Internal Log Policy
Last updated: January 2025
1. Introduction
This Internal Log Policy describes how PostZona collects, stores, and uses log data to maintain service quality, security, and compliance. This policy is designed to be transparent about our internal logging practices while protecting user privacy.
Log data is technical information automatically generated by our systems during normal operations. It helps us diagnose issues, prevent fraud, improve performance, and ensure platform security.
2. Types of Logs We Collect
2.1 Application Logs
Our application logs capture:
- Request Logs: HTTP requests, endpoints accessed, request methods (GET, POST, PUT, DELETE), response status codes, and response times
- User Actions: Campaign creation, content generation, post scheduling, and account modifications (actions only, not detailed content)
- Error Logs: Application errors, stack traces, exception messages, and failed operations
- Performance Metrics: API response times, database query durations, and resource utilization
2.2 Security Logs
Security-related logging includes:
- Authentication Events: Login attempts (successful and failed), logout events, password changes, and session creation/termination
- Authorization Checks: Access control decisions, permission denials, and privilege escalation attempts
- Security Incidents: Rate limiting triggers, SQL injection attempts, XSS attempts, CSRF token violations, and suspicious activity patterns
- API Token Usage: External API calls (Facebook, Instagram, OpenAI, Stripe), recorded without sensitive token values
2.3 System Logs
Infrastructure and system-level logs:
- Server Logs: ASP.NET Core hosting logs, server startup/shutdown events, and configuration changes
- Database Logs: PostgreSQL connection events, slow queries (queries exceeding 1 second), and deadlocks
- Background Jobs: Hangfire job execution logs, scheduled post processing, and job failures
- External Service Logs: AWS S3 operations, SendGrid email delivery, Stripe payment events, and OpenAI API usage
2.4 Network Logs
Network and infrastructure data:
- IP Addresses: Source IP addresses for requests (hashed after 90 days)
- User Agents: Browser type, operating system, and device information
- Geographic Data: Approximate location based on IP (city/country level only)
- CDN Logs: Content delivery and caching statistics
3. What We Do NOT Log
To protect your privacy and security, we explicitly do NOT log:
- Passwords: User passwords (only hashed versions are stored, never logged)
- Payment Information: Credit card numbers, CVV codes, or full payment details (processed by Stripe, not logged by us)
- Access Tokens: Facebook/Instagram access tokens in plain text (encrypted tokens only)
- Personal Message Content: Full content of user-generated campaigns, posts, or communications
- Biometric Data: We do not collect or log any biometric information
- Health Information: We do not collect or log health-related data
4. Log Storage and Retention
4.1 Storage Infrastructure
Logs are stored using:
- Application Logs: Stored in a PostgreSQL database and on the file system
- Error Tracking: Sent to Sentry for real-time monitoring and alerting
- Analytics: Google Analytics 4 for anonymized usage patterns
- Security Logs: Dedicated security log database with restricted access
4.2 Retention Periods
| Log Type | Retention Period |
|---|---|
| Application Logs | 90 days (active), 1 year (archived) |
| Security Logs | 2 years (compliance requirement) |
| Error Logs | 90 days (Sentry retention) |
| Performance Metrics | 180 days |
| Audit Logs | 7 years (legal requirement) |
| Analytics Data | 26 months (Google Analytics) |
After retention periods expire, logs are automatically purged or anonymized.
5. How We Use Log Data
5.1 Service Operations
- Debugging: Identify and fix bugs, errors, and performance issues
- Monitoring: Track system health, uptime, and resource utilization
- Optimization: Improve response times, database query performance, and caching strategies
- Capacity Planning: Forecast infrastructure needs and scale resources
5.2 Security and Fraud Prevention
- Threat Detection: Identify suspicious activity patterns, brute force attacks, and unauthorized access attempts
- Incident Response: Investigate security incidents and data breaches
- Fraud Prevention: Detect fraudulent accounts, payment fraud, and abuse of service
- Compliance: Meet regulatory requirements for security logging and auditing
5.3 Product Improvement
- Feature Usage: Understand which features are used most frequently
- User Experience: Identify pain points and areas for improvement
- A/B Testing: Measure effectiveness of new features and changes
- Analytics: Generate anonymized usage statistics and trends
6. Access Control
Access to log data is strictly controlled:
- Role-Based Access: Only authorized personnel (engineering, security, operations teams) can access logs
- Audit Trail: All log access is itself logged and monitored
- Principle of Least Privilege: Users only have access to logs necessary for their role
- Multi-Factor Authentication: Required for all production system access
- Encryption: Logs containing sensitive data are encrypted at rest and in transit
7. Data Minimization
We practice data minimization in our logging:
- Redaction: Sensitive data in logs is automatically redacted (e.g., email addresses shown as e***@example.com)
- Sampling: High-frequency events may be sampled rather than logging every occurrence
- Aggregation: Detailed logs are aggregated into summary statistics where possible
- Anonymization: IP addresses and identifiers are hashed after retention periods
8. Third-Party Log Processors
We use the following third-party services for log processing:
- Sentry: Error tracking and performance monitoring (errors only, with PII redacted)
- Google Analytics 4: Anonymized usage analytics (IP anonymization enabled)
These services are bound by their own privacy policies and data processing agreements. We ensure all third-party processors meet GDPR and CCPA compliance standards.
9. User Rights
You have the following rights regarding log data:
- Access: Request information about what log data we have about you
- Correction: Request correction of inaccurate log entries
- Deletion: Request deletion of log data, subject to legal retention requirements
- Opt-Out: Opt out of analytics tracking (does not affect operational or security logs)
To exercise these rights, contact us at privacy@postzona.com.
10. Security Incident Logging
In the event of a security incident:
- We may preserve relevant logs beyond normal retention periods for investigation
- Logs may be shared with law enforcement or regulatory authorities as required
- Affected users will be notified in accordance with breach notification laws
- Post-incident analysis may be published (anonymized) to improve industry security
11. Changes to This Policy
We may update this Internal Log Policy as our logging practices evolve or as required by law. Material changes will be communicated via email and reflected in the "Last updated" date above. Continued use of our services after changes constitutes acceptance of the updated policy.
12. Contact Information
For questions about our logging practices or to exercise your rights: