Privacy Policy
Effective date: March 14, 2026
1. Introduction
PostFlow AI ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use our Service at postflowaim.netlify.app.
By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
Information you provide directly:
- Account data: Full name, email address, and password when you register.
- Content: Posts, captions, images, and hashtags you create or upload.
- Billing data: Payment information processed securely by Stripe. We do not store your full card details.
- Social media tokens: OAuth access tokens for connected Facebook and Instagram accounts, stored encrypted using AES-256.
Information collected automatically:
- Usage data: Pages visited, features used, and actions taken within the Service.
- Log data: IP address, browser type, and timestamps of requests.
- Cookies: Session cookies used to keep you logged in. We do not use advertising or tracking cookies.
3. How We Use Your Information
- To provide, operate, and improve the Service.
- To publish content to your connected social media accounts on your behalf.
- To process payments and manage your subscription.
- To send transactional emails (account confirmation, billing receipts).
- To respond to your support requests.
- To detect and prevent fraud or abuse.
- To comply with legal obligations.
We do not sell your personal data to third parties. We do not use your content to train AI models.
4. AI Services
PostFlow AI uses the following third-party AI providers to power content and image generation:
- Anthropic (Claude): Used for generating post captions and hashtags. Your topic prompts and settings are sent to Anthropic's API. See Anthropic's Privacy Policy.
- Replicate (Flux by Black Forest Labs): Used for AI image generation. Your image prompts are sent to Replicate's API. See Replicate's Privacy Policy.
5. Social Media Platforms
When you connect your Facebook or Instagram accounts, we receive an OAuth access token, which is encrypted and stored securely. We use this token solely to publish content you explicitly approve. We do not read your followers, messages, or private data beyond what is necessary to publish posts.
You can disconnect your accounts at any time from the Settings → Connected Accounts page. This immediately revokes our stored access token.
6. Data Storage and Security
- Your data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure in the EU.
- Social media access tokens are encrypted at rest using AES-256-GCM.
- All data in transit is protected by TLS/HTTPS.
- We implement row-level security (RLS) to ensure users can only access their own data.
- Passwords are hashed by Supabase Auth and never stored in plain text.
Despite our best efforts, no security measure is 100% foolproof. If you discover a security vulnerability, please contact us immediately at support@postflowai.com.
7. Data Retention
- We retain your account data for as long as your account is active.
- If you delete your account, your personal data is deleted within 30 days, except where retention is required by law.
- Post content and analytics data are deleted with your account.
- Billing records may be retained for up to 7 years for legal and accounting purposes.
8. Your Rights (GDPR)
If you are in the European Economic Area or UK, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Request an export of your data in a machine-readable format.
- Objection: Object to processing of your data for certain purposes.
- Restriction: Request that we restrict processing of your data.
To exercise any of these rights, email support@postflowai.com. We will respond within 30 days.
9. Third-Party Services
We use the following third-party services:
- Supabase — Database and authentication
- Stripe — Payment processing
- Netlify — Hosting and deployment
- Anthropic — AI text generation
- Replicate — AI image generation
- Meta (Facebook/Instagram) — Social media publishing
Each of these services has its own privacy policy. We encourage you to review them.
10. Cookies
We use only essential session cookies to keep you logged in. We do not use advertising cookies, tracking pixels, or analytics cookies from third parties. You can disable cookies in your browser settings, but doing so may affect your ability to use the Service.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 14 days before the change takes effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
For any privacy-related questions, requests, or complaints, please contact us:
- Email: support@postflowai.com
- Company: PostFlow AI