Privacy Policy

1. Information We Collect

Information you provide directly. When you register, we collect your name, email address, and password. When you subscribe, Stripe collects your payment card details on our behalf (BrandFlow does not store full card numbers). If you contact support, we collect the content of your communications. If you configure brand settings, we collect your brand name, logo, brand voice descriptions, target audience details, and any other brand profile information you enter.

Connected platform data. When you connect third-party accounts (Instagram, Facebook, LinkedIn, X, TikTok, YouTube, Google Ads, Klaviyo, WhatsApp Business, and others), we receive the data necessary to provide the integration, which may include account identifiers, follower counts, post performance metrics, campaign data, email/SMS list statistics, ad spend data, and audience insights. We access only the permissions you explicitly grant and use this data solely to operate the features you use.

Content you create and generate. We store User Content you upload (logos, brand images, media files) and AI-generated outputs (text, images, video, audio) that you create through the Service. This includes published posts, draft campaigns, scheduled content, and generation history.

Agency and team member data. If you use agency or multi-workspace features, we collect information about the team members and agency members you invite, including their names, email addresses, and role assignments within your workspaces.

Device and usage data. We automatically collect information about how you interact with the Service, including your IP address, browser type and version, operating system, referring URLs, pages viewed, features used, session duration, and timestamps. This data is collected via server logs and first-party analytics tools.

Cookies and similar technologies. We use cookies and similar tracking technologies as described in our Cookie Policy.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including AI content generation, campaign planning, scheduling, and publishing
• Process payments and manage your subscription via Stripe
• Authenticate your identity and secure your account
• Send transactional emails (account confirmations, password resets, billing notifications, publishing confirmations)
• Send product updates and marketing communications where you have consented or where permitted by applicable law; you may opt out at any time
• Improve the Service through aggregated and anonymized analytics
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our Terms of Service

We do not use your User Content or AI-generated outputs to train or fine-tune any AI model, including those of our AI provider partners. See our AI Terms for details.

3. How We Share Your Information

BrandFlow does not sell your personal information. We share information only in the following circumstances:

• Service providers. We share data with vendors who help us operate the Service, including Stripe (payment processing), Anthropic (AI language model inference), Runware, Higgsfield, and Replicate (image and video generation), and cloud infrastructure and analytics providers. These vendors are contractually bound to use your data only as directed by us.
• Connected platforms. When you publish content or sync data, we transmit the necessary information to the third-party platforms you have connected.
• Agency members. If you operate an agency workspace, members you invite will have access to the workspace data for the brands you assign them to manage.
• Legal requirements. We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of BrandFlow, our users, or others.
• Business transfers. If BrandFlow is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4. Data Retention

We retain your account information and User Content for as long as your account is active or as needed to provide the Service. After account termination, you may request an export of your data within 30 days; after that period, we may delete your data in accordance with our routine data retention schedules. We may retain certain information for longer periods where required by law, for fraud prevention, or to resolve disputes.

AI-generated media (images, video, audio) stored in the Service is retained for the duration of your subscription plus any applicable post-termination export window, unless you delete it earlier.

5. Security

We implement industry-standard technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit (TLS) and at rest, access controls, and regular security reviews. No system is completely secure; we cannot guarantee the absolute security of your information.

6. Your Rights (EEA, UK, and Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR) or equivalent legislation, including:

• Access. You may request a copy of the personal data we hold about you.
• Rectification. You may request correction of inaccurate or incomplete personal data.
• Erasure. You may request deletion of your personal data, subject to certain exceptions.
• Restriction. You may request that we restrict processing of your personal data in certain circumstances.
• Data portability. You may request a machine-readable export of the personal data you provided to us.
• Objection. You may object to our processing of your personal data where we rely on legitimate interests as the legal basis.
• Withdraw consent. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

Our lawful bases for processing personal data include: performance of a contract (to provide the Service), legitimate interests (security, fraud prevention, product improvement), legal obligation, and consent (marketing communications). To exercise any of the above rights, contact us at support@mybrandflow.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

7. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale or sharing of personal information. BrandFlow does not sell personal information. For details on exercising your California rights, see our CCPA Opt-Out page.

8. International Transfers

BrandFlow operates in the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States. We take appropriate safeguards to ensure that such transfers comply with applicable data protection laws, including, where required, entering into Standard Contractual Clauses approved by the European Commission.

9. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verifiable parental consent, we will delete that information promptly. If you believe we may have collected information from a child, please contact us at support@mybrandflow.io.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account or by displaying a prominent notice in the Service before the changes take effect. Your continued use of the Service after any update constitutes your acceptance of the revised policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

[BRANDFLOW LEGAL ENTITY]
[COMPANY ADDRESS]
support@mybrandflow.io