Privacy Policy

Flowtive (“Flowtive”, “we”, “us”) is a content scheduling and social media management platform operated from Denmark, EU.

Contact for privacy matters: privacy@flowtive.app.

2.1 Account data

• Email and name — provided when you sign up.
• Authentication — we use Supabase Auth to handle login. Passwords are hashed and never stored in plain text.
• Workspace information — team name, billing tier, and members you invite.

2.2 Connected social accounts

When you connect a social media account (Instagram, Threads, Facebook, LinkedIn, YouTube, Pinterest, Bluesky, TikTok, X), we receive and store:

• OAuth access and refresh tokens, encrypted at rest with AES-256-GCM. We never store your social platform passwords.
• Profile metadata shared by the platform — your handle, display name, avatar URL, and platform user ID.
• Pages, channels, and boards you own (for Facebook Pages, YouTube channels, Pinterest boards), so you can choose where to publish.

2.3 Content you create

• Captions, hashtags, scheduled posts, uploaded media, and AI prompts you submit.
• Analytics metrics (impressions, reach, engagement) returned by the connected platforms about content you have published through Flowtive.

2.4 Technical data

• Standard server logs: IP address, browser, timestamps, error traces. Retained for 30 days.
• Product analytics (page views, feature usage) — anonymized where possible.

We use your data only to:

• Provide the service — schedule and publish your posts, fetch analytics, deliver inbox messages.
• Improve Flowtive — debug errors, measure feature adoption.
• Communicate with you — product updates, billing, support replies.
• Comply with the law — respond to lawful requests, prevent fraud.

We do not sell your data. We do not use the content of your posts or AI prompts to train third-party AI models.

We use the following third parties to operate Flowtive. Each is bound by a Data Processing Agreement and only processes data on our instructions.

• Supabase — database, authentication, file storage (EU region).
• Vercel — web hosting (EU and US edge nodes).
• OpenAI / Anthropic — AI caption rewriting and idea generation. Content sent to these providers is not used to train their models (per their enterprise terms).
• Stripe — payment processing. We never receive your full card number.
• Upstash — rate limiting and caching (no personal data).
• Inngest — background job processing (scheduled publishing, analytics sync).
• The social platforms you connect — Meta, LinkedIn, Google, Pinterest, TikTok, X, Bluesky. Posts you publish are governed by each platform's own privacy policy.

• Account data: kept while your account is active. Deleted within 30 days of account closure.
• Social tokens: revoked and deleted immediately when you disconnect an account.
• Posts and media: kept until you delete them or your account is closed.
• Server logs: 30 days.
• Billing records: 7 years (Danish bookkeeping law).

If you are in the EU/EEA, UK, or Switzerland, you have the right to:

• Access — request a copy of your data.
• Rectify — correct inaccurate data.
• Erase — have your data deleted (“right to be forgotten”).
• Restrict processing.
• Port — export your data in a standard format.
• Object to processing.
• Withdraw consent at any time.
• Lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority.

Send requests to privacy@flowtive.app. We respond within 30 days.

You can at any time:

• Disconnect a social account in Flowtive's Accounts page. Tokens are immediately deleted from our database.
• Revoke Flowtive's access directly from each platform's settings:
  • Google (YouTube)
  • Facebook / Instagram / Threads
  • LinkedIn
  • Pinterest
• Delete your account from Settings, or by emailing privacy@flowtive.app.

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. We use Vercel Analytics in aggregate, anonymous mode for product analytics.

Our primary infrastructure is in the EU. Some processors (OpenAI, Anthropic, Stripe, Vercel edge functions) may process data in the United States under the EU–U.S. Data Privacy Framework or Standard Contractual Clauses.

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Social platform tokens are additionally encrypted with a separate application key. We follow the principle of least privilege for internal access and log all administrative actions.

Report security issues to security@flowtive.app.

Flowtive is not directed at children under 16. We do not knowingly collect data from anyone under 16. If we learn we have done so, we will delete it.

We'll update the “Last updated” date at the top when this policy changes. Material changes will be notified in-app and by email at least 14 days before they take effect.

Email: privacy@flowtive.app
Postal: Flowtive, c/o the operator listed in the footer at flowtive.app.