Privacy Policy

Last updated: May 7, 2026

Post Moderator ("we", "us", or "the Service") is a comment moderation platform that helps brand owners and social media managers manage comments on Instagram Business or Creator accounts and TikTok Business accounts via official platform APIs.

We comply with the TikTok Developer Terms of Service, the TikTok API Terms of Service, the Meta Platform Terms, the Instagram Platform Policy, and the GDPR (EU Regulation 2016/679).

1. Data We Collect from Instagram

When an Instagram account is connected, the Service collects and processes the following data through the official Instagram Platform API:

Account ID, username, profile picture URL, and connection status;
Media IDs, permalinks, timestamps, and comment counts;
Comment IDs, comment text, commenter username, commenter ID, timestamps, hidden/deleted status, and reply IDs;
OAuth access tokens required to read comments, receive webhook events, hide or unhide comments, publish approved replies, and perform moderation actions authorized by the account owner;
CRM user data: username, role, account status, session identifiers, and audit log entries.

2. Data We Collect from TikTok

When a TikTok account is connected, the Service collects and processes the following data through the official TikTok API:

Comment text and comment ID;
Video ID (the TikTok post the comment belongs to);
Commenter display name (nickname) and TikTok open_id;
Comment timestamps and reply relationships;
Authenticated account profile: display name, avatar URL, and TikTok account ID;
TikTok API access tokens (stored encrypted at rest, never logged in plain text).

3. How We Use Your Data

We use collected data solely to provide the Service. Specific purposes:

Display comments in the moderation dashboard for review by authorized users;
Apply automated and manual moderation rules (hide, delete, keep, or flag comments);
Generate aggregated sentiment and engagement analytics for the account owner;
Prepare AI-assisted reply drafts — replies are published only after manual approval by an authorized user;
Maintain an audit trail of moderation actions.

4. AI Processing

Comment text may be sent to an AI provider (OpenAI) to classify comments and generate optional reply drafts. We do not use TikTok or Instagram user data to train third-party AI models. AI-generated replies require manual approval before publication.

5. Data Sharing

We do not sell TikTok or Instagram user data to any third party;
We do not share data with advertisers or external analytics providers;
We do not use platform data to train AI models on behalf of third parties;
We share data only with service providers required to operate the Service (hosting, database, AI classification), and only for the purposes described in this policy.

6. Data Storage and Location

All data is stored on servers located in Estonia, European Union — within GDPR jurisdiction.

Data is encrypted in transit (TLS 1.2+) and at rest;
Access tokens are stored encrypted and are never written to logs in plain text;
Access to stored data is restricted to authorized personnel only.

7. Data Retention

Comment data, reply drafts, and moderation logs are retained for 90 days for active connected accounts;
All data associated with an account is deleted within 30 days after account disconnection or service cancellation;
Users may request immediate deletion at any time — see Section 9.

8. Deauthorization

You may revoke the Service's access to your account at any time:

TikTok: Settings & Privacy → Security → Manage app permissions → find "Post Moderator" → Revoke access. When you revoke access, TikTok notifies us automatically and your associated data is queued for deletion within 30 days.
Instagram: Settings → Security → Apps and Websites → find "Post Moderator" → Remove. You may also email us to request immediate data deletion.

9. Your Rights (GDPR)

If you are located in the European Union, you have the right to:

Access the personal data we hold about you;
Rectify inaccurate data;
Request erasure of your data ("right to be forgotten");
Object to processing or request restriction of processing;
Lodge a complaint with a supervisory authority.

To exercise these rights or to request data deletion, visit our Data Deletion page or email info@postmoderator.com.

10. Security

Access to the CRM is protected by login, role-based permissions, session management, and CSRF protection. We conduct periodic security reviews of API access and stored credentials.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the most recent update at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data access requests, or deletion requests:
Email: info@postmoderator.com