Your privacy is important to us. This Privacy Policy explains how Krosspost collects, uses, stores, shares, and protects your personal data in compliance with applicable Indian laws.
Effective Date: June 6, 2026 | Last Updated: June 6, 2026
1. Introduction
This Privacy Policy ("Policy") governs the collection, use, storage, processing, and disclosure of personal data by Krosspost ("Company", "we", "us", or "our"), a product operated under applicable Indian laws. Krosspost is a social media management and automation platform accessible at https://krosspost.ai.
We are committed to protecting your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
Under the DPDPA, Krosspost acts as a Data Fiduciary. You, the user, are the Data Principal. By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, please do not use Krosspost.
2. Definitions
- "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA, 2023.
- "Data Principal" means the individual to whom the personal data relates — i.e., you, the user.
- "Data Fiduciary" means the entity that determines the purpose and means of processing personal data — i.e., Krosspost.
- "Data Processor" means any entity that processes personal data on behalf of the Data Fiduciary.
- "Processing" means any operation performed on personal data, including collection, storage, use, sharing, disclosure, and erasure.
- "Service" means the Krosspost platform, including all features, tools, APIs, and related services.
- "Platform(s)" means third-party social media platforms integrated with Krosspost, including but not limited to Instagram, Facebook, WhatsApp, X (Twitter), LinkedIn, YouTube, Reddit, Telegram, Discord, and Spotify.
3. Personal Data We Collect
We collect personal data that is necessary for the functioning of our Service and only for the purposes outlined in this Policy. The categories of data we collect include:
3.1 Account Information
- Full name
- Email address
- Mobile phone number (optional)
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- Profile picture / avatar
- Bio / description (up to 300 characters)
- Device fingerprint (hashed, for fraud prevention and referral attribution)
- Account creation and last login timestamps
3.2 Social Media Account Data
When you connect your social media accounts to Krosspost, we collect:
- Platform access tokens and refresh tokens (encrypted at rest)
- Token expiration details and token type
- OAuth scopes and permissions granted
- Platform-specific profile metadata (profile picture, username, page details, Instagram business account info)
- Connected page and account identifiers
Platforms supported: Instagram, Facebook, WhatsApp Business, X (Twitter), LinkedIn, YouTube, Reddit, Telegram, Discord, Spotify, and Gmail.
3.3 Content Data
- Posts, messages, and media files (images, videos, documents) you create or upload through the Service
- Scheduled post content, captions, and publishing preferences
- AI-generated content produced by our content generation tools
- User prompts and inputs provided to AI content generators
3.4 Instagram DM & Comment Data
- Instagram Direct Messages (DMs) — including sender ID, recipient ID, message content, and timestamps — received via Meta's official Webhook API
- Instagram comments on your posts, including commenter profile information
- AI-generated comment replies and DM auto-responses created by our AI Agent system
- Opt-out/suppression records when a recipient requests to stop receiving automated messages
3.5 WhatsApp Business Data
- WhatsApp Business Account ID and phone number ID
- Message content, message type (text, image, video, audio, document), and delivery status (sent, delivered, read, failed)
- Template message details (name, language, parameters)
- Error codes and error messages for failed message deliveries
- Media metadata (media ID, type, URL, size) associated with messages
- Webhook event payloads received from Meta
3.6 Knowledge Base & AI Agent Data
- FAQs, business information, and instruction sets you provide to train your AI Agent
- Uploaded documents and text descriptions used as knowledge sources
- Audio reply configuration and usage data
- Linked platform accounts associated with each Knowledge Base
3.7 Kavach Account Safety Data
Our Kavach safety engine collects and analyses metrics to protect your social media accounts from platform enforcement risks:
- Message volume, velocity, and burst detection metrics
- Send/receive ratios, repetition scores, and template similarity analysis
- Link frequency, suspicious link detection, and domain diversity
- Engagement quality scores, follower engagement ratios, and response rates
- Account health score (0–100), risk factors, and confidence level
- Historical scan records for trend analysis
3.8 Payment & Billing Data
- Razorpay order ID, payment ID, and subscription ID
- Transaction amount (inclusive of GST), base amount, and currency (INR)
- Payment status and complete payment response data
- Coupon and discount details (if applied)
We do not store your full credit card or debit card numbers. All payment processing is handled securely by Razorpay, a PCI-DSS compliant payment gateway. Please refer to Razorpay's Privacy Policy for their data handling practices.
3.9 Analytics & Follower Data
- Follower demographics, growth trends, and engagement metrics retrieved from platform APIs
- Post-level analytics (reach, impressions, engagement rates)
- WhatsApp analytics (delivery rates, read rates, failure rates)
3.10 Automation Configuration Data
- Automation settings for Google Reviews, Spotify shows, YouTube video alerts, and Medium RSS integrations
- Cron schedules, AI prompt configurations (tone, emoji preferences, hashtag settings, content length)
- Automation status and execution history
3.11 Log & Technical Data
- IP address
- Browser type, version, and user-agent string
- Operating system and device information
- Pages visited, time spent, and navigation patterns
- Referral source and landing page URLs
- Login history and session data
3.12 Cookies
We use cookies and similar tracking technologies to maintain your session, remember your preferences, and improve Service performance. Cookies are small data files stored on your device. You may configure your browser to reject cookies; however, this may limit your ability to use certain features of the Service.
4. Purpose of Processing
We process your personal data only for specific, clear, and lawful purposes as required under the DPDPA. The purposes include:
- Account creation and management — To register your account, verify your identity, and manage your profile.
- Service delivery — To publish, schedule, and manage your social media content across connected platforms.
- AI content generation — To generate post captions, comment replies, DM auto-responses, and other AI-powered content using third-party AI models (Google Gemini, Groq, DeepSeek).
- Automation execution — To run scheduled automations (Google Reviews, Spotify, YouTube alerts, Medium RSS) and Instagram/WhatsApp DM automations on your behalf.
- Account safety monitoring — To calculate and maintain your Kavach safety score, detect risk patterns, and recommend protective actions.
- Analytics and insights — To provide follower analysis, engagement metrics, and performance dashboards.
- Payment processing — To process subscription payments, manage billing, and apply discounts or coupons.
- Communication — To send you service-related announcements, rate-limit alerts, post-status notifications, and message failure alerts (subject to your notification preferences).
- Meta platform compliance — To enforce opt-out requests, maintain private reply ledgers, process Data Subject Access Requests (DSARs), and comply with Meta's rate-limit policies.
- Security and fraud prevention — To detect unauthorized access, prevent abuse, and maintain the integrity of the Service.
- Legal compliance — To comply with applicable laws, respond to legal requests, and protect our legal rights.
- Customer support — To address your queries, complaints, and support requests.
5. Use of Artificial Intelligence & Automation
Krosspost uses third-party AI models to provide content generation, comment reply, and messaging automation features. Specifically:
- AI Content Generation: We use Google Gemini, Groq (LLaMA-based models), and DeepSeek to generate post captions, message drafts, and content suggestions based on your prompts and inputs.
- AI Comment Replies: Our AI Agent system can automatically generate replies to Instagram comments using your Knowledge Base data (FAQs, business info, uploaded documents) as context.
- AI DM Automation: When configured, our system can generate and send automated Instagram DM responses using AI-generated content based on your Knowledge Base.
- Audio Replies: If enabled, AI-generated text responses may be converted to audio using ElevenLabs text-to-speech technology.
Important: AI-generated content is produced by third-party models and may not always be accurate, appropriate, or aligned with platform policies. You are solely responsible for reviewing, editing, and approving all AI-generated content before it is published or sent. Krosspost does not guarantee the accuracy, legality, or suitability of any AI-generated output.
Your prompts, inputs, and Knowledge Base data may be sent to third-party AI providers for processing. These providers process data in accordance with their own privacy policies. We do not use your data to train third-party AI models.
6. Lawful Basis for Processing
Under the DPDPA, we process your personal data based on the following lawful grounds:
- Consent: You provide explicit, free, specific, informed, and unambiguous consent at the time of account registration and when connecting social media accounts. Consent is not bundled — each purpose is presented clearly.
- Contractual necessity: Processing necessary for the performance of the Service you have subscribed to (e.g., posting content, running automations, processing payments).
- Legitimate uses: Processing for certain legitimate purposes as specified under Section 7 of the DPDPA, including compliance with legal obligations, responding to medical emergencies, and employment-related purposes (where applicable).
7. Data Sharing & Third-Party Services
We may share your personal data with the following categories of third parties, strictly for the purposes described in this Policy:
7.1 Social Media Platforms (Data Processors)
When you use Krosspost to publish content, send messages, or manage interactions, your data is transmitted to the respective social media platforms via their official APIs. Each platform governs the use of data once it reaches their systems under their own privacy policies:
7.2 AI Service Providers
- Google (Gemini API) — For AI content generation. Krosspost's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Groq — For AI-powered text generation using LLaMA-based models.
- DeepSeek — For AI content generation tasks.
- ElevenLabs — For text-to-speech audio reply generation (when enabled by the user).
7.3 Payment Processor
Razorpay: All payment transactions are processed through Razorpay, a PCI-DSS Level 1 certified payment gateway registered in India. We share your payment details (order amount, subscription ID) with Razorpay to process transactions. Razorpay handles and stores your card/UPI/bank details directly.
7.4 Cloud Infrastructure
We use Amazon Web Services (AWS) for cloud hosting, file storage (S3), and infrastructure services. Your data may be stored on AWS servers. AWS operates in compliance with applicable data protection standards.
7.5 Legal & Regulatory Disclosure
We may disclose your personal data if required to do so by law or in good faith belief that such action is necessary to: (a) comply with a legal obligation or order from a court or government authority; (b) protect and defend our legal rights or property; (c) prevent fraud or abuse of the Service; (d) protect the personal safety of users or the public; or (e) respond to lawful requests from the Data Protection Board of India.
8. Meta Platform Compliance
Krosspost integrates with Meta's platforms (Instagram, Facebook, WhatsApp) via official Graph API and Webhook APIs. We maintain compliance with Meta Platform Terms, including:
- Rate Limits: We enforce hourly and daily rate limits on automated comments and DMs sent through Meta platforms to prevent exceeding Meta's API usage thresholds.
- Opt-Out Enforcement: We automatically detect opt-out keywords (such as "stop", "unsubscribe", "opt out", "remove me") in inbound messages and suppress further automated messaging to those recipients.
- Private Reply Limits: We maintain a ledger to ensure only one private reply is sent per comment, as required by Meta's policies.
- Token Redaction: We redact Meta access tokens, signed URLs, and sensitive credentials from all logs and error messages.
- Data Deletion Callbacks: We support Meta's Data Deletion Request Callback mechanism. When a user removes our app integration from their Meta account, we process the deletion request and remove associated data from our systems.
- Data Subject Access Requests (DSAR): We provide endpoints to export and purge all user-identifiable data (DMs, comments, AI-generated replies, suppression records) for any given recipient upon request.
9. Data Retention & Deletion
We retain your personal data only for as long as it is necessary to fulfil the purposes described in this Policy, or as required by applicable law. Our retention practices include:
- Account data: Retained for the duration of your active account. Upon account deletion, we erase your personal data within 30 days, except where retention is required by law.
- Social media tokens: Retained while your platform connection is active. Tokens are deleted when you disconnect an account.
- DMs and comments: Retained for the operational period required by our features (e.g., Kavach analysis, automation history). You may request deletion at any time.
- WhatsApp message data: In accordance with Meta's policies, Meta automatically deletes message data from its Cloud API infrastructure within 30 days. Data stored in our systems is retained as per our standard retention policy and can be deleted upon request.
- Payment records: Retained for a minimum of 8 years as required by Indian tax and accounting regulations (Income Tax Act, GST Act).
- Kavach scan history: Retained for trend analysis purposes. Historical scores are anonymised after account deletion.
- Log data: Retained for up to 90 days for security and debugging purposes, then automatically purged.
9.1 How to Request Data Deletion
You may request the deletion of your personal data by:
- Contacting us at help@krosspost.ai with the subject line "Data Deletion Request".
- Deleting your account through the Settings page within the Krosspost application.
- Removing the Krosspost app integration from your Meta/Google security settings, which triggers our automated data deletion callback.
Upon receiving a valid deletion request, we will erase your personal data within 30 days, except where retention is legally required. We will provide a confirmation code and status URL for tracking the deletion process.
10. Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: You have the right to obtain a summary of the personal data being processed about you and the processing activities related to it.
- Right to Correction: You have the right to request the correction of inaccurate or misleading personal data and the completion of incomplete data.
- Right to Erasure: You have the right to request the erasure of your personal data, subject to legal retention requirements.
- Right to Withdraw Consent: You may withdraw your consent at any time by contacting us or adjusting your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
- Right to Grievance Redressal: You have the right to file a complaint with our Grievance Officer. If unsatisfied with our response, you may escalate to the Data Protection Board of India.
- Right to Nominate: You have the right to nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity.
To exercise any of these rights, please contact our Grievance Officer at help@krosspost.ai. We will respond to your request within 30 days.
11. Consent Mechanism
We obtain your consent in the following manner:
- At registration: By creating an account, you provide explicit consent to the collection and processing of your account data for the purposes stated in this Policy.
- At platform connection: When you connect a social media account, you grant specific consent for Krosspost to access and process data from that platform via its OAuth mechanism.
- For AI features: By enabling AI content generation, comment replies, or DM automations, you consent to your data being processed by third-party AI service providers.
- Withdrawal: You may withdraw consent at any time by disconnecting platform accounts, disabling automation features, or deleting your Krosspost account.
12. Data Security
We implement reasonable security safeguards as required under the IT (Reasonable Security Practices and Procedures) Rules, 2011, and the DPDPA. These include:
- Encryption: Sensitive data, including platform access tokens, refresh tokens, and passwords (hashed), are encrypted at rest and in transit.
- Token redaction: Meta access tokens (EAA/EAAG/IGQ patterns), signed URLs, and API credentials are automatically redacted from all logs and error outputs.
- Access controls: Role-based access control with granular admin permissions. Two-factor authentication support.
- Secure hosting: Data is hosted on password-protected, access-controlled cloud infrastructure (AWS).
- Payment security: Billing and payment information is processed through PCI-DSS compliant payment gateways (Razorpay).
- Monitoring: Automated monitoring for unauthorized access attempts and anomalous activity.
While we take all reasonable measures to protect your data, no electronic transmission or storage system is 100% secure. We cannot guarantee absolute security. In the event of a data breach, we will notify the Data Protection Board of India and affected Data Principals as required under the DPDPA.
13. Links to Third-Party Websites
Our Service may contain links to third-party websites, social media platforms, and services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of every third-party website you visit.
14. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. Under the DPDPA, processing of personal data of children (below 18 years) requires verifiable consent of a parent or lawful guardian. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us immediately at help@krosspost.ai. We will delete such data from our records promptly.
15. Cross-Border Data Transfers
Your personal data may be transferred to, and processed in, countries other than India when we use cloud infrastructure providers (AWS) or send data to third-party AI service providers (Google, Groq, DeepSeek, ElevenLabs) and social media platform APIs. Such transfers are carried out in compliance with Section 16 of the DPDPA, which permits transfers to countries or territories not restricted by the Central Government. We ensure that appropriate safeguards are in place to protect your data during such transfers.
16. Notification Preferences
You have control over the types of email notifications you receive from us. You can manage your preferences for:
- Post status notifications (published/failed)
- Message failure alerts (WhatsApp, Telegram, Email)
- Rate limit alerts (Meta daily/hourly limits)
You may update your notification preferences at any time through your account Settings page.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes, we will notify you by: (a) posting the updated Policy on this page with a revised "Last Updated" date; and (b) sending an email notification to the address associated with your account. Your continued use of the Service after the posting of an updated Policy constitutes your acceptance of the changes.
18. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and all applicable rules and regulations thereunder. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts in India.
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us: