Privacy Policy

Last updated: March 30, 2026

The Short Version

• Your social media tokens are stored locally on your machine in ~/.sfeed/tokens.json, and also encrypted on our servers if you use cloud scheduling.
• We don't track you. No analytics on the CLI. No telemetry. No usage data sent anywhere.
• We don't sell your data.
• Your post content passes through our servers only for scheduled posts. Immediate posts go directly from your machine to Facebook/Instagram.

1. What sfeed is

sfeed is a CLI tool and MCP server that posts to Facebook Pages and Instagram on your behalf. It runs on your machine.

2. The auth proxy

When you run sfeed auth facebook, your browser opens a page on auth.sfeed.dev. This is a Cloudflare Worker that handles the Facebook OAuth flow:

1. Redirects you to Facebook's login page
2. Facebook redirects back with an authorization code
3. The proxy exchanges that code for access tokens (using the app secret, which lives on the server)
4. The proxy stores your tokens in a Cloudflare D1 database so cloud scheduling works
5. The proxy redirects to your local machine with the tokens

3. What we store

On your machine (always):

• ~/.sfeed/tokens.json -- your Facebook/Instagram OAuth tokens and a random user ID
• ~/.sfeed/profile.md -- your brand voice profile
• ~/.sfeed/history.md -- log of posts you made
• ~/.sfeed/.env -- self-hosted credentials (optional)

On our servers (Cloudflare D1 database):

• Your Facebook/Instagram page access tokens (needed to post on your behalf for scheduled posts)
• Your scheduled posts (content, platform, scheduled time) until they are posted or cancelled
• A random user ID that ties your tokens to your scheduled posts. We don't store your name, email, or any personal information.

We don't store your brand voice profile, post history, or any data from sfeed init. That stays local.

4. Cloud scheduling

When you schedule a post with sfeed post "content" --at "2026-04-01T09:00:00Z", the post content and your user ID are sent to our server. A Cloudflare Cron Trigger checks every minute for due posts and fires them using your stored tokens. After a post is published, the scheduled post record is marked as complete.

If you don't use scheduling, your tokens are still stored server-side (from the auth flow), but no post content ever reaches our servers.

5. Self-hosted option

If you don't want tokens stored on our servers, you can self-host by creating your own Facebook App and setting SFEED_FB_APP_ID and SFEED_FB_APP_SECRET in ~/.sfeed/.env. In self-hosted mode, the CLI uses direct OAuth and all data stays local. Scheduling requires running sfeed daemon on your machine.

6. Third-party services

• Facebook/Meta Graph API -- to post to your Facebook Page and Instagram.
• Cloudflare -- hosts the auth proxy, D1 database, and cron scheduler. Subject to Cloudflare's privacy policy.

7. The website

This website (sfeed.dev) is a static site. No cookies, no analytics, no tracking scripts.

8. Changes

If this policy changes, the "Last updated" date at the top will change.

9. Contact

Questions about privacy: n.stojanovic035@gmail.com