PromoFlow AI

Legal

Privacy Policy

Last updated: May 7, 2026

PromoFlow AI (“PromoFlow”, “we”, “us”) helps creators and agencies manage social media accounts, generate content with AI, and publish posts across multiple platforms. This Privacy Policy explains what information we collect, how we use it, and the choices you have. If you do not agree with this policy, please do not use our service.

1. Information We Collect

1.1 Account information

When you create an account we collect your name, email address, and a hashed password. If you sign up with Google, Facebook, or LinkedIn we receive your name, email, profile picture, and the provider's opaque user ID. We never receive your social provider password.

1.2 Connected social accounts

When you connect a platform (Facebook, Instagram, X / Twitter, LinkedIn, YouTube, TikTok, Pinterest, Reddit, Tumblr, Medium, Threads, Bluesky, Telegram) we store the access tokens, refresh tokens, the platform's user / page ID, your handle, display name, profile picture, and aggregate counts (followers, following, posts). We use these tokens only to read the data you authorized and to publish content you create through PromoFlow.

1.3 Content you create

Posts, captions, scheduled times, uploaded images and videos, AI prompts, and per-platform settings (titles, tags, board / subreddit selections, etc.) are stored so we can publish them and show them in your dashboard.

1.4 Security and device data

We log login events (timestamp, IP address, user agent, success / failure reason) and a non-reversible device fingerprint derived from your browser headers. We use this to detect new-device sign-ins, send you alert emails, and lock the account after repeated failed login attempts.

1.5 Communications

If you contact support, invite a teammate, or reset your password we send transactional email through our SMTP provider and keep delivery logs for troubleshooting.

2. How We Use Your Information

  • To create and operate your account, workspaces, and team memberships.
  • To publish posts to the social platforms you have explicitly connected.
  • To generate AI content (text, voiceover, video) on your behalf when you ask.
  • To refresh your platform statistics and surface them in the dashboard.
  • To send transactional email: verification codes, 2FA codes, password resets, new-device alerts, workspace invites, and welcome messages.
  • To detect, investigate, and prevent abuse, account takeovers, and platform policy violations.
  • To debug and improve the service. We never sell your data.

3. AI Processing

When you use AI features (caption generation, text-to-speech, video generation), the prompt and any media you upload are sent to the model provider you selected (OpenAI, Google Gemini, ElevenLabs, Kling AI, Higgsfield AI). We do not use your prompts to train any model ourselves, and we ask providers to honor their own no-training defaults for API customers. Generated outputs are stored in your workspace until you delete them.

4. Third-Party Sub-Processors

We share data only with the providers we need to run the service:

  • Supabase / PostgreSQL — primary application database.
  • Amazon Web Services (S3) — uploaded image / video / audio storage.
  • SMTP provider — transactional email delivery.
  • Twilio — SMS one-time codes when you opt in to SMS 2FA.
  • Social platform APIs — to fetch your profile and publish on your behalf.
  • AI providers — OpenAI, Google Gemini, ElevenLabs, Kling AI, Higgsfield AI for the AI features you invoke.
  • ngrok — only in development environments to expose a tunnel for Meta's media fetch crawler.

5. Cookies and Local Storage

We use a single httpOnly session cookie to support OAuth redirects, and your browser's local storage to keep your authentication token and theme preference. We do not use third-party advertising cookies or cross-site trackers.

6. Data Retention

We keep your account data for as long as your account exists. Login history is retained for 12 months for security review. If you delete a connected social account, the associated tokens and stats are removed immediately. If you delete your PromoFlow account we delete or anonymize your personal data within 30 days, except where we are required to keep it for legal or fraud prevention reasons.

7. Security

Passwords are hashed with bcrypt. Access tokens and refresh tokens are stored encrypted at rest. We support email OTP, authenticator app (TOTP), and SMS-based two-factor authentication, and we lock accounts after five failed login attempts in a row. No online service is perfectly secure — please choose a strong, unique password and enable 2FA.

8. Your Rights

Depending on where you live (GDPR in the EEA / UK, CCPA in California, and similar laws elsewhere) you may have the right to access, correct, export, or delete your personal data, and to object to certain processing. You can exercise these rights from Settings → Profile or by emailing privacy@promoflowai.com. We respond within 30 days.

9. International Transfers

Our service is operated from infrastructure in the United States and India. By using PromoFlow you consent to your information being processed in those regions. Where required we rely on Standard Contractual Clauses for international transfers.

10. Children

PromoFlow is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us their information, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy as the service evolves. When we make material changes we will update the “Last updated” date and notify you by email or in-app. Continued use after the change means you accept the updated policy.

12. Contact

Questions, concerns, or data requests: privacy@promoflowai.com.
