storage: Facebook Page access tokens are stored in our secure database (Supabase, hosted on AWS infrastructure). Tokens are long-lived (~60 days) and are refreshed when you reconnect your Page. We store tokens only for as long as your account is active or until you disconnect your Page.
We do not: sell your Facebook data, use it for advertising, share it with third parties for their own purposes, or use it for any purpose beyond operating PostFlow for you.
4. How We Use Your Data
- To operate your PostFlow account and process scheduled posts
- To publish posts to your Facebook Pages at your scheduled times
- To send transactional emails (account confirmation, billing receipts)
- To enforce plan limits and process subscription payments via Stripe
- To improve PostFlow using aggregated, anonymised analytics only
5. Legal Basis for Processing (UK GDPR)
- Contract: to provide the PostFlow service you have subscribed to
- Legitimate interests: to operate, secure, and improve PostFlow
- Consent: when you connect your Facebook account via OAuth
6. Third-Party Services
- Supabase (AWS) — database and file storage for your posts, account data, and Facebook tokens
- Stripe — payment processing for subscriptions. Stripe is PCI-DSS compliant.
- Vercel — application hosting and deployment
- Anthropic / Groq — AI text generation for the AI Generator feature (post content only; no personal data shared)
- Unsplash — free stock photo search (no personal data shared)
- Meta / Facebook — Graph API for Page publishing
7. Data Retention
- Account data: retained while your account is active; deleted within 30 days of account deletion
- Facebook access tokens: deleted immediately when you disconnect your Page or delete your account
- Post content: retained while your account is active; deleted on account deletion
- Payment records: retained for 7 years for legal and tax compliance
8. Data Deletion
You can request deletion of all data we hold about you — including all Facebook data received via the Graph API — at any time.
- Email: hello@mandalar.app
- Or visit our Data Deletion page
We will action all deletion requests within 30 days.
9. Your Rights (UK GDPR)
You have the right to access, correct, delete, or port your data, and to object to or restrict processing. To exercise any right, email hello@mandalar.app. You may also lodge a complaint with the ICO.
10. Cookies
PostFlow uses only essential cookies for authentication (session management). We do not use advertising or tracking cookies.
11. Changes to This Policy
We may update this policy from time to time. We will notify you by email of any material changes. Continued use of PostFlow after changes constitutes acceptance.
12. Contact
Mandalar Ltd
Flat 33, 46-52 Park Street, Luton LU1 3HP, United Kingdom
Company No: 17167234
Email: hello@mandalar.app
Phone: +44 7818 250432