Privacy Policy.
This Privacy Policy describes how Slap Post, operated by Jessyka Mathews (sole proprietor), handles your personal data. Slap Post is an iOS app that schedules text posts to your X (Twitter) account.
1. What we collect
- Account info: your email address (if you sign up with email) or your Apple-provided private relay address (if you sign in with Apple).
- Subscription state: whether you have an active Slap Post subscription, mirrored from Apple's App Store Server Notifications.
- Your scheduled posts: the text content of each scheduled post and the time you scheduled it for. Stored until you delete the post or your account.
- Your X connection: the OAuth access + refresh tokens we receive when you connect your X account, plus your X username and numeric X user ID. Tokens are encrypted at rest in Supabase Vault (pgsodium-backed encryption).
- Server logs: limited request logs (IP, timestamp, endpoint) for security and abuse-prevention. Retained 30 days.
- Performance diagnostics: Apple's MetricKit collects aggregated performance metrics (cold-launch time, hitch rate, memory usage) and crash/hang diagnostics. We forward anonymized summaries to our backend to monitor app health. No personal identifiers are included.
We do not collect your X password (we never see it — only OAuth tokens), your contacts, your photos, your location, your device identifiers for advertising, or any tracking pixels.
2. Why we collect it
- To authenticate you (email / Apple).
- To gate features behind your subscription state.
- To fire your scheduled posts to X at the time you chose.
- To respond to support emails you send us.
- To prevent abuse of the service.
3. Where it lives
All data lives in our Supabase project (Postgres, hosted in the United States). X OAuth tokens are stored encrypted via Supabase Vault. The plaintext tokens never appear in logs and are decrypted only at the moment a scheduled post fires.
Server functions run on Netlify. Subscription notifications are received from Apple's App Store servers.
4. Who we share it with
We do not sell your data. We share data only with infrastructure providers strictly necessary to operate the service:
- Apple (App Store subscription state, Sign in with Apple).
- Supabase (database + auth provider).
- Netlify (web hosting + serverless functions).
- X / Twitter (when we publish your scheduled posts to your X account on your behalf, via the official X API).
Each provider has its own privacy policy and processes data in line with industry standards.
5. Your rights
- Access: email hello@slapforge.com and we'll send you a copy of your data within 30 days.
- Disconnect X: from in-app Settings → Disconnect X. Immediately deletes the encrypted tokens and revokes them on X's side.
- Delete your account: from in-app Settings → Delete account. Permanently removes your account, scheduled posts, and X tokens within 24 hours. Does not cancel your Apple subscription — cancel that separately in iOS Settings.
- EU/UK residents have GDPR/UK GDPR rights (access, rectification, erasure, portability, restriction, objection). Email us to exercise them.
- California residents have CCPA rights (know, delete, opt-out of sale). We do not sell personal data.
6. Children
Slap Post is not directed at children under 13. If you believe a child has provided us data, contact us and we will delete it.
7. Tracking
Slap Post does not perform any cross-app or cross-site tracking. There is no Apple ATT prompt because we don't track. We don't use Google Analytics, Meta Pixel, or any third-party advertising SDKs in the iOS app.
8. Cross-promotion of sister apps
Slap Post displays in-app banners promoting our sister app Slap Social. These banners are static promotional content shown in the Queue tab and after milestone events (for example, after your 10th scheduled post). They contain a link that opens slapsocial.app in your browser.
We do not share any of your data with Slap Social to power these banners — they are static. If you also use Slap Social, that is a separate account governed by Slap Social's own privacy policy.
You can disable cross-promotion banners at any time in Settings → Communications → Cross-promotion inside the app.
9. Marketing communications
From time to time we may send you marketing emails about new Slap Post features, our sister apps (such as Slap Social), or other product updates relevant to your account.
You may opt out of marketing emails at any time:
- In-app: Settings → Communications → Marketing emails
- From any marketing email: click the unsubscribe link in the footer
- By email: send a message to info@slapforge.com with the subject "Unsubscribe"
Transactional emails (password reset, security alerts, post-failure notifications, billing notices) are required for service operation and cannot be opted out of while your account is active.
10. Security
We use TLS in transit, encryption at rest for X OAuth tokens, Row Level Security on the database, and least-privilege service-role keys held only by server-side functions. No system is perfectly secure; we will notify affected users of any material data breach within 72 hours of discovery.
11. Changes
We may update this Policy. Material changes will be announced in the app and on slappost.app. The "Last updated" date at the top reflects the most recent change.
12. Contact and trader information
For privacy questions, data access requests, or deletion requests: hello@slapforge.com.
For legal notices, EU consumer inquiries, or marketing-communications unsubscribe requests, contact the operator at the address below. This is the trader/data-controller of record for Slap Post (DSA + GDPR):
Jessyka Mathews (sole proprietor)2166 W Broadway #1008
Anaheim, CA 92804-2446
United States
Phone: (714) 400-2632
Email: info@slapforge.com