Privacy Policy

Your privacy is important to us. This Privacy Policy explains what information BestPostingTimes collects about you and your Instagram account, how we use and share that information, and your rights regarding your data. BestPostingTimes is committed to handling your personal data in a transparent and secure manner in accordance with the European Union’s General Data Protection Regulation (GDPR) and applicable Polish data protection laws. By using BestPostingTimes, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service. We may update this Privacy Policy from time to time (we will notify you of any material changes), so please review it periodically.

Information We Collect

When you use BestPostingTimes, we collect certain information from and about you to provide and improve our services. This includes:

Account Information

When you register or sign in to BestPostingTimes, we collect information such as your name and email address. For example, if you sign up with Google Sign-In, we receive your Google account email and possibly your name. If you create an account via our own system, you may provide an email and create a password (passwords are stored securely in hashed form).

Authentication Tokens

To access your Instagram data, BestPostingTimes uses OAuth tokens or access keys provided by Instagram when you connect your Instagram account. We store your Instagram Access Token securely. This token allows our application to request your Instagram data on your behalf. We also store session tokens or cookies (from our authentication system, Supabase) to keep you logged into BestPostingTimes. These tokens contain identification information (like a user ID) so that our system recognizes your authenticated session (see our Cookie Policy for more details on these).

Instagram Account Data

Once authorized, we collect data from your Instagram account through the Instagram API. This can include:

  • Profile Information: Your Instagram username, account ID, profile picture URL, and bio, as allowed by Instagram.
  • Media Data: Information about the content you have posted on Instagram, such as your photos, videos, captions, timestamps of posts, and possibly thumbnails or URLs of media (we do not store the media files themselves, only references or data needed for analytics).
  • Engagement Metrics: Statistics associated with your Instagram content and account, such as the number of likes, comments, views, shares on your posts; follower count and following count; and other interactions or metrics that Instagram’s API provides (e.g., impressions, reach, profile views if available).
  • Audience Insights: If available via Instagram, aggregated information about your audience (for example, breakdown of followers by age range, gender, or location, and times of day or days of week when your followers are most active) – this helps us show you insights like “best posting times” or audience demographics.
  • Analytics Results: The analytics and reports we generate from the raw Instagram data, such as engagement rates, growth charts, or content performance rankings. (Note: These results are computed by BestPostingTimes from the data above. We may store these results for your convenience so you can view historical analytics without re-fetching old data from Instagram repeatedly.)

Payment Information

If you subscribe to our Pro Plan or make any purchase through BestPostingTimes, you will provide payment details. Payment transactions are processed by Stripe, our third-party payment processor. When you enter your credit card or payment information, it is transmitted directly to Stripe. We do not store your full card number or CVC on our servers. We do receive and store certain payment-related information from Stripe, such as: your name, email, billing address (if provided), the type of subscription you purchased, payment method type (e.g., Visa and the last 4 digits of the card), subscription start and end dates, and payment status. This information is necessary for billing, account management, and customer support.

Usage Data

Like most online services, we automatically collect some basic information about how you interact with BestPostingTimes. This may include your IP address, device type, browser type, approximate location (e.g., city or country), the pages or features you access on our Service, and the timestamps of your activities. We collect this to monitor for security (e.g., recognizing suspicious login attempts) and to analyze and improve our Service’s performance. We do not profile or track you across other sites, and we do not collect any more usage data than necessary to run BestPostingTimes effectively.

Cookies and Similar Technologies

We use cookies or similar technologies to authenticate you and remember your settings. For detailed information, please see our separate Cookie Policy. In summary, these cookies include session cookies (to keep you logged in) and any preferences. They may also include cookies used by third-party providers like Google (for sign-in) or Stripe (for payment processing pages). Any personal data collected via cookies (such as a user identifier) is treated in accordance with this Privacy Policy.

We limit our collection to information that is relevant for the purposes described below. You have choices about providing information: for example, you can choose not to connect your Instagram account (but then you won’t be able to use the analytics features), or you can choose not to subscribe (and just use the free features without providing payment info).

How We Use Your Information

BestPostingTimes uses the collected information for the following purposes:

  • Provide and Operate the Service: We use your data to log you in, fetch your Instagram analytics, and display personalized insights to you. For instance, your Instagram token and account ID allow us to retrieve your Instagram posts and engagement stats and then calculate analytics (like your average engagement rate or best posting times) which we show in your dashboard. Without this data, we cannot provide the core functionality of BestPostingTimes.
  • Service Improvement and Analytics: Internally, we may use aggregated data (across many users) to understand usage patterns, fix technical issues, and improve our features. For example, we might analyze which features are used most or check system logs to debug a problem. This may involve reviewing some user interactions or metrics, but we do not use your personal content for any purpose other than to enhance the Service for you and other users. Any analytics we perform on usage data will typically use anonymized or aggregated data where possible (not tied to your identity).
  • Authentication and Security: We use your account credentials (like session cookies or tokens) to keep you logged in securely and to prevent unauthorized access to your account. Your email may be used for verification or password reset if applicable. We also use information like IP addresses or device information to detect and prevent fraudulent or unauthorized activity. For example, if we notice an unusual login attempt, we might use the IP or device data to block the attempt or notify you.
  • Communication: We may use your email address to send important notifications related to the Service. These communications include: confirming your account signup, sending you receipts or invoices for subscription payments, alerting you about important changes or issues (like updates to terms or privacy policy, security alerts, or if the Service is undergoing maintenance). If you explicitly opt-in to marketing communications (not required to use the Service), we might also send newsletters, product updates, or promotional offers. You can opt out of marketing emails at any time. Transactional or essential emails (like billing receipts or critical notices) will still be sent as needed for the Service.
  • Subscription and Billing Management: If you are a Pro Plan subscriber, we use your information to manage your subscription. This includes processing payments (via Stripe), reminding you of upcoming renewals, handling billing inquiries or disputes, and providing customer support related to your subscription. For example, if your payment method expires, we might email you to update it. We also maintain records of your payments for accounting, tax, and compliance purposes.
  • Compliance with Legal Obligations: In certain cases, we may need to use or disclose your information to comply with legal obligations, such as responding to lawful requests by public authorities, complying with finance/tax regulations (e.g., keeping transaction records for a required period), or to enforce our Terms of Use. We will only disclose the minimum necessary information and only when required by law (see also “Data Sharing” below).
  • Other Purposes (with your consent): If we ever need to use your personal information for purposes other than those listed above, we will ask for your consent if required by law. For instance, if we wanted to publish a testimonial you gave with your name or wanted to use your data in a new way, we would obtain your permission.

Our legal bases for processing personal data under GDPR include: performance of a contract (providing you the Service as per our Terms of Use), legitimate interests (such as improving our Service, ensuring security, and managing subscriptions, in ways that do not override your privacy rights), and consent (where applicable, such as for optional marketing communications or certain cookie uses). Where we rely on consent, you have the right to withdraw that consent at any time.

How We Store and Protect Your Data

Your data security is a top priority for us. We use industry-standard practices to store and safeguard the information we collect:

  • Data Storage Location: We utilize Supabase (a third-party cloud platform) for our database and authentication infrastructure. This means your data (including account info, Instagram metrics, analytics results, etc.) is stored on Supabase’s servers on our behalf. We strive to choose data storage options that are in regions with strong data protection standards (for example, Supabase offers hosting in various regions, and we aim to store EU users’ data in EU data centers when possible). Regardless of location, all data is handled in compliance with GDPR requirements through appropriate safeguards (see “International Data Transfers” below if data is stored or accessed outside the European Economic Area).
  • Encryption: We enforce encryption in transit by using HTTPS for all communications between your browser and our servers. This means any data (like your login credentials or analytics data) is encrypted while being transmitted to or from BestPostingTimes. For sensitive tokens (like your Instagram access token and session tokens), we store them in a secure manner (for example, in our database or authentication service with encryption at rest or as securely hashed values where feasible). Stripe handles your payment details using their own strong encryption and security measures (we never see your raw credit card number).
  • Access Controls: Access to personal data in our system is restricted on a need-to-know basis. Only authorized personnel or service processes (for example, the parts of our application that need to fetch data from Instagram) are allowed to access personal information, and only to fulfill the purposes outlined in this policy. Our team is trained on data protection principles and obligated to keep your data confidential. Administrative access to the database or systems requires authentication and is logged.
  • Security Measures: We implement various technical and organizational measures to prevent unauthorized access, loss, or alteration of data. These measures include firewalls and network security configurations, regular software updates and patching, monitoring for suspicious activities or vulnerabilities, and backups of data. We also have procedures for handling any suspected data breaches, including notifying users and authorities as required by law.
  • No Absolute Guarantee: While we work hard to protect your information, no system is impenetrable. We cannot guarantee absolute security of data. However, we do have a response plan in place. In the unlikely event of a data breach or security incident affecting your personal data, we will promptly inform affected users and relevant authorities as required by GDPR and take necessary steps to mitigate harm.

By using BestPostingTimes, you understand that your information will be stored and processed as described above. If you have specific questions about our security practices, please contact us (see “Contact Us” at the end of this policy).

Data Sharing and Disclosure

We treat your personal data with care and do not sell or rent your information to third parties. However, in order to operate the Service and fulfill the purposes described, we share certain data with third parties under strict conditions:

  • Instagram (Meta Platforms, Inc.): BestPostingTimes uses the Instagram Graph API (or Instagram Basic Display API) to retrieve your Instagram account data. When you connect your Instagram account to BestPostingTimes, you are authorizing us to access your Instagram data through this API. In practice, this means our servers will communicate with Instagram’s servers: we send your access token and requests (for example, “get the list of my recent posts and their metrics”) and Instagram responds with the data. We do not provide Instagram with any new personal information about you beyond the authentication token and the fact that our request is for your data. However, your use of BestPostingTimes to connect to Instagram is also governed by Instagram/Meta’s own privacy policy and platform terms. Instagram, as the provider of the data, may log API requests and usage. We have no control over Instagram’s internal use of that data, but they generally use it to ensure compliance and service functionality. We only access your Instagram data with your permission and do not share that data with any parties other than as described in this policy.
  • Stripe: We use Stripe to process subscription payments. When you enter payment information, you are interacting with Stripe’s system (either via an embedded Stripe form or a redirect). Stripe will receive your credit card number, CVV, expiration date, billing zip code, and other necessary details to process the transaction. Stripe may also receive your email and name to send receipts or for fraud prevention. Stripe acts as a data processor and in some contexts, an independent data controller for your payment information. We share only the information with Stripe that is necessary for processing payments (and any future refunds or subscription management). All such data is transmitted securely, and Stripe is PCI-DSS compliant. We receive from Stripe a confirmation of payment and certain identifiers (like a customer ID, subscription ID, last4 of card, payment status). Stripe’s use of your data is governed by Stripe’s Privacy Policy. We encourage you to review Stripe’s privacy practices if you have concerns.
  • Supabase: Supabase is our cloud service provider for database, authentication, and possibly file storage. As such, Supabase is a data processor for us: it stores and processes data under our instructions. Supabase’s infrastructure may technically have access to your data for purposes of hosting and backups, but they will not use your data for any purpose except to provide services to BestPostingTimes. We have a data processing agreement with Supabase to ensure your data is protected according to GDPR standards. Supabase may engage its own subprocessors (like cloud hosting providers) to store the data, but those are also bound by data protection requirements.
  • Google Sign-In (OAuth): If you choose to sign in or register using Google Sign-In, some data exchange with Google occurs. Specifically, when you click “Sign in with Google,” you will be redirected to Google’s authentication service, where you will enter your Google credentials and grant permission to share your basic profile info (such as your name, email, and Google profile ID) with BestPostingTimes. After you consent, Google provides us with an authentication token and the mentioned profile info. We use that information to log you into BestPostingTimes and create your account profile. We do not send any data from BestPostingTimes to Google apart from what is necessary for the sign-in process (which mainly involves confirming your token). Google may place certain cookies or trackers as part of the OAuth process (see our Cookie Policy). Google’s handling of your data (like your Google account credentials) is governed by Google’s Privacy Policy, and we do not control their systems. We do not share your Instagram data or BestPostingTimes usage data with Google.
  • Analytics or Logging Services: Currently, BestPostingTimes does not use external analytics platforms like Google Analytics for tracking users on our site. If we ever introduce an analytics or error tracking service, we will update this policy. Any such service would only receive pseudonymous data (like device info or errors) and not your Instagram content.
  • Legal Compliance and Protection: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose information if we believe in good faith that such action is necessary to (i) comply with a legal obligation or regulatory requirement, (ii) protect and defend the rights or property of BestPostingTimes, (iii) prevent or investigate possible wrongdoing in connection with the Service (such as fraud or security issues), (iv) protect the personal safety of users or the public, or (v) protect against legal liability. In all such cases, we will only provide the information that is necessary and will, to the extent allowed by law, inform affected users of the disclosure.
  • Business Transfers: If BestPostingTimes (or the company/individual that operates it) is involved in a merger, acquisition, sale of assets, or reorganization, your data may be transferred to the succeeding entity or prospective buyer as part of that transaction. We will ensure that any such party is bound to respect your personal data in a manner consistent with this Privacy Policy. We will notify you (for example, via email or a notice on our site) of any change in ownership or use of your personal data, as well as any choices you may have regarding your personal data in that event.
  • With Your Consent: Aside from the cases above, if there is ever a need to share your information with any other third party for a purpose outside the scope of this Privacy Policy, we will ask for your explicit consent. For example, if we wanted to feature your success story on our blog and mention your statistics, we would only do so if you agree.

Importantly, we do not sell your personal information to third parties for advertising or marketing purposes. We also do not share your data with third-party advertisers or social networks for their independent use. Any third parties that process your data do so on our behalf (as service providers) or in collaboration to provide the service you expect, and they are bound by contractual agreements to protect your information.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements:

  • Account Data: If you have a BestPostingTimes account, we will keep your account information, Instagram data, and analytics results for as long as your account is active. All the data remains available so you can see historical analytics and have a continuous experience. If you decide to delete your BestPostingTimes account or if you are inactive for an extended period, we will initiate deletion of your personal data. Typically, upon account deletion (whether initiated by you or due to inactivity/termination), we will remove or anonymize personal data within a reasonable period (usually within 30 days), except for any data we are required to keep longer.
  • Instagram Access: If you disconnect your Instagram account or revoke BestPostingTimes’s access to your Instagram data, we will no longer retrieve new data from your Instagram. However, we may retain the previously collected Instagram data and analytics for your account unless you delete your BestPostingTimes account or request deletion. This is so you have a record of past analytics. If you want this data removed, you can request deletion as described below.
  • Subscription and Payment Records: We retain payment transaction records, invoices, and subscription history as long as needed for financial reporting and compliance. For example, under certain laws we may need to keep records of payments for a number of years (e.g., for tax or audit purposes). This information will typically include your contact info and details of the transaction, but not sensitive payment details like full credit card numbers (which we do not store).
  • Logs and Security Data: Our server logs and security records (which may include IP addresses, login history, and other usage data) are typically retained for a short period for monitoring and security (for example, 90 days), unless we need to keep them longer for investigating a specific incident or as required by law.
  • Backups: Our system may keep backup copies of data, which are rotated and purged regularly. There could be a short delay (a few additional days) after deletion before data is fully removed from all backup systems. We ensure that any retained backups are stored securely and eventually deleted or overwritten in the normal backup cycle.

When we no longer have a legitimate need or legal obligation to retain your personal information, we will securely delete it or anonymize it so that it can no longer be associated with you. If deletion is not immediately possible (for instance, because the data is stored in backups), we will ensure it remains securely protected and isolated from further use until it can be deleted.

Your Rights and Choices

As a user of BestPostingTimes and as a data subject under GDPR (for users in the EU and similar jurisdictions), you have several rights regarding your personal data. We are committed to honoring these rights. Below is a summary of your key rights and how you can exercise them:

  • Access Your Data: You have the right to request a copy of the personal data we hold about you. This includes information in your profile, your Instagram data stored on our system, and logs of interactions. We can provide this in a common electronic format. For example, you can request that we export your data such as the analytics results we have for your account.
  • Rectification (Correct Your Data): If you believe that any personal data we have is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, if your email address has changed or if some of your Instagram data in our system is outdated due to changes on Instagram, let us know and we will update our records if we have that data stored. (Note: Some data like Instagram metrics update automatically when we fetch new data, but historical records remain as originally stored. We can update or remove those if needed upon request.)
  • Deletion (Right to be Forgotten): You have the right to request the deletion of your personal data. You can achieve this by deleting your account via our interface (if the feature is available) or by contacting us to request deletion. We will then erase your personal information from our active databases. Keep in mind, as noted in Data Retention, we might retain certain information for legal compliance or legitimate purposes (which we would communicate to you if applicable). Once your data is deleted, your BestPostingTimes account will no longer be accessible.
  • Data Portability: You have the right to obtain your personal data in a format that can be moved to another service. Typically, this would apply to data you provided directly or that was collected via your usage. We can provide you, upon request, with a structured, commonly used, machine-readable file (for example, a CSV or JSON file) containing your data, such as your basic account info and any Instagram analytics data we have processed for you.
  • Withdraw Consent: In cases where we rely on your consent to process data, you have the right to withdraw that consent at any time. For example, if you gave consent to receive marketing emails, you can opt out at any time (each marketing email will have an unsubscribe link, or you can adjust settings in your profile if available). Withdrawing consent for a particular processing activity does not affect the legality of processing done before your withdrawal. Note that much of our processing is based on contract (providing you the service) or legitimate interest, not consent, but where applicable (like certain cookies or marketing), you have full control.
  • Object to Processing: You have the right to object to our processing of your data in certain situations. For example, if we were to process your data for direct marketing (which we currently do not without consent) or for some legitimate interests, and you feel this impacts your rights, you can object. If you object, we will evaluate your request and will stop or adjust processing unless we have compelling legitimate grounds to continue or it’s needed for legal reasons.
  • Restriction of Processing: You can request that we limit processing of your data in certain circumstances – for instance, while a complaint or request to correct your data is being resolved. This means we would store your data but not use it until the issue is resolved.
  • Automated Decision-Making: BestPostingTimes does not make any decisions that significantly affect you based solely on automated decision-making or profiling. Our analytics provide insights, but any actions (like what to post or when) are decided by you, not by our system automatically on your behalf. If this ever changes, you would have rights related to automated decisions (like the right to human review of a decision).
  • Complaints: If you believe your data protection rights have been violated, you have the right to file a complaint with a supervisory authority. BestPostingTimes is based in Poland, so our lead supervisory authority is the Polish Personal Data Protection Office (UODO). You can contact the UODO or your local EU data protection authority. Of course, we hope to resolve any issue directly and encourage you to contact us first to work out any concern.

To exercise any of your rights, please contact us using the contact information provided at the end of this Privacy Policy. We will respond to your request as soon as possible, and in any case within the timeframe required by law (under GDPR, typically within one month). For security, we may need to verify your identity before fulfilling certain requests (for example, to ensure that the person requesting data deletion is actually the account owner). There is generally no charge for exercising your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request (as allowed by law), but we will explain our reasoning in such cases.

International Data Transfers

Where Your Data May Be Processed: BestPostingTimes is operated from Poland, but we use third-party services that may be located in other countries. When you use BestPostingTimes, your personal data may be transferred to and stored in servers located in countries outside of your own country. If you are in the European Economic Area (EEA) or another region with data protection laws, this means your data might be transferred to countries outside the EEA, potentially including the United States (for services like Stripe, Google, and possibly Supabase or Instagram’s servers).

Protection Measures: Whenever we transfer your data outside of the EEA, we ensure appropriate safeguards are in place as required by GDPR. These safeguards may include:

  • Relying on adequacy decisions (which apply to certain countries that the European Commission has deemed to have adequate data protection).
  • Implementing Standard Contractual Clauses (SCCs) with our service providers, which are contractual commitments approved by the EU to protect personal data transferred outside Europe. For instance, our agreements with Supabase and Stripe include data protection clauses that commit them to GDPR-level standards.
  • Ensuring that, where possible, our service providers participate in recognized frameworks (for example, the EU-U.S. Data Privacy Framework, if applicable in the future) or have binding corporate rules.

We only transfer data as necessary for the services we use, and each service provider is contractually bound to process personal data in compliance with applicable data protection laws.

Your Choices: By using BestPostingTimes and submitting information to us, you acknowledge that your information may be transferred to and processed in countries other than your own. If you prefer not to have your data transferred outside your country or the EEA, we understand, but please be aware that in that case we might be unable to provide our Service (since key functionality like Instagram access and payment processing inherently involves U.S.-based companies). We will always endeavor to keep your data protected no matter where it is processed. If you have questions about our data transfer practices or want more details about the safeguards in place, feel free to contact us.

Children’s Privacy

BestPostingTimes is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13 years old. If you are under 13, you should not use our Service, and under our Terms of Use you are not permitted to do so. If we become aware that we have inadvertently collected personal data from a child under 13 (or under the applicable age of consent in their jurisdiction, which might be higher), we will take steps to delete that information promptly. If you are a parent or guardian and believe that a child under your care has provided us with personal information, please contact us so we can investigate and delete any such data. (Note: As Instagram itself requires users to be 13 or older, and our Service is for Instagram account holders, we generally will not encounter data from children under 13.)

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email (sent to the address associated with your account) or by placing a prominent notice on our website or within the app prior to the change becoming effective. The “Effective Date” at the top of this policy indicates when the current version took effect. We encourage you to review this Privacy Policy periodically for any updates. Continued use of BestPostingTimes after any changes to this policy constitutes your acceptance of the revised terms, to the extent permitted by law.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We are here to help and address any issues you might have about privacy. Contact Information:

  • Email: BestPostingTimes@gmail.com (for general support, which will route privacy questions appropriately)
  • Address: BestPostingTimes – Jakub Nowikowski, ul. Legionów 102B/73, 81-472 Gdynia, Poland.

We will respond to your questions or requests as soon as possible, and no later than as required by law. Thank you for trusting BestPostingTimes with your Instagram analytics needs – we are committed to keeping that trust by respecting and protecting your privacy.