How velociPost actually handles authentication, data, and your accounts — with specifics, not marketing.
No jargon. No hand-waving. Here's what velociPost does — and doesn't do — with your accounts and your content.
velociPost never sees or stores your platform passwords. Every connection uses the official OAuth flow provided by each platform — you log in on their site, approve the permissions you're granting, and the platform hands us a revocable access token scoped to the minimum we need.
The access tokens we do store live in Supabase Vault — a managed encrypted secret store built on Postgres with authenticated encryption. Tokens are never exposed in logs, never transmitted to your browser, and never accessible through the standard database surface.
Every row of customer data is scoped to a workspace, and every query runs through Postgres row-level security policies. One customer's data is not accessible to another customer's session — not accidentally, not through bugs, not through misconfigured API routes. It's enforced at the database.
Every request to velociPost.com and every call between our services runs over TLS 1.3. All data at rest — your workspace data, your media, your content history — is encrypted on disk by the underlying platforms we run on (Supabase and Vercel).
Disconnect a platform from velociPost and the token is deleted from our vault. Revoke velociPost from your platform's own connected-apps page and the token is invalidated on their side. Cancel your account and everything is deleted after 30 days.
We only request the OAuth permissions required to post content and monitor engagement on the accounts you connect. We do not ask for private messages, friend or follower lists, contact data, or account administration. Each platform shows you the exact permissions before you approve.
Exactly what velociPost collects, why, how long we keep it, and what we do not collect. If it isn't listed here, we don't have it.
| Data | Purpose | Retention | Shared? |
|---|---|---|---|
| Account infoEmail, name, workspace, plan | Log you in, bill you, and route your content to the right workspace. | Life of account + 30 days after cancellation. | Subprocessors only |
| Platform access tokensEncrypted in Supabase Vault | Publish posts and fetch engagement on the accounts you connect. | Until you disconnect the platform or delete your account. | Never |
| Knowledge baseBusiness info, tone, content rules | Generate on-brand posts in your voice. Feeds the AI prompt. | Life of account + 30 days after cancellation. | AI subprocessors |
| Generated & uploaded contentPosts, images, videos | Display in your calendar, publish to platforms, let you edit and re-use. | Life of account + 30 days after cancellation. | Hosting only |
| Engagement metadataLikes, comments, reply text | Surface comments in the unified inbox, power insights and analytics. | Life of account + 30 days after cancellation. | Never |
| Billing infoHandled entirely by Stripe | Process subscription payments. We never see your card number. | Stripe retention policy; we hold receipt metadata only. | Stripe |
| Usage logsPage views, API calls, errors | Diagnose issues, improve reliability, protect against abuse. | 90 days, then deleted. | Never |
| Direct messages / DMsFrom connected platforms | We do not request DM permissions. We cannot read your DMs. | Not collected. | Not collected |
| Contact lists & follower dataFrom connected platforms | We do not request these permissions. We cannot see your contacts. | Not collected. | Not collected |
velociPost is a small team running on best-in-class infrastructure. Here's every vendor that touches customer data, what they do, and where their data is processed.
Serverless functions, background jobs, static asset delivery. Handles every request to velociPost.com.
Vercel DPAPrimary Postgres database, user authentication, media file storage, and encrypted token vault for platform access tokens.
Supabase privacySchedules and runs the recurring jobs that generate content, publish scheduled posts, and poll platforms for engagement.
Inngest privacyClaude models generate captions, hooks, and reply drafts. Your knowledge base and content rules feed the prompt for each generation.
Anthropic privacyRecraft V3 generates on-brand images. Kling 2.5 Turbo Pro generates short-form portrait video clips for platforms that support video.
fal.ai privacySends all outbound email from velociPost — review reminders, weekly insights, support replies, billing receipts.
Resend privacyProcesses all subscription billing. We never see your full card number — Stripe handles the full PCI-DSS scope.
Stripe privacyCaptures application errors and performance traces so we can diagnose and fix issues. Configured to scrub sensitive fields.
Sentry privacyEach connected platform receives the posts you approve via its official API. Platform-specific terms apply to what they do with your content.
Governed by each platform's termsIf we become aware of unauthorized access to your data — or a material security incident affecting velociPost — we will notify you without unreasonable delay, and in any case within 72 hours of confirming the incident. We will tell you what happened, what data was involved, what we've done in response, and what you can do on your end.
We will post operational status and confirmed incidents to our status page as they unfold. We will not quietly sit on something and hope you don't notice.
If you believe you've found a security vulnerability in velociPost, we want to hear about it. Please reach out directly — we'll acknowledge within one business day.
security@velocipost.comNo. velociPost never sees or stores your platform passwords. We connect to Facebook, Instagram, LinkedIn, TikTok, YouTube, X/Twitter, Threads, Google Business Profile, Pinterest, and Bluesky using OAuth — the official authorization flow each platform provides. You log in on the platform's own site, approve the permissions you're granting, and the platform hands us a revocable access token.
Only if you explicitly turn on auto-approve. The default is manual approval — every post waits for your review in the calendar. If you choose to turn auto-approve on, it's an explicit toggle in Settings, and you can switch it off any time. You can also run different modes per platform or per client workspace.
On cancellation, your account is immediately deactivated. You have 30 days to export your data or reactivate your subscription. After 30 days, your workspace data is permanently deleted. OAuth tokens can be revoked immediately at any time — either from within velociPost or directly from the platform's own "connected apps" settings page.
Primary application data is stored in Supabase (Postgres) in the US-East region. Media assets — images and videos — are stored in Supabase Storage in the same region. Serverless compute runs on Vercel's global edge network. Email is sent via Resend. Payments are processed by Stripe. All data in transit uses TLS 1.3; all data at rest is encrypted by the underlying platforms.
velociPost is operated by GroRevOps, LLC. Access to production systems is limited to the founder and is protected by strong authentication. We access customer data only when necessary — to investigate a support request you've filed, or to diagnose a system issue. No third-party contractors have access to production customer data.
The minimum required to publish content and monitor engagement on the accounts you connect. We do not request permissions for private messages, friend or follower lists, contact data, or account administration. Each platform shows you the exact permissions during the OAuth approval screen — you can decline any connection or revoke it at any time from the platform's own settings.
Tokens are encrypted at rest in Supabase Vault and are never transmitted to your browser or exposed in server logs. If we detect suspicious activity on an account, we will revoke the affected token immediately. You can also revoke access at any time — from the platform's connected-apps settings or from the Connections tab inside velociPost. Both paths invalidate the token on the platform side.
We share data only with the subprocessors listed above — the vendors that make velociPost function (hosting, database, AI generation, email, payments). We do not sell data. We do not share data with advertisers. We do not provide data to data brokers. If our subprocessor list changes, we update this page.
Email security@velocipost.com. We'll acknowledge within one business day and keep you updated as we investigate.
Join the waitlist and we'll email you the moment early access opens. No credit card, no commitment.