← Back to site

Privacy Policy

Last updated: May 14, 2026

1. Data controller identification

The controller of personal data processed by Viraly Post is VIRALY POST LTDA, CNPJ 65.654.417/0001-13, headquartered at Rua São Vicente de Paula, 81 — Agronômica, Florianópolis/SC, CEP 88.025-330, Brazil.

To exercise rights, ask questions, or submit complaints related to personal data, contact the Data Protection Officer (DPO): contato@viralypost.com.

2. Data we collect

  • Registration data: email, name (optional), time zone.
  • OAuth authorisation tokens: access tokens for connected social networks (Instagram), stored encrypted at rest using AES-256-GCM.
  • Uploaded media: images and videos you upload for publishing.
  • Post content: captions, scheduled dates, publication status.
  • Access logs: IP address and timestamps of access to the application (see §7c).

3. Purpose of processing

Data is processed to:

  • Operate the social media publishing service;
  • Authenticate and identify you in the application;
  • Communicate with Meta APIs and other networks on your behalf to deliver publications.

Future artificial intelligence features (caption generation, hashtag suggestions, etc.) will come with specific notice at the time of use and will employ providers whose terms are compatible with applicable data protection law.

4. Legal basis (LGPD)

Under Brazilian Law 13,709/2018 (LGPD):

  • Contract performance (art. 7, V) — for data essential to the operation of the service (email, password hash, media, posts).
  • Consent (art. 7, I) — for OAuth connection to social networks (you explicitly authorise each network when connecting).

5. Sharing with third parties

To operate the service, we share data with the following processors:

  • Supabase — authentication, Postgres database, and media storage;
  • Vercel — hosting for the Next.js application, edge, and server functions;
  • Inngest — background job orchestration (publishing, token refresh);
  • Meta — Instagram APIs (and Facebook in the future) to publish content on your behalf;
  • Sentry — error capture for diagnostics (when enabled in production).

International data transfer: some of these processors operate infrastructure outside Brazil. The legal basis for this transfer is art. 33, IX of the LGPD — necessity for the performance of the contract with the data subject, combined with the hypothesis of art. 7, V. Operating the publishing service requires infrastructure from global processors.

Specific details about the region and data processing agreements (DPA) of each processor are available upon request at contato@viralypost.com.

6. Where data is stored

Each processor operates under its own contracts and regions:

  • Personal data and media: Supabase (Postgres + Storage) on AWS infrastructure, with the region configured at project creation.
  • Hosting and Server Functions: Vercel — the architectural intent is to pin Server Functions to gru1 (São Paulo).
  • Application access logs: logging systems of the processors themselves (Vercel Functions Logs + Supabase Logs), subject to their respective retention policies (see §7c).
  • Background jobs (Inngest) and error tracking (Sentry, when active) run on each provider’s own infrastructure.

Encryption: OAuth authorisation tokens are stored encrypted at rest using AES-256-GCM.

7. Data retention

Data is retained in separate layers according to its nature and legal requirements:

  • (a) Identifiable personal data (email, name, media, posts, OAuth tokens): immediate cascading deletion upon account cancellation. Implemented via foreign keys with ON DELETE CASCADE in the database.
  • (b) Financial data (electronic invoices, payment receipts) when issued: retained for 5 years plus the current year, as required by Brazilian tax law (National Tax Code, arts. 173 and 174).
  • (c) Application access logs (IP, timestamps): retained by providers Vercel (3 days) and Supabase (7 days) in their respective logging systems. Brazilian Internet Civil Framework, art. 15 (Law 12,965/2014) sets 6 months as a reference period for internet application providers with economic purposes. We are currently below this parameter as a pre-revenue indie MVP, with a plan to evolve as our user base scales.

Financial data and logs are handled separately and do not prevent the deletion of personal data upon account cancellation.

8. Your rights as a data subject (LGPD art. 18)

The Brazilian General Data Protection Law guarantees you the following rights:

  • I. Confirmation of the existence of processing of your data;
  • II. Access to your data;
  • III. Correction of incomplete, inaccurate, or outdated data;
  • IV. Anonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data;
  • V. Data portability to another service provider;
  • VI. Deletion of personal data processed with your consent (except in the cases of art. 16 of the LGPD);
  • VII. Information about the public and private entities with which we share your data;
  • VIII. Information about the possibility of withholding consent and the consequences of refusal;
  • IX. Revocation of consent (pursuant to art. 8, §5 of the LGPD).

To exercise any of these rights, contact contato@viralypost.com. A response will be provided within 15 days, as per art. 19 of the LGPD.

9. Cookies

Viraly Post uses only essential cookies required for the service to function:

  • sb-access-token and sb-refresh-token — Supabase authentication.

We do not use tracking, analytics, or marketing cookies. When — in the future — we introduce any such tool (e.g. Meta Pixel, PostHog, Google Analytics), this Policy will be updated and the current informational banner will be replaced by a banner with granular opt-out.

10. Minors under 18

Viraly Post is intended for people aged 18 and over. Age confirmation is mandatory at registration (checkbox “I confirm I am 18 years old or older”).

If we identify that data from a person under 18 has been collected, we remove it immediately. If you suspect this has occurred, report it at contato@viralypost.com.

Processing in accordance with art. 14 of the LGPD.

11. Updates to this Policy

This Policy may be updated. Material changes (change of processing purpose, new sharing arrangements, new non-essential cookies) will be communicated by email with 30 days’ notice. The “Last updated” date at the top of this page reflects the current version.

12. Jurisdiction

This Policy is governed by the laws of the Federative Republic of Brazil. The courts of Florianópolis, Santa Catarina are elected as the competent forum — without prejudice to applicable consumer protection law.

13. Competent authority

If you disagree with how your personal data is being processed, you may contact the Brazilian National Data Protection Authority (ANPD) at gov.br/anpd.