Privacy Policy for CrossPost Pro
Note. This English version is provided for convenience only. The German version is legally binding.
1. Controller
The controller within the meaning of the General Data Protection Regulation ("GDPR") is:
Bastian Aunkofer
Burgunderweg 8
93326 Abensberg
Germany
Email: bastian.aunkofer@gmail.com
Phone: +49 9443 700051
No data protection officer has been appointed. Data protection inquiries can be made using the contact details above.
2. Scope
This Privacy Policy applies to the "CrossPost Pro" iOS app, the backend interfaces under crosspostpro.app, the public website, support communication, and technically associated status, redirect, and legal pages.
CrossPost Pro is a tool that allows users to select or import videos, prepare them locally, define platform texts and settings, connect social-media accounts via OAuth, and publish content on selected platforms such as YouTube, Instagram, and TikTok.
3. Short overview
- The app does not use an advertising ID, app tracking, analytics SDKs, or marketing SDKs.
- The website does not use analytics or marketing cookies. It may store a technically functional language-preference cookie if you select a language.
- Videos, covers, texts, tags, platform settings, and OAuth data are processed for publication.
- Uploaded media is technically made available through temporary, publicly retrievable URLs so that selected platforms can retrieve the media. Anyone who knows such a URL can access it during its technical availability.
- Uploaded media, covers, derived conversion files, and temporary public media URLs are deleted after no more than 14 days unless a shorter manual deletion takes place.
- Error and crash reports are transmitted only after the user's express confirmation and are deleted after no more than 6 months.
- According to the operator, hosting, domain/DNS, and server operation are provided by Hetzner in Helsinki, Finland/EU.
- Payments and subscriptions are processed through the Apple App Store; CrossPost Pro does not process its own payment data on the backend.
4. Processing in detail
| Purpose | Data | Legal basis | Storage / control |
|---|---|---|---|
| Website and API provision | IP address, date/time, path/URL, HTTP status, user agent, technical log data | Art. 6 para. 1 lit. f GDPR: secure and stable operation, abuse and error analysis; when using the app additionally Art. 6 para. 1 lit. b GDPR | Server logs are generally retained for up to 30 days and then deleted or anonymized, unless longer storage is required to investigate abuse, attacks, or legal claims. |
| App installation, local use, and anonymous backend session | Anonymous backend user identifier, access/refresh token, installation date, trial status, local settings, sorting, guide status | Art. 6 para. 1 lit. b GDPR: provision of app functions; Art. 6 para. 1 lit. f GDPR: security and abuse prevention | Access tokens are short-lived; refresh tokens are designed for 60 days. Local app data can be removed by deleting the app; further deletion can be requested through the contact details. |
| Local media selection and editing | Selected videos from Photos or Files, local video copy, preview images, covers, titles, descriptions, tags, platform states | Art. 6 para. 1 lit. b GDPR: requested app function | Local drafts remain stored until deleted by the user. After successful publication on all selected platforms, the app automatically deletes completed local videos after a short follow-up period. |
| OAuth account connection | OAuth state/PKCE, authorization code, access token, refresh token, expiration times, platform ID, username, avatar/profile restrictions | Art. 6 para. 1 lit. b GDPR: connection and publication through selected platforms; Art. 6 para. 1 lit. f GDPR: secure token management | Platform tokens are stored encrypted in production and retained until the relevant platform account is disconnected, until a justified deletion request is made, or until they are no longer required for the service. Tokens may be refreshed for functionality. |
| Publication on third-party platforms | Video/cover files, temporary media URLs, title, description, tags, visibility, TikTok/Instagram/YouTube settings, external posting IDs, error status | Art. 6 para. 1 lit. b GDPR: execution of the publication order initiated by the user | Backend media no later than 14 days. After publication, the privacy and deletion rules of the respective platform also apply. |
| Temporary public media provision | Public media URL, video/cover file, derived conversion files | Art. 6 para. 1 lit. b GDPR: technical provision for platform retrieval | The URLs are not intended as a public feed or search service, but are technically retrievable without login while they exist. Deletion after no more than 14 days; CrossPost Pro cannot control copies held by platforms or third parties. |
| Error and crash reports | Type of report, error message, stack trace/crash text, iOS version, app version, device model, locale, trial/Pro status, installation date, timestamp | Transmission after consent: Art. 6 para. 1 lit. a GDPR; analysis for troubleshooting and security: Art. 6 para. 1 lit. f GDPR | Transmission only after express confirmation. No screenshots. Deletion after no more than 6 months, unless longer storage is required for security or legal cases. |
| Support communication | Email address, message text, information provided by the user, and, where applicable, device data inserted by the mail draft | Art. 6 para. 1 lit. b GDPR for support relating to app/contract; Art. 6 para. 1 lit. f GDPR for efficient communication; Art. 6 para. 1 lit. c GDPR for statutory retention obligations | Routine support emails are generally retained for up to 3 years after completion of the matter. Business, tax, or legally relevant correspondence may be retained longer in accordance with statutory obligations, generally 6 or 10 years. Spam and irrelevant messages are deleted earlier. |
| Apple subscriptions | Product ID, transaction ID, original transaction ID, purchase and expiration date, local entitlement status | Art. 6 para. 1 lit. b GDPR: activation and verification of Pro use | Payment, invoices, payment data, and refunds are handled by Apple. CrossPost Pro stores subscription data only locally in the app and does not process payment data on the backend. |
| Website language preference | Language value such as de or en | Section 25(2) TDDDG for a language function selected by the user; Art. 6 para. 1 lit. f GDPR or Art. 6 para. 1 lit. b GDPR for user-friendly display | The cookie is used exclusively for language selection and not for tracking. You can delete it in your browser. |
App permissions and local storage
- Photos/media: The app requests iOS access to the photo library so that you can select videos. Network access may be required if a selected iCloud asset first needs to be downloaded.
- Files: Videos can be imported through the iOS file picker.
- No camera, microphone, location, contacts, or push function: Based on the current feature set, the app does not itself access the camera, microphone, location, contacts, or push notifications. Selected videos may of course contain audio or personal content.
- Clipboard: Copying and pasting tags occurs only through user action.
- Keychain: Backend tokens and installation/trial information.
- UserDefaults: App settings, onboarding status, local platform-account cache, and local StoreKit entitlement status.
- CoreData and app files: local videos, thumbnails, covers, titles, descriptions, tags, and platform states.
No advertising, no tracking, no profiling
Based on the current state, CrossPost Pro does not use an advertising ID, an App Tracking Transparency request, external analytics SDKs, or automated individual decision-making, including profiling within the meaning of Art. 22 GDPR. Videos and support data are not used to train the provider's own AI systems.
5. Recipients and third-party providers
| Recipient / service | Role and purpose | Data |
|---|---|---|
| Hetzner Online GmbH | Hosting, servers, DNS/domain, technical infrastructure; processor according to the operator with a data-processing agreement | Backend data, media, database, technical logs, website access data |
| Apple App Store / StoreKit | Processing of in-app purchases, subscriptions, cancellations, and refunds; Apple acts independently in this respect under Apple's terms | Apple ID-related payment and subscription data; the app receives only StoreKit entitlement information |
| Google / YouTube | OAuth login, YouTube channel information, upload and publication on YouTube; Google/Gmail may also be involved as support email infrastructure | OAuth data, channel ID/title/avatar, video, title, description, visibility; support emails if you contact the provider by email |
| Meta / Instagram | OAuth login, Instagram profile information, publication via Instagram/Meta APIs, deauthorization and data-deletion callbacks | OAuth data, Instagram ID, username, caption, video/cover URL, publication status |
| TikTok | TikTok login/SDK, profile/creator information, video upload or pull-URL publication | OAuth data, Open ID, username/avatar, TikTok publication settings, video or temporary video URL |
| bastian-aunkofer.com | Imprint, support, developer, and status links | When technical status/web pages are retrieved, IP address and browser/app access data may be generated in server logs |
If you use an external link or a third-party platform, the privacy information of the respective provider also applies. The most important platform notices can be found, among others, at Apple, Google/YouTube, Meta/Instagram, and TikTok.
6. Third-country transfers
According to the operator, CrossPost Pro's core technical infrastructure is operated in the EU. However, Apple, Google/YouTube, Meta/Instagram, TikTok, and Google/Gmail may transfer data to countries outside the European Economic Area or process data there.
To the extent CrossPost Pro itself initiates such a transfer and the GDPR requires this, the transfer is based on appropriate safeguards such as adequacy decisions of the European Commission, certification under the EU-U.S. Data Privacy Framework for participating U.S. companies, Standard Contractual Clauses, or the transfer required to perform the service requested by the user. For social-media platforms, publication also takes place based on your own selection and authorization of the respective platform.
7. Retention periods
| Data category | Regular retention period |
|---|---|
| Backend access tokens | Short-lived, regularly 60 minutes. |
| Backend refresh tokens | Regularly up to 60 days, unless reset or deleted earlier. |
| OAuth state/PKCE | Short-term, regularly about 10 minutes. |
| Connected platform accounts and OAuth tokens | Until the platform account is disconnected, until a justified deletion request is made, or until they are no longer required for the service. |
| Uploaded media, covers, conversions, and temporary public URLs | No later than 14 days after upload/creation; earlier in the case of successful manual deletion where technically possible. |
| Local app drafts | Until deletion by the user or by the app's automatic cleanup after publication is completed. |
| Error and crash reports | Maximum 6 months. |
| Server/security logs | Generally up to 30 days; longer only in cases of misuse, security, or legal matters. |
| Support emails | Routine cases generally up to 3 years after completion; business, tax, or legally relevant correspondence according to statutory retention obligations, generally 6 or 10 years. |
| Subscription data in the app | As long as required for local entitlement verification or until the app data is deleted/updated. |
| Backups | Backups may contain data until overwrite or until the relevant backup cycle expires. Deletion in the production system does not necessarily lead to immediate deletion from already existing backups. |
8. Your rights
Subject to the GDPR, you have the right to access, rectification, deletion, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consents granted with effect for the future.
To exercise your rights, send a message to bastian.aunkofer@gmail.com. Additional information for identification may be required so that the request can be assigned, especially if the app was used only with anonymous backend IDs.
Responses are generally provided within one month of receipt. This period may be extended by up to two further months for complex or numerous requests; you will be informed of this within one month.
You also have the right to lodge a complaint with a data protection supervisory authority. For the controller's registered office, the competent authority is regularly the Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, Germany.
9. Security
CrossPost Pro protects personal data through technical and organizational measures, in particular HTTPS/TLS transport encryption, anonymous backend sessions, role- and access-restricted server access, encrypted storage of platform tokens in production, limitation of error-report fields, time-based deletion rules for media and error reports, and separation of local app data from backend data.
No internet service can guarantee absolute security. In the event of security incidents, the legally required review, documentation, and notification obligations are observed.
10. Minors and third-party content
CrossPost Pro is intended exclusively for persons aged 18 or older. Please do not use the app or transmit personal data if you are younger than 18 years old.
Videos may contain personal data of other persons, including image, voice, or potentially sensitive information. Upload and publish such content only if you are authorized to do so and the necessary consents, rights, or other legal bases exist.
11. Changes to this Privacy Policy
This Privacy Policy will be adjusted if functions, processing operations, providers, or legal requirements change. The current version is made available through this website. In the case of material changes, additional notices or consents will be obtained to the extent legally required.