Privacy Policy
Last updated: March 24, 2026
1. Introduction
Birdy ("we", "our", or "the app") is a social media management tool that allows you to post to multiple platforms from a single interface. This Privacy Policy explains how we collect, use, and protect your information when you use Birdy.
2. Information We Collect
We collect the following types of information:
- Account information: Email address and password (hashed) when you register.
- Multi-factor authentication: If you enable MFA, we store your TOTP secret and hashed one-time backup recovery codes.
- OAuth tokens: When you connect a social media platform (LinkedIn, Facebook, Instagram, Threads, Twitter, Bluesky), we receive and store access tokens and related session data provided by those platforms. We do not store your social media passwords.
- Platform credentials: For platforms like Discord (webhook URLs) and Mastodon (access tokens and OAuth client credentials), you provide these directly.
- Post content: Text and images you compose and schedule through Birdy. A log of published post content is also retained in our database for your post history.
- Usage data: Post counts, scheduling information, and post history for enforcing plan limits and displaying your activity.
3. How We Use Your Information
- To authenticate you and manage your account, including multi-factor authentication.
- To post content to your connected social media accounts on your behalf.
- To schedule and publish posts at your requested times.
- To display your connected account names/usernames in the app interface.
- To enforce subscription plan limits.
- To send you email notifications when a scheduled post fails to publish.
- To run periodic health checks against your connected platforms and automatically disconnect integrations that are no longer valid.
- To automatically refresh expiring tokens for Instagram and Threads in the background so your connections remain active.
- To track and diagnose errors using Sentry, which may include session replay data when errors occur.
4. Third-Party Services
Birdy integrates with the following third-party platforms. When you connect an account, their respective privacy policies apply:
- Meta (Facebook, Instagram, Threads): Meta Privacy Policy
- LinkedIn: LinkedIn Privacy Policy
- X (Twitter): X Privacy Policy
- Bluesky: Bluesky Privacy Policy
- Discord: Discord Privacy Policy
- Mastodon: Privacy policy varies per instance.
We also use the following third-party services to operate Birdy:
- Supabase: Cloud-hosted PostgreSQL database and object storage for all application data and temporary image uploads. See the Supabase Privacy Policy.
- Sentry: Error tracking and performance monitoring. When an error occurs, Sentry may capture session replay data (page content and user interactions) to help diagnose the issue. See the Sentry Privacy Policy.
- Resend: Transactional email delivery for scheduled post failure notifications. See the Resend Privacy Policy.
5. Data Storage & Security
- All data is stored in a Supabase-hosted PostgreSQL database with row-level security enabled.
- Passwords are hashed using bcrypt before storage. MFA backup codes are also individually hashed.
- OAuth tokens and sensitive platform credentials are encrypted using AES-256-GCM before storage in the database.
- All connections use HTTPS/TLS encryption in transit.
- Temporary image uploads (for Instagram and Threads) are stored in Supabase Storage to generate URLs required by those platforms, then removed on a best-effort basis after posting.
6. Automated Processing
Birdy performs the following automated actions on your behalf:
- Scheduled posting: Posts you schedule are automatically published at the requested time.
- Token refresh: Access tokens for Instagram and Threads are automatically refreshed before they expire to keep your connections active.
- Health checks: Periodic checks verify that your connected platforms are still accessible. If a connection is found to be invalid, it is automatically disconnected and the associated credentials are deleted.
7. Data Sharing
We do not sell, trade, or share your personal information with third parties. Your data is sent to the social media platforms you explicitly connect when you initiate or schedule a post. Error and diagnostic data may be sent to Sentry, and failure notification emails are sent via Resend. No other third parties receive your data.
8. Data Retention & Deletion
- You can disconnect any platform at any time, which immediately deletes the associated tokens and credentials from our database.
- You can request full account deletion by contacting the administrator.
- Scheduled posts are retained until sent or manually deleted.
- Post history (including content) is retained indefinitely unless you request deletion.
- Temporary image files are removed from storage on a best-effort basis after posting.
9. Your Rights
Under GDPR and similar regulations, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Withdraw consent for data processing at any time by disconnecting platforms or deleting your account.
10. Cookies
Birdy uses essential cookies only: session authentication cookies and short-lived CSRF state cookies during OAuth flows. We do not use tracking or analytics cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated date.
12. Contact
If you have any questions about this Privacy Policy, please contact the application administrator.