Legal
Privacy policy
Last updated 2026-05-12
This policy explains what data we collect when you use Vindy Post, why we collect it, how we store it, and the rights you have over it. Plain language wherever possible.
Who we are
Vindy Post is a social media scheduling service operated by Vindy Enterprises Private Limited (CIN U62020TN2026PTC193535), a company incorporated in India with its registered office at 26 Perumal Koil Street, Aranvoyal, Tiruvallur, Tamil Nadu - 602025. You can reach us at hello@vindypost.in for any privacy question or request.
What data we collect
Account data. Your email address, display name, and profile photo (if you upload one). We use this to identify you and keep your work separate from other users.
Connected platform data. When you connect Instagram, Facebook, YouTube, X, LinkedIn, or Threads, we store the OAuth access token issued by that platform plus the public account details the platform returns (page name, handle, avatar URL). We never see or store your platform passwords.
Content you create. Captions, hashtags, scheduled times, and any media files you upload to schedule a post. Stored only as long as needed to publish the post (and a short history afterwards so you can see what went out).
Billing data. If you subscribe to Pro, we receive a payment reference, plan, and renewal date from Razorpay. We do not see or store your card number, UPI ID, bank credentials, or CVV. Those go directly to Razorpay.
Usage data. Standard server logs (IP, browser, page visited, timestamps). Used for security and debugging.
How we use it
- To run the service: schedule and publish your posts when you ask us to.
- To bill you correctly and issue GST invoices for Pro subscriptions.
- To send transactional email: payment receipts, security alerts, important notices.
- To debug and improve Vindy Post (in aggregate, never selling individual data).
We do not sell your data. We do not use your post content, captions, or media to train AI models. See the AI section below.
Third parties we share data with
We share the minimum needed to run the service, with these processors:
- Supabase: database and authentication. Stores your account and content.
- Vercel: hosting. Serves the website and runs the scheduler.
- Razorpay: payment processing for Pro subscriptions.
- Google Gemini API: generates AI captions and content plans only when you ask. See AI section below.
- Resend: sends transactional email.
- Connected social platforms: Meta (Facebook, Instagram, Threads), Google (YouTube), X, LinkedIn, only the data needed to publish your scheduled posts to your accounts.
Google API Services: Limited Use
Vindy Post's use and transfer of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.
Google data we access. When you connect your YouTube channel, we request the youtube and youtube.upload OAuth scopes. Through these scopes we access: your YouTube channel ID, channel title, and channel profile picture URL. We also receive OAuth access and refresh tokens issued by Google.
How we use Google data. We use your YouTube channel information solely to display your connected channel inside the Vindy Post app and to publish videos and Shorts to your channel on your behalf when you schedule a post. We do not use Google user data for advertising, analytics, market research, or any purpose unrelated to providing the Vindy Post service.
Sharing of Google data. Your Google user data is not shared with any third parties except as strictly necessary to operate the service:
- Supabase (database provider): stores your encrypted OAuth tokens and channel metadata so we can publish on your behalf.
- Inngest (job scheduler): receives the post payload (your content, not raw tokens) to execute the scheduled publish via the YouTube API.
We do not sell, lease, or transfer Google user data to any other party. We do not use Google user data to train AI or machine-learning models.
Storage and protection of Google data. OAuth tokens are encrypted at rest before being stored in our database (hosted on Supabase in the ap-south-1 region). Access to the database is restricted to application-level service roles only. All communication between Vindy Post and Google APIs occurs over HTTPS/TLS.
Retention and deletion of Google data.We retain your YouTube OAuth tokens and channel metadata for as long as your channel remains connected in Vindy Post. You can disconnect your YouTube channel at any time from the Channels page, which immediately deletes the stored tokens and channel data from our database. Deleting your Vindy Post account also removes all Google data. You may also revoke Vindy Post's access from your Google Account permissions page. For manual deletion requests, email hello@vindypost.in and we will process it within 30 days.
Meta Platforms (Facebook, Instagram, Threads)
We use Meta's Graph API to publish content to Facebook Pages, Instagram Business accounts, and Threads accounts you explicitly connect. Tokens are stored encrypted at rest. You can revoke access at any time from your platform settings or from inside Vindy Post.
AI features
Vindy Post uses Google Gemini to generate captions and content plans on demand. When you click an AI button, the prompt is sent to Gemini and the response comes back. Per Google's Gemini API terms, your prompts and outputs are notused to train Google's models. We don't retain AI prompt history beyond what you save as a draft.
How long we keep data
- Account and content: until you delete your account.
- Published post history: kept indefinitely until you delete it manually or delete your account.
- Billing records: retained for the period mandated by Indian tax law (currently 8 years for GST).
- Server logs: typically 30 days, then rotated out.
Your rights
You can access, correct, export, or delete your data at any time. Deletion is documented at /legal/data-deletion. For other requests, email hello@vindypost.infrom your registered address and we'll respond within 30 days.
Children
Vindy Post is not directed at children under 18. We don't knowingly collect data from anyone under 18. If you believe a minor has signed up, email us and we'll remove the account.
Changes
If we change this policy materially, we'll email registered users and update the "Last updated" date at the top.
