How Postli Labs collects, uses, stores, and protects information when you use the Postli Shopify application and the usepostli.com website.
Postli ("Postli", "we", "us", "our") is a software-as-a-service application operated by Postli Labs, the legal entity that owns and operates the usepostli.com domain and the Postli application available on the Shopify App Store.
Postli is a business-to-business application built for Shopify merchants. It is not a consumer social network and does not host social content for the general public. Merchants install Postli inside their Shopify admin to manage short links, schedule social posts to their own connected accounts, and measure which posts and links drive revenue in their store.
Plain-English summary. Postli is installed by Shopify merchants. We collect the data we need to run the app — Shopify shop information, OAuth tokens for any social platforms the merchant chooses to connect, click events on the merchant's short links, and a small amount of account data. We do not sell personal data, and we delete merchant data when the app is uninstalled.
This policy applies to:
usepostli.com and short-link domain pstl.sh.
Postli is a data processor on behalf of Shopify merchants for shopper-level data they collect through the app, and a data controller for the merchant's own account data and for our website visitors.
When a Shopify store installs Postli, we receive the following from Shopify:
If a merchant chooses to connect a social platform (Facebook, Instagram, Threads, X / Twitter, TikTok, YouTube, LinkedIn, Pinterest, or Google Business Profile), the platform issues us an OAuth access token and refresh token, plus the public account identifiers (account ID, page ID, handle, profile name, profile image URL). We use these only to publish content on the merchant's behalf and to read engagement metrics for posts the merchant published through Postli.
Posts, captions, schedules, media uploads, short-link destinations, UTM parameters, tags, and any other content the merchant authors inside Postli.
When a shopper clicks a Postli short link we record:
_pl_click set on the merchant's storefront for last-click attribution (7-day window).
To match orders to clicks, we ingest product metadata (title, image, description, identifiers) and order webhooks (line items, totals, currency, anonymized customer ID) from Shopify. We do not store full customer profiles or shipping addresses.
On usepostli.com we collect minimal server logs (request path, status code, hashed IP, user-agent) for security and performance. We also load the following third-party analytics scripts on the public marketing site:
None of the above is loaded inside the embedded Postli Shopify app or on the short-link redirector at pstl.sh — those surfaces remain analytics-free.
| Purpose | Data used | Lawful basis (GDPR) |
|---|---|---|
| Running the Postli application for the merchant | Shopify shop data, OAuth tokens, content the merchant creates | Performance of contract |
| Publishing scheduled posts to the merchant's connected accounts | Social platform OAuth tokens, post content | Performance of contract |
| Click tracking and revenue attribution | Hashed IP, UTM, cookie ID, order webhook | Legitimate interests of the merchant |
| Security, fraud, and abuse prevention | Server logs, hashed IPs, click patterns | Legitimate interests |
| Customer support | Account email, support messages | Performance of contract |
| Service announcements and product updates (opt-out anytime) | Account email | Legitimate interests |
| Marketing-site analytics (page views, click maps, scroll) via Microsoft Clarity and tags loaded through Google Tag Manager — public marketing site only | Anonymised session data, no PII | Legitimate interests |
We do not sell personal data, do not use it for behavioral advertising, and do not use shopper-level data to train AI models.
We share data only as necessary to operate the service:
When a merchant connects a third-party social platform, that platform's terms and privacy policy also apply to the data they hold about the merchant's account. Postli only stores the OAuth tokens and minimum metadata needed to publish posts and read engagement on content the merchant created through Postli.
Specifically, for each platform:
Merchants can revoke any connection at any time from Integrations → Disconnect inside the Postli app, which immediately deletes the stored OAuth tokens.
Postli uses a small set of first-party cookies. Functional cookies are strictly necessary for the service to work; analytics cookies help us understand how the marketing site is used.
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| _pl_click | Postli | Last-click revenue attribution on merchant storefronts | 7 days |
| Shopify session token | Shopify | Authenticates the embedded admin session | Session |
| Laravel session | Postli | Server-side session handling for the application | Session |
| _clck, _clsk | Microsoft Clarity (first-party on usepostli.com) | Anonymised product analytics for the marketing site — page views, scroll, click maps, session replays. Clarity does not capture sensitive form input by default and we do not enable cross-site tracking. | Up to 1 year |
| Cookies set by Google Tag Manager and tags loaded through it (e.g. _ga, _ga_* if Google Analytics is loaded) | Google (via GTM container on usepostli.com) | Analytics for the marketing site. The exact set of cookies depends on which tags are configured in the GTM container at any given time. We do not load advertising or remarketing pixels through GTM. | Up to 2 years (varies by tag) |
We do not load advertising or remarketing pixels (Meta Pixel, Google Ads, TikTok Pixel, etc.) on this site. Microsoft Clarity and tags loaded through Google Tag Manager are used only on the public marketing site at usepostli.com — never inside the embedded Shopify app or on the short-link redirector at pstl.sh. You can opt out of Clarity by enabling Do Not Track in your browser; Google Analytics provides an opt-out browser add-on at tools.google.com/dlpage/gaoptout.
We retain merchant data for as long as the app remains installed plus a 30-day grace period. When the merchant uninstalls Postli, Shopify fires the app/uninstalled webhook and we run a complete cleanup of the shop's data — links, clicks, posts, OAuth tokens, attribution records, and uploaded media — within 30 days.
We honour the Shopify mandatory GDPR webhooks:
customers/data_request — we package and return any data Postli holds about the requested customer.
customers/redact — we delete data Postli holds about the requested customer.
shop/redact — fired 48 hours after uninstall, we delete all data for the shop.
Postli runs on hardened cloud infrastructure with:
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you within 72 hours.
Depending on your jurisdiction, you may have the right to:
To exercise any of these rights, email privacy@usepostli.com. We respond within 30 days.
If you are a Shopify shopper (not a merchant) and want to exercise rights for data Postli holds about you, please contact the merchant whose store you visited — they are the data controller for that interaction. We will support the merchant in fulfilling your request.
Postli's primary infrastructure is hosted in the European Union and United States. Where data is transferred outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards approved by the relevant data-protection authority.
Postli is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
We may update this Privacy Policy from time to time. Material changes will be announced inside the Postli app and by email to the merchant's account email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current revision.
For privacy questions, data requests, or to exercise your rights:
If you are not satisfied with our response, you may lodge a complaint with the data-protection authority in your country of residence.