Privacy Policy
This Privacy Policy describes how Slap Post, operated by Jessyka Mathews (sole proprietor), handles your personal data. Slap Post is an iOS app that schedules text posts to your X (Twitter) account.
1. What we collect
- Account info: your email address (if you sign up with email) or your Apple-provided private relay address (if you sign in with Apple).
- Subscription state: whether you have an active Slap Post subscription, mirrored from Apple's App Store Server Notifications.
- Your scheduled posts: the text content of each scheduled post and the time you scheduled it for. Stored until you delete the post or your account.
- Your X connection: the OAuth access + refresh tokens we receive when you connect your X account, plus your X username and numeric X user ID. Tokens are encrypted at rest in Supabase Vault (pgsodium-backed encryption).
- Server logs: limited request logs (IP, timestamp, endpoint) for security and abuse prevention. Retained for 30 days.
We do not collect your X password (we never see it — only OAuth tokens), your contacts, your photos, your location, your device identifiers for advertising, or any tracking pixels.
2. Why we collect it
- To authenticate you (email / Apple).
- To gate features behind your subscription state.
- To fire your scheduled posts to X at the time you chose.
- To respond to support emails you send us.
- To prevent abuse of the service.
3. Where it lives
All data lives in our Supabase project (Postgres, hosted in the United States). X OAuth tokens are stored encrypted via Supabase Vault. The plaintext tokens never appear in logs and are decrypted only at the moment a scheduled post fires.
Server functions run on Netlify. Subscription notifications are received from Apple's App Store servers.
4. Who we share it with
We do not sell your data. We share data only with infrastructure providers strictly necessary to operate the service:
- Apple (App Store subscription state, Sign in with Apple).
- Supabase (database + auth provider).
- Netlify (web hosting + serverless functions).
- X / Twitter (when we publish your scheduled posts to your X account on your behalf, via the official X API).
Each provider has its own privacy policy and processes data in line with industry standards.
5. Your rights
- Access: email hello@slapsocial.app and we'll send you a copy of your data within 30 days.
- Disconnect X: from in-app Settings → Disconnect X. Immediately deletes the encrypted tokens and revokes them on X's side.
- Delete your account: from in-app Settings → Delete account. Permanently removes your account, scheduled posts, and X tokens within 24 hours. Does not cancel your Apple subscription — cancel that separately in iOS Settings.
- EU/UK residents have GDPR/UK GDPR rights (access, rectification, erasure, portability, restriction, objection). Email us to exercise them.
- California residents have CCPA rights (know, delete, opt out of sale). We do not sell personal data.
6. Children
Slap Post is not directed at children under 13. If you believe a child has provided us data, contact us and we will delete it.
7. Tracking
Slap Post does not perform any cross-app or cross-site tracking. There is no Apple ATT prompt because we don't track. We don't use Google Analytics, Meta Pixel, or any third-party advertising SDKs in the iOS app.
8. Security
We use TLS in transit, encryption at rest for X OAuth tokens, Row Level Security on the database, and least-privilege service-role keys held only by server-side functions. No system is perfectly secure; we will notify affected users of any material data breach within 72 hours of discovery.
9. Changes
We may update this Policy. Material changes will be announced in the app and on slappost.app. The "Last updated" date at the top reflects the most recent change.
10. Contact
Privacy questions, data requests, deletion: hello@slapsocial.app.
Operator: Jessyka Mathews, sole proprietor.