Privacy Policy

Introduction

At Outstand ("we," "our," or "us"), we are committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our API-only social media scheduling service. We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Information We Collect

Personal Data

When you create an account, we collect information that identifies you as an individual, including your name, email address, and billing information necessary to provide our services.

API Usage Data

We collect information about your API usage, including request logs, response times, API endpoints accessed, error logs, and usage patterns to ensure service quality, security, and accurate billing.

Website Usage and Tracking Data

When you visit our website or use our services, we automatically collect certain information about your device and usage patterns, including:

• IP address and geolocation data
• Browser type, version, and language preferences
• Device type, operating system, and screen resolution
• Pages visited, time spent on pages, and navigation paths
• Referring website or source
• Date and time of access
• Click data and interaction patterns

This data is collected through cookies, web beacons, and similar tracking technologies. We use analytics services (including PostHog) to analyze this data and improve our website's functionality and user experience.

Social Media Content

We temporarily process the social media content you schedule through our API to deliver it to the appropriate platforms. This includes post text, images, videos, metadata, and scheduling information. This content is processed in real-time and is not stored permanently on our servers after delivery.

Social Media Account Credentials

We store encrypted OAuth tokens and access credentials for your connected social media accounts to enable post scheduling and publishing on your behalf.

Legal Basis for Processing Personal Data

Under GDPR, we process your personal data based on the following legal grounds:

• Contractual Necessity: Processing is necessary to provide our services under our Terms of Service
• Legitimate Interests: We process certain data (like usage analytics and IP addresses) for security, fraud prevention, service improvement, and business operations, provided these interests don't override your rights
• Consent: Where required by law, we obtain your explicit consent for specific processing activities, such as marketing communications and non-essential cookies
• Legal Obligations: Processing is necessary to comply with legal requirements, such as tax laws and regulatory obligations

How We Use Your Information

We use the collected data for the following purposes:

• To provide, maintain, and improve our API services
• To process and schedule your social media posts on connected platforms
• To calculate usage-based billing ($1/month per account + $0.01 per post)
• To authenticate users and secure accounts
• To provide customer support and respond to your inquiries
• To analyze website usage and user behavior to improve our services
• To monitor and prevent fraudulent activities, security threats, and abuse
• To develop new features and functionality
• To send service-related communications and updates
• To comply with legal obligations and enforce our terms

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your website usage. Cookies are small data files stored on your device. We use the following types of cookies:

• Essential Cookies: Required for website functionality, authentication, and security
• Analytics Cookies: Help us understand how visitors interact with our website
• Performance Cookies: Track and improve website performance and user experience

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our service.

Data Sharing and Disclosure

We do not sell, trade, or rent your personal data to third parties. We may share your information with:

• Service Providers: Third-party vendors who assist in operating our services (hosting, payment processing, analytics), subject to strict confidentiality agreements and GDPR compliance
• Social Media Platforms: To deliver your scheduled content to Twitter, LinkedIn, Facebook, Instagram, and other connected platforms
• Legal Authorities: When required by law, legal process, or to protect our rights, safety, and property
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) where our service providers operate. When we transfer your data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions recognizing equivalent data protection standards
• Binding corporate rules and certification mechanisms

Data Security

We implement comprehensive technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction, including:

• End-to-end encryption for all API communications using TLS/SSL protocols
• Encrypted storage of sensitive data, including social media access tokens
• Regular security audits and vulnerability assessments
• Access controls and authentication mechanisms
• Employee training on data protection and security practices
• Incident response and breach notification procedures

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but continually work to enhance our security measures.

Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy:

• Account Information: Retained for as long as your account is active, plus 90 days after account deletion (for recovery purposes)
• Social Media Content: Processed and delivered immediately, not stored permanently after delivery
• Usage Logs and API Data: Retained for up to 2 years for billing, analytics, and service improvement
• Website Analytics Data: Retained for up to 26 months
• Billing Records: Retained for 7 years to comply with tax and accounting regulations

After the retention period, we securely delete or anonymize your data.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

• Right to Access: Request confirmation of whether we process your personal data and obtain a copy of your data
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure (Right to be Forgotten): Request deletion of your personal data under certain conditions
• Right to Restrict Processing: Request limitation on how we process your data in specific circumstances
• Right to Data Portability: Request transfer of your data to another organization in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw previously given consent at any time (where processing is based on consent)
• Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority if you believe your rights have been violated
• Right to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or significant effects

To exercise any of these rights, please contact us at support@outstand.so. We will respond to your request within 30 days in accordance with GDPR requirements. We may need to verify your identity before processing your request.

Third-Party Services

Our service integrates with various social media platforms (Twitter/X, LinkedIn, Facebook, Instagram, etc.) and third-party service providers to deliver your content and operate our services. Each platform and provider has its own privacy policy and terms of service that govern how they handle your data. We are not responsible for the privacy practices of these third parties.

Key third-party services we use include:

• Analytics and monitoring services (PostHog)
• Payment processing providers
• Cloud infrastructure providers (Cloudflare, Neon)
• Social media platforms for content delivery

Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal information, please contact us immediately at support@outstand.so, and we will take steps to delete such information.

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and 34.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice on our website

Your continued use of our services after changes take effect constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, including exercising your GDPR rights, please contact us at:

We are committed to resolving any concerns you may have about your privacy and personal data in a timely and transparent manner.