Privacy Policy

Last updated: 16 July 2026

This policy explains what data the Sow & Store Poster application accesses from Meta, why it accesses it, how long it is kept, and what rights you have over it.

Scope. Sow & Store Poster is an internal tool with no public sign-up and no end users. The only Meta account it ever connects to is the operator’s own, and the only Page it ever writes to is the Sow & Store Facebook Page. It does not collect data from visitors to this website, and it does not collect data from people who follow or interact with the Page.

1. Who is responsible for your data

The operator of the Sow & Store Facebook Page is the data controller for the processing described here. Contact: [email protected].

2. What data is accessed from Meta

When the operator connects the application to Facebook, it accesses:

  • The list of Pages the operator administers (Page name and Page ID), via pages_show_list — used only to identify the Sow & Store Page.
  • A Page access token for the Sow & Store Page — the credential that authorises publishing.
  • The ID and publish status of posts this application created, via pages_read_engagement — used to confirm a post went live and to attach its first comment.

The application does not access, request, or store:

  • Personal profile data, friend lists, photos, or email addresses of any Facebook user;
  • Comments, messages, reactions, or any other content created by people who visit the Page;
  • Data about any Page, account, or business other than the operator’s own;
  • Special categories of personal data under Article 9 of the GDPR.

3. Why the data is used (purpose and legal basis)

The data above is processed for a single purpose: publishing the Page owner’s own scheduled content to the Page owner’s own Facebook Page, and confirming that each publish succeeded so that no post is published twice.

The legal basis is legitimate interests (Article 6(1)(f) GDPR) — operating the Page owner’s own publishing workflow. Because the only person whose data is involved is the operator, who is also the controller, this processing has no impact on the rights of third parties. The data is never used for advertising, profiling, automated decision-making, analytics, or sale, and is never shared with third parties for their own purposes.

4. Storage and retention

  • Page access token: stored as an encrypted secret in the application’s hosting environment. It is never written to logs, source code, or the post queue. It is replaced when rotated and deleted when the application is disconnected from Facebook.
  • Page ID and post IDs: stored in the application’s own scheduling database, retained only as long as needed to prevent duplicate publishing, and deleted on request.
  • Post content: written by the operator, stored in the same database, and deleted after publication or on request.
  • Operational logs: record whether a publish attempt succeeded or failed. They contain no personal data beyond post IDs and are retained for no more than 30 days.

Data is stored on infrastructure located in the European Union and the United States. Where data is transferred outside the European Economic Area, that transfer is covered by the Standard Contractual Clauses adopted by the European Commission.

5. Security

  • All connections to the Meta Graph API use HTTPS/TLS.
  • Access tokens are held only as encrypted secrets, never in the repository or in logs.
  • Access to the application and its database is limited to the operator.
  • The application requests the minimum set of permissions required for publishing.
  • Tokens are rotated if there is any reason to believe they have been exposed.

6. Sub-processors

The application relies on Meta Platforms, Inc. (the Graph API it publishes to) and on its hosting provider, which stores the scheduling database and the encrypted token. Neither is permitted to use this data for its own purposes.

7. Your rights

Under the GDPR you have the right to request access to your personal data, rectification of inaccurate data, erasure, restriction of processing, data portability, and to object to processing based on legitimate interests. Where processing rests on consent, you may withdraw that consent at any time without affecting processing already carried out.

To exercise any of these rights, email [email protected]. Requests are answered within 30 days. Deletion is covered in detail on the Data Deletion page.

You also have the right to lodge a complaint with your national data protection supervisory authority.

8. Children

This application is not directed at children and is not accessible to the public. It does not knowingly process any data relating to children.

9. Changes to this policy

Any change to this policy will be published on this page with an updated date at the top.

Contact

Questions about this policy or about data handling: [email protected]

Replace this placeholder address with the operator’s real contact email before submitting for App Review.