
Privacy Policy

Last updated: March 4, 2026

Table of Contents

  1. Introduction
  2. Information We Collect
  3. Legal Basis for Processing (GDPR)
  4. How We Use Your Information
  5. How We Share Your Information
  6. Data Retention
  7. Your Rights (GDPR)
  8. California Privacy Rights (CCPA)
  9. International Data Transfers
  10. Cookies
  11. Security
  12. Children's Privacy
  13. Updates to This Policy
  14. Contact Information

1. Introduction

Flowctory ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

This Privacy Policy should be read alongside our Terms of Service.

2. Information We Collect

2.1 Account Information

When you register for a Flowctory account, we collect and store:

  • Email Address: Your email address, used for account identification and communication
  • Password: If you register with email, your password is securely hashed (we never store plaintext passwords)
  • Display Name: Your name, either provided by you or obtained from your social login provider (Google)
  • Avatar URL: Your profile picture URL, if provided by your social login provider
  • Timezone: Your timezone preference for scheduling posts

You can register and log in using email and password, or through Google OAuth. Your social media channels (TikTok, YouTube) are connected separately (see section 2.2) and are not used for login authentication.

2.2 Social Media Channel Information

When you connect your social media channels to Flowctory (a separate step from registration), we receive and store the following information from each platform:

TikTok

When you connect your TikTok channel, we receive:

  • TikTok Open ID: A unique identifier for your TikTok channel (not your username)
  • Display Name: Your TikTok display name
  • Avatar URL: The URL of your TikTok profile picture

YouTube

When you connect your YouTube channel, we receive:

  • YouTube Channel ID: Your YouTube channel identifier
  • YouTube Channel Title: Your YouTube channel name
  • YouTube Channel Thumbnail: The URL of your YouTube channel thumbnail

You can connect multiple channels across platforms to your Flowctory account to manage content across different profiles.

2.3 Platform Authentication Tokens

We store OAuth access tokens and refresh tokens required to communicate with each platform's API on your behalf. These tokens allow us to upload content to your connected channels (TikTok, YouTube) without storing your platform passwords. Tokens are encrypted and stored per connected channel.

2.4 Media Content

We handle several types of media content through the Service:

  • When you upload a video or image for publishing, the file is temporarily stored on our servers solely for the purpose of transferring it to the target platform (TikTok, YouTube). Uploaded files are automatically deleted from our servers after successful publishing or within 24 hours, whichever occurs first.
  • You may upload images and videos to a persistent library stored in Supabase cloud storage. These files are retained until you delete them and can be used as inputs for AI content generation workflows.
  • Images and videos generated through our Canvas AI features are stored in Supabase cloud storage and linked to your account. Generated content is retained until you delete it or your account is closed.

2.5 Cloud Storage Connections

When you connect a cloud storage provider (Google Drive, Dropbox), we collect and store:

  • Email Address: The email address associated with your cloud storage account
  • Display Name: Your display name on the cloud storage provider
  • Storage Provider: OAuth access and refresh tokens (encrypted) to access your cloud storage on your behalf
  • Your folder preferences for file browsing and auto-save destinations

Cloud storage connections are used to import files into Flowctory and optionally auto-save generated content to your preferred cloud folder.

2.6 AI-Generated Content Data

When you use our Canvas AI features to generate images or videos, we collect and process:

  • Text prompts and generation parameters you provide
  • Images you select from your library or upload for AI processing
  • The resulting generated images and videos, stored in Supabase cloud storage

Your prompts and images are transmitted to our AI provider solely for the purpose of generating the requested content. Generated outputs are stored in your account until you delete them.

2.7 Post Metadata

We store information about your posts, including:

  • Video captions and descriptions
  • Privacy settings you select (public, friends, private, followers only)
  • Interaction settings (Duet, Stitch, and Comment enable/disable preferences)
  • Scheduled posting times
  • Upload timestamps
  • Post status (pending, processing, published, failed)
  • Platform publish IDs for successful posts
  • The platform channel selected for each post

2.8 Technical and Usage Data

We automatically collect certain technical information when you use the Service:

  • IP address
  • Browser type and version
  • Device information
  • Access timestamps
  • Error logs and diagnostic data

We do not use third-party analytics services or tracking tools.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

3.1 Contract Performance

Processing is necessary to provide you with the Service, including:

  • Creating and managing your Flowctory account
  • Connecting and authenticating your social media channels (TikTok, YouTube)
  • Uploading and scheduling your media content to connected platforms
  • Connecting your cloud storage accounts (Google Drive, Dropbox) for file import and auto-save
  • Generating images and videos through Canvas AI features using your prompts and media
  • Processing payments and managing subscriptions
  • Displaying your posting history

3.2 Legitimate Interests

We process certain data based on our legitimate interests, including:

  • Improving and securing the Service
  • Troubleshooting technical issues
  • Preventing fraud and abuse

3.3 Legal Obligations

We may process your data when required by law, such as responding to legal requests or complying with applicable regulations.

3.4 Consent

Where required, we will obtain your explicit consent before processing your data. You may withdraw your consent at any time.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate you and manage your Flowctory account
  • Connect your social media channels (TikTok, YouTube) and communicate with their APIs
  • Upload and schedule media content to connected platforms on your behalf
  • Generate images and videos using AI through our Canvas features
  • Connect your cloud storage accounts for file import and auto-save of generated content
  • Process payments and manage your subscription
  • Display your posting history and status within the application
  • Troubleshoot issues with failed uploads
  • Communicate with you about the Service (service announcements, security alerts)
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Comply with legal obligations

Platform API Interactions

In addition to uploading content, the Service makes the following API calls to connected platforms on your behalf:

  • Before each posting session, we query TikTok's API to retrieve your current channel capabilities, including available privacy options, interaction settings (Duet, Stitch, Comment availability), and maximum video duration. This data is used in real time to configure your posting options and is not stored beyond the session.
  • After submitting content to TikTok, we periodically check the publishing status of your post to provide you with updates on whether your content was successfully published or encountered an error.
  • We receive automated notifications (webhooks) from TikTok when your post's status changes (e.g., published, failed, or removed from public view). These notifications contain post identifiers and status information used to update your posting history within the Service.
  • We periodically refresh your platform authentication tokens to maintain your connection without requiring you to re-authorize.

We do not use your personal information for advertising purposes or sell it to third parties.

5. How We Share Your Information

We share your information only in the following circumstances:

5.1 Social Media Platforms

Your media content and associated metadata are transmitted to the platforms you choose to publish to:

TikTok

Video content and metadata are transmitted to TikTok through their Content Posting API. TikTok's handling of your data is governed by TikTok's Privacy Policy.

YouTube

Video content and metadata are transmitted to YouTube through the YouTube API Services. YouTube's handling of your data is governed by Google's Privacy Policy.

5.2 Cloud Storage Providers

When you connect a cloud storage service, we share necessary authentication data with the provider to access your files on your behalf:

Google Drive

We use Google Drive APIs to browse your files and optionally save generated content. Google's handling of your data is governed by Google's Privacy Policy.

Dropbox

We use Dropbox APIs to browse your files and optionally save generated content. Dropbox's handling of your data is governed by Dropbox's Privacy Policy.

5.3 AI Content Generation Providers

When you use Canvas AI features, your prompts and images are transmitted to our AI processing provider:

AI Generation Provider

We use a third-party AI provider for image and video generation. Your text prompts, generation parameters, and images are sent to this provider for processing. Generated content is returned to us and stored in your account. Our AI provider processes your data solely to fulfill generation requests.

5.4 Service Providers

We use trusted third-party service providers to help operate the Service:

  • Payment Processor: We use Stripe to process payments and manage subscriptions. Stripe receives your payment information (card details, billing address) directly. We do not store your full card details. Stripe's handling of your data is governed by Stripe's Privacy Policy.
  • We use Supabase for cloud file storage. Your library files and AI-generated content are stored on Supabase infrastructure. Supabase's handling of your data is governed by their privacy policy.
  • Hosting Provider: Our servers are hosted on infrastructure that may have access to server logs and technical data necessary to provide hosting services.
  • Database Provider: We use PostgreSQL for data storage. All data is encrypted at rest.

These providers are contractually obligated to protect your information and may only use it to provide services to us.

5.5 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests by public authorities (e.g., court orders, subpoenas).

5.6 Business Transfers

If Flowctory is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.7 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

Data Type | Retention Period
Account data (email, profile info) | Until you delete your account
Platform channel data (TikTok, YouTube) | Until you disconnect the platform channel or delete your Flowctory account
Platform OAuth tokens | Until revoked, expired, or you disconnect the platform channel
Uploaded media files (for publishing) | Deleted within 24 hours of upload or successful publishing
Cloud storage connection data | Until you disconnect the cloud storage account or delete your Flowctory account
AI-generated content and library files | Until you delete the content or your account is closed
Post metadata | 90 days after posting
Subscription & billing data | Until you delete your account (payment details stored by Stripe)
Server logs | 30 days

YouTube Data: You can revoke Flowctory's access to your YouTube data at any time through Google's security settings at security.google.com/settings/security/permissions.

When you disconnect a YouTube channel in Flowctory, associated YouTube data is deleted within 7 days. If you revoke access via Google's security settings, YouTube data is deleted within 30 days.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

7.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you.

7.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

7.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

7.5 Right to Object

You have the right to object to the processing of your personal data based on our legitimate interests.

7.6 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances.

7.7 Right to Withdraw Consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In France, the supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr.

7.9 Exercising Your Rights

To exercise any of these rights, please contact us at contact@flowctory.com. We will respond to your request within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

8.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you
  • The categories of sources from which we collected the information
  • The business or commercial purpose for collecting the information
  • The categories of third parties with whom we share the information
  • The specific pieces of personal information we have collected about you

8.2 Right to Delete

You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.

8.3 Right to Opt-Out of Sale

You have the right to opt out of the sale of your personal information. However, Flowctory does not sell personal information.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, or provide you with a different level of service for exercising your rights.

8.5 Exercising Your Rights

To exercise your CCPA rights, please contact us at contact@flowctory.com. We will verify your identity before processing your request.

9. International Data Transfers

Flowctory is based in France (European Union). If you access the Service from outside the EU, please be aware that your information may be transferred to, stored, and processed in the EU.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Transfers to countries with an EU adequacy decision
  • Standard Contractual Clauses approved by the European Commission
  • Other legally recognized transfer mechanisms

Third-party services we integrate with (TikTok, YouTube/Google, Dropbox) may transfer your data internationally according to their own privacy policies.

10. Cookies

We use strictly necessary cookies to operate the Service. All cookies are essential for authentication and security. We do not use tracking, advertising, or analytics cookies.

10.1 Cookie Overview

The following table lists all cookies used by Flowctory:

Cookie Name | Purpose | Duration | Type
authjs.session-token | Maintains your login session (NextAuth) | 30 min | Essential
authjs.csrf-token | CSRF protection for authentication | Session | Essential
authjs.callback-url | OAuth redirect handling | Session | Essential
flowctory_pending_{platform}_connection | Temporary storage during platform connection | 10 min | Essential
{platform}_oauth_state | CSRF protection for platform OAuth | 10 min | Essential
{platform}_code_verifier | PKCE code verifier for platform OAuth | 10 min | Essential
{provider}_oauth_state | CSRF protection for cloud storage OAuth | 10 min | Essential
{provider}_code_verifier | PKCE code verifier for cloud storage OAuth | 10 min | Essential
NEXT_LOCALE | Stores your language preference | 1 year | Preference

Note: In production, authentication cookies use the __Secure- prefix and other cookies use the __Host- prefix for enhanced security, requiring HTTPS and preventing cross-site access.

10.2 Session Cookies

The authjs.session-token cookie maintains your authenticated session. This cookie:

  • Is HTTP-only (not accessible via JavaScript) and secure (HTTPS-only in production)
  • Uses SameSite=lax for CSRF protection
  • Expires after 30 minutes of inactivity (sliding session)
  • Contains a signed JWT with your user ID, email, timezone, and platform connection status
  • Is strictly necessary for the Service to function

10.3 OAuth Flow Cookies

When connecting a social media channel or cloud storage service, we temporarily store OAuth state and verification data in cookies. These include platform-specific cookies (e.g., tiktok_oauth_state, tiktok_code_verifier, flowctory_pending_youtube_connection, youtube_code_verifier, gdrive_oauth_state, gdrive_code_verifier, dropbox_oauth_state, dropbox_code_verifier, flowctory_pending_connection). These cookies:

  • Are HTTP-only and secure (in production)
  • Expire after 10 minutes
  • Are automatically deleted after the OAuth flow completes
  • Protect against CSRF attacks and ensure OAuth security (PKCE)

10.4 No Tracking Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics.

10.5 Cookie Preferences

Since we only use strictly necessary cookies required for the Service to function, cookie consent is not required under GDPR. You can configure your browser to reject cookies, but this will prevent you from using the Service.

11. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All communications use HTTPS/TLS encryption
  • Encryption at Rest: Sensitive data is encrypted in our database
  • Secure Authentication: OAuth tokens are securely stored and managed
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Regular Updates: Infrastructure and dependencies are regularly updated

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

12. Children's Privacy

The Service is not intended for children under the age of 16 in the European Union or 13 in other jurisdictions. We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at contact@flowctory.com. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will provide notice through the Service or via email
  • We will obtain your consent where required by applicable law

We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Flowctory
Cancale, France
Email: contact@flowctory.com

Data Protection Authority

If you are in the EU and have concerns about our data practices, you may contact the French data protection authority (CNIL) at www.cnil.fr.