Privacy Policy
Last updated: June 8, 2026
This Privacy Policy explains how Feedloop ("we", "us", "our") collects, uses, stores, and shares information when you use our service at feedloophq.com and app.feedloophq.com (the "Service"). We've written this in plain English. If anything here is unclear, email [email protected] and we'll explain.
Our three commitments — read these first
- We don't use your content to train AI. Not ours, not anyone else's. Your posts, captions, and uploaded media are never put into training datasets.
- We don't sell, rent, or share your data with advertisers or data brokers — including any data we receive from third-party platforms such as Pinterest, Meta (Facebook, Instagram, Threads), or Google (YouTube). The only third parties that ever see your content are the social platforms you explicitly connect (because publishing to them is the product).
- We never see your social-platform passwords. We use OAuth — the platform hands us a revocable access token, not your credentials. Tokens are encrypted at rest with AES-256-GCM. Revoke our access any time and we lose it instantly.
1. Who we are
Feedloop is a social media automation tool built and operated from Ethiopia. We help people publish content from a single source (an RSS feed, blog, or connected social account) to multiple social networks automatically.
2. The information we collect
2.1 Information you give us directly
- Account data — your name, email address, and a password (stored hashed, never in plain text) when you sign up.
- Profile preferences — your timezone, locale, and display settings.
- Billing information — we don't store your card details. Ethiopian Birr payments are handled manually via Telebirr (you transfer to our Telebirr account, we match the SMS to your subscription); US Dollar payments are processed by Polar (acting as our Merchant of Record). For Telebirr we store your transaction reference and the SMS text you forward to us; for Polar we only store the transaction reference, plan, and status they return.
- Content you create — automations you configure, post templates, hashtag rules, posting schedules, and any media (images, videos) you upload.
2.2 Information from connected social accounts
When you connect a social account (Facebook, Instagram, LinkedIn, Mastodon, Pinterest, X, etc.) we receive an OAuth access token issued by that platform, along with the public profile information the platform sends us (typically: username, display name, avatar URL, and account ID).
We encrypt all OAuth tokens at rest using AES-256-GCM before writing them to our database. We never receive or store your social-platform passwords.
When you connect a Pinterest account, we additionally receive the read and write scopes you authorize (currently pins:read, pins:write, user_accounts:read, boards:read, and boards:write). We use these scopes to publish pins on your behalf, schedule content to the boards you select, and read public analytics (impressions, saves, pin clicks, outbound clicks) for the Stats dashboard. Pinterest's own API policies govern what we may request and how often we may call its endpoints.
When you connect a feed as an input (e.g., your Mastodon account, an Instagram feed, an RSS URL), we additionally fetch the recent posts from that feed in order to syndicate them. We store the fetched content (post text, link, media URL, publish date) so we can deduplicate and queue it.
2.3 Information we collect automatically
- Usage logs — request method, path, status code, timestamp, and IP address. Used for security, abuse prevention, and debugging. Retained for 30 days.
- Analytics snapshots — for each connected social account, we record daily snapshots of follower count, post count, and engagement metrics (likes, reblogs) that the platform exposes through its API. These are shown on your Stats dashboard.
- Session cookies — a single secure, HTTP-only session cookie set by our authentication system. No third-party tracking cookies, no analytics pixels, no advertising trackers.
3. How we use your information
- To operate the Service: poll your sources, format posts per platform, deliver them to your connected accounts on schedule.
- To authenticate you and keep your account secure.
- To bill you on the plan you've chosen (via Telebirr for ETB or Polar for USD).
- To communicate with you about your account, billing events (receipts, failures), and material changes to the Service.
- To improve the Service by analyzing aggregated, anonymized usage patterns.
- To comply with legal obligations and respond to lawful requests from competent authorities.
We do not sell, rent, or trade your personal information. We do not use your content to train AI models. We do not show you advertising.
4. Who we share information with
- The social platforms you connect — when you create an automation that posts to, e.g., Facebook, the post content and media are sent to Facebook's API. This is the entire point of the Service.
- Payment processors — Polar (for USD card payments, acting as our Merchant of Record) receives the transaction data necessary to process your subscription. Telebirr payments are handled directly between you, your Telebirr account, and Feedloop's admin team; no third-party processor sees that data.
- Infrastructure providers — our server (currently Contabo in the European Union) and our database run in Europe. No customer data is moved outside the EU without your consent.
- Authorities — only when compelled by a valid legal process, and only to the minimum extent required.
5. Where your data lives
Our application servers and database run in the European Union (Frankfurt region). Encrypted backups are retained for 10 days. The encryption key for OAuth tokens is held only in our application environment and never stored alongside the data it encrypts.
6. How long we keep your data
- Account data: as long as your account exists.
- Content (automations, posts, uploads): as long as your account exists, unless you delete the items.
- Request logs: 30 days.
- Billing records: 7 years (required by tax law).
- After account deletion: we delete personal data and content within 30 days, except billing records (above) and items we are legally required to retain.
7. Your rights
Regardless of where you live, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct any information that's wrong.
- Delete your account and the data associated with it.
- Export your data in a machine-readable format.
- Withdraw consent for connected social accounts by disconnecting them in the dashboard.
- Object to specific processing or restrict it.
To exercise any of these rights, email [email protected] from the email address on your account. We respond within 30 days.
If you're in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.
8. Security
We protect your data with industry-standard measures, including:
- TLS (HTTPS) for all traffic between you and us.
- AES-256-GCM encryption at rest for all OAuth tokens.
- Hashed passwords (we never store, log, or transmit plain-text passwords).
- Rate limiting and abuse detection on every public endpoint.
- Restricted, audited access for our own staff.
No system is perfectly secure. If we discover a breach affecting your data, we will notify affected users within 72 hours of confirmation, as required by applicable law.
9. Children
Feedloop is not intended for users under the age of 16. We do not knowingly collect data from children. If we learn we have, we delete it immediately.
10. Third-party platforms
When you connect a social platform to Feedloop, that platform's own privacy policy governs how it handles your data. We are not responsible for, and do not control, those platforms' practices. You can review and revoke our access through each platform's account settings at any time.
10.1 Pinterest-specific disclosures
Feedloop is not endorsed by or affiliated with Pinterest, Inc. We use the Pinterest API to (a) publish content to the boards and pins you authorize, and (b) read public analytics (follower count, impressions, saves, pin clicks, outbound clicks) for the accounts you have connected. We do not resell, sublicense, or redistribute Pinterest content or Pinterest-derived data to any third party.
Pinterest data we store:
- OAuth access token (encrypted at rest with AES-256-GCM).
- Pinterest user/account ID, username, display name, and avatar URL.
- Daily analytics snapshots (follower count, per-pin impressions, saves, pin clicks, outbound clicks).
- Pins and board assignments you author through Feedloop.
Pinterest data lifecycle:
- When you disconnect Pinterest in the Feedloop dashboard, we delete the OAuth access token, account ID, username, display name, and avatar within 24 hours. Historical analytics snapshots remain in your account until you delete the Feedloop account or 90 days pass from disconnect (whichever comes first).
- When you delete your Feedloop account, all Pinterest-derived data (tokens, profile metadata, analytics snapshots, published pin metadata) is permanently deleted within 30 days.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we'll notify you by email and post a notice on the dashboard at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Contact
Questions, requests, or complaints about this policy or your data:
Email: [email protected]