
Privacy Policy

Last updated: January 4, 2026

Table of Contents

  1. Introduction
  2. Information We Collect
  3. Legal Basis for Processing (GDPR)
  4. How We Use Your Information
  5. How We Share Your Information
  6. Data Retention
  7. Your Rights (GDPR)
  8. California Privacy Rights (CCPA)
  9. International Data Transfers
  10. Cookies
  11. Security
  12. Children's Privacy
  13. Updates to This Policy
  14. Contact Information

1. Introduction

Flowctory ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

This Privacy Policy should be read alongside our Terms of Service.

2. Information We Collect

2.1 Account Information

When you register for a Flowctory account, we collect and store:

  • Email Address: Your email address, used for account identification and communication
  • Password: If you register with email, your password is securely hashed (we never store plaintext passwords)
  • Display Name: Your name, either provided by you or obtained from your social login provider (Google or Facebook)
  • Avatar URL: Your profile picture URL, if provided by your social login provider
  • Timezone: Your timezone preference for scheduling posts

You can register and log in using email and password, or through Google or Facebook OAuth. Your TikTok account is connected separately (see section 2.2) and is not used for login authentication.

2.2 TikTok Account Information

When you connect your TikTok account to Flowctory (a separate step from registration), we receive and store the following information from TikTok:

  • TikTok Open ID: A unique identifier for your TikTok account (not your username)
  • Display Name: Your TikTok display name
  • Avatar URL: The URL of your TikTok profile picture

You can connect multiple TikTok accounts to your Flowctory account to manage content across different profiles.

2.3 TikTok Authentication Tokens

We store OAuth access tokens and refresh tokens required to communicate with TikTok's API on your behalf. These tokens allow us to upload content to your TikTok account without storing your TikTok password. Tokens are stored per connected TikTok account.

2.4 Video Content

When you upload a video through the Service, the video file is temporarily stored on our servers solely for the purpose of transferring it to TikTok. Videos are automatically deleted from our servers after successful upload to TikTok or within 24 hours, whichever occurs first.

2.5 Post Metadata

We store information about your posts, including:

  • Video captions and descriptions
  • Privacy settings you select (public, friends, private, followers only)
  • Interaction settings (Duet, Stitch, and Comment enable/disable preferences)
  • Scheduled posting times
  • Upload timestamps
  • Post status (pending, processing, published, failed)
  • TikTok publish IDs for successful posts
  • The TikTok account selected for each post

2.6 Technical and Usage Data

We automatically collect certain technical information when you use the Service:

  • IP address
  • Browser type and version
  • Device information
  • Access timestamps
  • Error logs and diagnostic data

We do not use third-party analytics services or tracking tools.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

3.1 Contract Performance

Processing is necessary to provide you with the Service, including:

  • Creating and managing your Flowctory account
  • Connecting and authenticating your TikTok account(s)
  • Uploading and scheduling your video content
  • Processing payments and managing subscriptions
  • Displaying your posting history

3.2 Legitimate Interests

We process certain data based on our legitimate interests, including:

  • Improving and securing the Service
  • Troubleshooting technical issues
  • Preventing fraud and abuse

3.3 Legal Obligations

We may process your data when required by law, such as responding to legal requests or complying with applicable regulations.

3.4 Consent

Where required, we will obtain your explicit consent before processing your data. You may withdraw your consent at any time.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate you and manage your Flowctory account
  • Connect your TikTok account(s) and communicate with TikTok's API
  • Upload and schedule video content to TikTok on your behalf
  • Process payments and manage your subscription
  • Display your posting history and status within the application
  • Troubleshoot issues with failed uploads
  • Communicate with you about the Service (service announcements, security alerts)
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Comply with legal obligations

We do not use your personal information for advertising purposes or sell it to third parties.

5. How We Share Your Information

We share your information only in the following circumstances:

5.1 TikTok

Your video content and associated metadata are transmitted to TikTok through their Content Posting API. TikTok's handling of your data is governed by TikTok's Privacy Policy.

5.2 Service Providers

We use trusted third-party service providers to help operate the Service:

  • Payment Processor: We use Stripe to process payments and manage subscriptions. Stripe receives your payment information (card details, billing address) directly. We do not store your full card details. Stripe's handling of your data is governed by Stripe's Privacy Policy.
  • Hosting Provider: Our servers are hosted on infrastructure that may have access to server logs and technical data necessary to provide hosting services.
  • Database Provider: We use PostgreSQL for data storage. All data is encrypted at rest.

These providers are contractually obligated to protect your information and may only use it to provide services to us.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests by public authorities (e.g., court orders, subpoenas).

5.4 Business Transfers

If Flowctory is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.5 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

| Data Type | Retention Period |
|---|---|
| Account data (email, profile info) | Until you delete your account |
| TikTok account data | Until you disconnect the TikTok account or delete your Flowctory account |
| TikTok OAuth tokens | Until revoked, expired, or you disconnect the TikTok account |
| Video files | Deleted within 24 hours of upload |
| Post metadata | 90 days after posting |
| Subscription & billing data | Until you delete your account (payment details stored by Stripe) |
| Server logs | 30 days |

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

7.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you.

7.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

7.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

7.5 Right to Object

You have the right to object to the processing of your personal data based on our legitimate interests.

7.6 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances.

7.7 Right to Withdraw Consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In France, the supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr.

7.9 Exercising Your Rights

To exercise any of these rights, please contact us at contact@flowctory.com. We will respond to your request within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

8.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you
  • The categories of sources from which we collected the information
  • The business or commercial purpose for collecting the information
  • The categories of third parties with whom we share the information
  • The specific pieces of personal information we have collected about you

8.2 Right to Delete

You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.

8.3 Right to Opt-Out of Sale

You have the right to opt-out of the sale of your personal information. However, Flowctory does not sell personal information.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, or provide you with a different level of service for exercising your rights.

8.5 Exercising Your Rights

To exercise your CCPA rights, please contact us at contact@flowctory.com. We will verify your identity before processing your request.

9. International Data Transfers

Flowctory is based in France (European Union). If you access the Service from outside the EU, please be aware that your information may be transferred to, stored, and processed in the EU.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Transfers to countries with an EU adequacy decision
  • Standard Contractual Clauses approved by the European Commission
  • Other legally recognized transfer mechanisms

TikTok, as a third-party service, may transfer your data internationally according to their own privacy policy.

10. Cookies

We use strictly necessary cookies to operate the Service. All cookies are essential for authentication and security. We do not use tracking, advertising, or analytics cookies.

10.1 Cookie Overview

The following table lists all cookies used by Flowctory:

| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| authjs.session-token | Maintains your login session (NextAuth) | 30 min | Essential |
| authjs.csrf-token | CSRF protection for authentication | Session | Essential |
| authjs.callback-url | OAuth redirect handling | Session | Essential |
| flowctory_pending_connection | Temporary storage during TikTok connection | 10 min | Essential |
| tiktok_oauth_state | CSRF protection for TikTok OAuth | 10 min | Essential |
| tiktok_code_verifier | PKCE code verifier for TikTok OAuth | 10 min | Essential |

Note: In production, authentication cookies use the __Secure- prefix and other cookies use the __Host- prefix for enhanced security, requiring HTTPS and preventing cross-site access.

10.2 Session Cookies

The authjs.session-token cookie maintains your authenticated session. This cookie:

  • Is HTTP-only (not accessible via JavaScript) and secure (HTTPS-only in production)
  • Uses SameSite=lax for CSRF protection
  • Expires after 30 minutes of inactivity (sliding session)
  • Contains a signed JWT with your user ID, email, timezone, and TikTok connection status
  • Is strictly necessary for the Service to function

10.3 OAuth Flow Cookies

When connecting your TikTok account, we temporarily store OAuth state and verification data in cookies (flowctory_pending_connection, tiktok_oauth_state, tiktok_code_verifier). These cookies:

  • Are HTTP-only and secure (in production)
  • Expire after 10 minutes
  • Are automatically deleted after the OAuth flow completes
  • Protect against CSRF attacks and ensure OAuth security (PKCE)

10.4 No Tracking Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics.

10.5 Cookie Preferences

Since we only use strictly necessary cookies required for the Service to function, cookie consent is not required under GDPR. You can configure your browser to reject cookies, but this will prevent you from using the Service.

11. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All communications use HTTPS/TLS encryption
  • Encryption at Rest: Sensitive data is encrypted in our database
  • Secure Authentication: OAuth tokens are securely stored and managed
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Regular Updates: Infrastructure and dependencies are regularly updated

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

12. Children's Privacy

The Service is not intended for children under the age of 16 in the European Union or 13 in other jurisdictions. We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at contact@flowctory.com. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will provide notice through the Service or via email
  • We will obtain your consent where required by applicable law

We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Flowctory
Cancale, France
Email: contact@flowctory.com

Data Protection Authority

If you are in the EU and have concerns about our data practices, you may contact the French data protection authority (CNIL) at www.cnil.fr.