Schedule & ShareSchedule & ShareBack to app
Schedule & Share

Privacy Policy

BrandMongo Pty Ltd ("we", "us", "our") operates the Schedule & Share platform. This Privacy Policy explains how we collect, use, store, and protect your personal data.

Last updated: February 2026

Quick Navigation

Data We CollectHow We Use DataSecurity MeasuresData RetentionSub-ProcessorsInternational TransfersYour Rights (GDPR)CookiesChildren's PrivacyPolicy ChangesContact Us
1

Data We Collect

Account Data

  • Email address, first name, and last name
  • Password (stored as a bcrypt hash — never plaintext)
  • Authentication provider (credentials or Google OAuth)
  • Avatar URL (if provided via Google OAuth)

Social Media Platform Data

  • Platform user IDs and usernames
  • OAuth access tokens and refresh tokens (encrypted at rest)
  • Platform-granted permission scopes

Content Data

  • Post text, hashtags, and media file URLs
  • Scheduling timestamps and publishing status
  • Engagement metrics returned by platform APIs

Security & Audit Data

  • Audit logs of security-relevant actions
  • IP addresses and user agent strings (security only)
  • Rate limiting counters (stored temporarily)
2

How We Use Your Data

Service delivery

Authenticating you, scheduling and publishing posts to your connected platforms

Security

Protecting your account with MFA, session management, and audit logging

Analytics

Displaying engagement metrics for your published content

Content moderation

Optionally analysing content for policy compliance (opt-in per platform)

Communication

Sending transactional emails (password resets, account notifications)

3

Security Measures

We implement robust security measures to protect your data with industry-leading encryption and authentication protocols.

AES-256-GCM encryption at rest

Google Cloud KMS key management

bcrypt password hashing

TLS 1.2+ transport security

TOTP multi-factor authentication

8-hour JWT session security

Audit Integrity

All security-relevant actions are logged with SHA-256 hash-chain verification for tamper detection, ensuring complete audit trail integrity.

4

Data Retention

Data Category
Retention Period
Account data
Account lifetime + 30-day grace period
OAuth tokens
Until platform disconnected or account deleted
Post content
User-controlled; max 2 years after publish
Audit logs
1 year
Delivery logs
2 years
Session data
8 hours (auto-expiry)
Rate limit counters
1–24 hours (auto-expiry)
5

Sub-Processors

We use the following third-party services to process your data:

MongoDB Atlas
Database hosting
US / EU
Upstash Redis
Caching, sessions, job queues
Global edge
Google Cloud Platform
Compute, storage, key management
Asia (Mumbai)
SendGrid (Twilio)
Transactional email
US
Social media platforms
Content publishing
US
6

International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission to ensure adequate protection of your data.

7

Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights under the General Data Protection Regulation:

Access

Article 15

Export all your data via Settings → Privacy → Export Data

Rectification

Article 16

Update your profile via Settings

Erasure

Article 17

Delete your account via Settings → Privacy → Delete Account

Restriction

Article 18

Request restriction of processing by contacting us

Portability

Article 20

Download your data in machine-readable JSON format

Objection

Article 21

Opt out of analytics tracking via Settings

Learn more about data deletion
8

Cookies

We use essential cookies required for the Service to function, as well as consent-gated analytics cookies.

If you accept our cookie banner, we use Google Analytics (with anonymized IP addresses) to understand how users interact with our platform. Google Analytics cookies are only set after you give explicit consent. You can withdraw consent at any time by clearing your cookies.

Read our full Cookie Policy
9

Children's Privacy

Our Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.

10

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11

Contact Us

Privacy Inquiries

For privacy-related questions

privacy@scheduleandshare.comContact Page

Your privacy matters to us

We're committed to protecting your data and being transparent about how we use it.

Get Started FreeContact Us