Leannoku · Privacy policy
Last Updated: May 18, 2026
This Privacy Policy describes how Leannoku ("we", "us", "our") collects, uses, stores, and deletes your information when you connect Facebook Pages or Instagram Business accounts to Leannoku to schedule and publish posts. Leannoku is operated by Outspirations MB, a private company registered in Lithuania (registry code 305739215).
Leannoku is the post scheduler product under the Leannoku brand. The generic Leannoku privacy policy at /privacy covers other Leannoku products. This page is the authoritative privacy notice for Leannoku and the data shared via Facebook and Instagram.
1. Data we collect
Account data
- Email address (for sign-in, scheduling notifications, account recovery)
- Name (optional, only if you provide it)
- Password hash (we never store plaintext passwords)
Data we receive from Facebook and Instagram via OAuth
When you connect your Facebook account and authorize Leannoku, Meta returns the following to us:
- A user access token (encrypted at rest)
- Page access tokens for each Facebook Page you choose to manage
- The list of Facebook Pages you administer (Page ID, name, picture)
- Linked Instagram Business account IDs and basic profile (username, profile picture)
- Business Manager identifiers (only used to scope your accounts cleanly)
Data we create on your behalf
When you schedule and publish posts via Leannoku, we store:
- The post content you provide (caption, media, scheduled time, target channels)
- The platform post ID returned by Facebook or Instagram after publishing
- Engagement metrics for posts we published (likes, comments, reach) — only for posts created via Leannoku
- Publish status, error reasons, and timestamps
Technical and usage data
- IP address and basic device data (for security and abuse prevention)
- Product usage events via PostHog (anonymized, first-party)
- API request logs (endpoint, timestamp, no request bodies)
- Error logs and stack traces (no third-party post content)
2. How we use the data
- Provide the service: publish, schedule, and report on posts to the Facebook Pages and Instagram Business accounts you connect
- Operate the scheduler worker: fire scheduled posts at the chosen time
- Show you status: display engagement and publish status back to you inside Leannoku
- Security: detect abusive or suspicious activity, prevent token theft
- Improve the product: aggregated, non-identifying analytics on feature usage
We do not sell, rent, or share your data with third parties for marketing purposes. We do not use your Facebook or Instagram data to train AI models.
3. Legal basis for processing (GDPR)
For users in the European Economic Area, our legal basis for processing your data is:
- Contract performance (Art. 6(1)(b) GDPR): to provide the scheduling and publishing service you signed up for
- Legitimate interest (Art. 6(1)(f) GDPR): security, abuse prevention, product improvement on aggregated data
- Consent (Art. 6(1)(a) GDPR): for the Facebook and Instagram scopes you grant via OAuth, which you may withdraw at any time by disconnecting
4. Storage and security
- Application database: PostgreSQL hosted on Railway
- All data encrypted in transit (HTTPS/TLS)
- All data encrypted at rest
- Facebook and Instagram access tokens are stored encrypted with application-level keys (envelope encryption)
- Passwords are hashed with bcrypt
- Access to production systems is restricted to essential personnel
5. Data retention and deletion
- Access tokens: deleted within 30 days of channel disconnect or account closure
- Post history (caption, scheduled time, platform post ID): deleted within 30 days of account closure
- Account record: deleted within 30 days of account closure
- Engagement metrics: deleted with the parent post
- Aggregated analytics: we may retain non-identifying aggregates (counts, distributions) indefinitely
- Tax and financial records: retained for the period required by Lithuanian and EU law
To request immediate deletion before the 30-day window expires, see /post/data-deletion.
6. Third-party processors
We share data with the following processors to operate Leannoku:
- Meta (Facebook, Instagram): the platforms we publish to; access via Graph API under the scopes you grant
- Railway: application hosting and PostgreSQL database (United States)
- Cloudflare: CDN, marketing site hosting, DNS (European Union)
- PostHog: anonymized product analytics (European Union region)
Each processor is bound by a data processing agreement. We use only processors that meet GDPR requirements.
7. Your rights
You have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Request a portable export of your data
- Disconnect any Facebook or Instagram channel at any time
- Withdraw consent for the scopes you granted (by disconnecting from Leannoku or revoking the app inside Facebook settings)
- Lodge a complaint with your local data protection authority (in Lithuania: the State Data Protection Inspectorate, vdai.lrv.lt)
To exercise these rights, contact [email protected]. We respond within 30 days.
8. Children
Leannoku is not directed at children under 16. We do not knowingly collect data from anyone under 16. Meta's own platform policies also require users to be at least 13.
9. International transfers
Some processors (Railway) are based in the United States. Transfers outside the EEA are governed by Standard Contractual Clauses.
10. Cookies
We use session cookies for authentication. We do not use third-party advertising cookies. PostHog uses a first-party cookie for anonymized product analytics.
11. Changes to this policy
We may update this Privacy Policy. We will notify connected users by email of material changes at least 14 days before they take effect, and we update the "Last Updated" date above.
12. Contact
Outspirations MB (operator of Leannoku and the Leannoku brand)
Registry code: 305739215
Address: Alekniškio vs. 10, Širvintų r., Lithuania
Email: [email protected] (primary)
Fallback: [email protected]
Phone: +370 665 98324