Privacy Policy
Effective 17 July 2026 · Last updated 17 July 2026
This Privacy Policy explains how Dystro (operated by Bamboo Bay, Lda., "Dystro", "we", "us") collects, uses, shares, and protects information when you use our website, API, dashboard, and related services (the "Service"). Dystro is a unified social API: it lets our customers connect their social media accounts and publish, schedule, manage, and analyze content across those networks through a single interface.
1. Who this policy covers
This policy applies to two groups: customers (developers and businesses who hold a Dystro account) and the end users whose social accounts are connected to Dystro by a customer. If your social account was connected to Dystro by a business you work with, that business is the controller of your data and you should also review their privacy policy.
2. Information we collect
Information you provide
- Account information — name, email address, organization details, and authentication identifiers when you sign up.
- Content — posts, captions, media, schedules, and drafts you create or upload to publish through the Service.
- Communications — messages you send us for support or sales.
Information from connected social platforms
When you connect a social account, you authorize the platform (via OAuth) to share data with Dystro on your behalf. Depending on the platform and the scopes you grant, this may include: your profile and page/channel identifiers, access and refresh tokens, the content you publish through us, and engagement data such as comments, mentions, messages, and metrics. We request the minimum scopes needed to provide the features you use.
Information we collect automatically
- Usage and diagnostics — API requests, feature usage, error and performance telemetry, and log data (including IP address and device/browser metadata).
- Cookies — strictly necessary cookies for authentication and session management, and limited analytics. We do not use advertising cookies.
3. How we use information
- To operate the Service — authenticate you, connect accounts, and publish, schedule, and manage content you direct us to.
- To deliver features you enable — media transcoding, webhooks and unified inbox, analytics, and approval workflows.
- To maintain security, prevent abuse and spam, and enforce rate limits and our Terms.
- To provide support and communicate with you about the Service.
- To improve reliability and performance using aggregated, non-identifying diagnostics.
We do not sell your personal information, and we do not use the content or data obtained from connected platforms for advertising or to train advertising or third-party models.
4. Use of platform data & compliance
Data obtained through a platform's API is used solely to provide and improve features you have enabled, in accordance with that platform's developer terms — including the Meta Platform Terms and Developer Policies, the Google API Services User Data Policy (including its Limited Use requirements), the X Developer Agreement and Policy, the TikTok Developer Terms, LinkedIn, Reddit, Pinterest, Snap, and Bluesky/AT Protocol terms. We only retain platform data for as long as needed to provide the Service and honor your instructions, and we delete it on disconnection or request as described below.
5. Legal bases (EEA/UK)
Where GDPR/UK GDPR applies, we process personal data on the bases of: performance of a contract (to provide the Service), legitimate interests (security, abuse prevention, product reliability), consent (where required, e.g. connecting an account and granting scopes), and legal obligation.
6. How we share information
We share information only as needed to run the Service, and with contractual protections in place. We use the following categories of sub-processors:
| Sub-processor | Purpose |
|---|---|
| Convex | Application database & backend runtime |
| Cloudflare (R2, Pages, network) | Media storage, content delivery, hosting |
| WorkOS | Authentication & identity |
| Stripe | Billing & payment processing |
| Resend | Transactional email |
| Upstash | Caching & rate limiting |
| PostHog | Product analytics & error tracking |
| Connected social platforms | Publishing & retrieving content you direct |
We may also disclose information to comply with law, enforce our Terms, protect rights and safety, or in connection with a merger or acquisition (with notice where required). We never sell personal information.
7. Data retention
We keep account information for as long as your account is active. Content and connected-platform data are retained while the relevant account is connected and for a limited period afterward to support recovery and audit, then deleted or anonymized. Access and refresh tokens are deleted promptly when you disconnect an account or delete your account. See Data Deletion for details and timelines.
8. Security
We protect data with encryption in transit, encryption at rest for credentials and tokens, scoped access controls, audit logging, and least-privilege access to sub-processors. No system is perfectly secure, but we work continuously to safeguard your data and will notify affected users and regulators of a breach as required by law.
9. Your rights & choices
Depending on your location, you may have rights to access, correct, export, restrict, or delete your personal data, and to withdraw consent. You can disconnect any social account at any time from the dashboard, and you can request deletion of your account and data. To exercise your rights, use the dashboard or contact privacy@dystro.dev. California residents have rights under the CCPA/CPRA, including the right to know and delete; we do not sell or share personal information as defined by those laws.
10. International transfers
We may process and store information in countries other than yours. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for cross-border transfers.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information. If you believe a child has provided us data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. We will post the revised version here with a new effective date and, for material changes, provide additional notice.
13. Contact us
Questions or requests? Contact privacy@dystro.dev, or write to Bamboo Bay, Lda., Urbanização Algarve Sol, Bloco B, 4º E, Apartamento 2046, 8125-188 Quarteira, Portugal. For users in the EEA/UK, our representative can be reached at the same address.