Privacy Policy

Last updated: May 5, 2026

1. What data we collect

  • Account data: email address, display name, hashed password (for email accounts), OAuth provider ID (for Google/GitHub sign-in).
  • OAuth tokens: when you connect a social account (Instagram, Twitter, LinkedIn, etc.), we store the access token and refresh token needed to fetch your feed. These are encrypted at rest.
  • Widget configuration: the settings you apply to each widget (layout, colors, content filters).
  • Embed analytics: page load events from widgets embedded on third-party sites — we log the widget ID, timestamp, and approximate country. We do not log visitor IP addresses beyond what is required for rate-limiting.
  • Billing data: processed entirely by Stripe. We store only your Stripe customer ID and subscription status. We never see your card number.

2. How we use your data

  • To operate and improve the Service
  • To send transactional emails (receipts, password resets, plan changes)
  • To enforce plan limits (view counts, project limits)
  • To detect abuse

We do not sell your data. We do not use your data to train AI models.

3. Where data is stored

Our database is hosted on Neon (AWS us-east-1). Our application is hosted on Vercel (global edge network). Backups are encrypted and retained for 30 days.

4. Retention

We retain your data as long as your account is active. When you delete your account, data is removed within 30 days. Billing records are retained for 7 years as required by law.

5. Third-party processors

See our Subprocessor List for the full list of services that process customer data on our behalf.

6. GDPR / CCPA rights

If you are located in the EU, UK, or California, you have the right to:

  • Access: export your data from Settings → Export data
  • Rectification: update your profile in Settings
  • Erasure: delete your account from Settings → Danger Zone
  • Portability: your data export is in machine-readable JSON
  • Opt-out of sale: we do not sell data, so this does not apply

To exercise any right not covered by the self-serve tools, email privacy@getfeedflow.io.

7. Cookies

We use a session cookie for authentication (required, not optional) and no advertising or tracking cookies. Analytics (if enabled) uses cookieless methods.

8. Security

Passwords are hashed with bcrypt (cost 12). OAuth tokens are encrypted at rest. All connections use TLS 1.2+. We perform regular security audits.

9. Contact

Privacy questions: privacy@getfeedflow.io

Terms of ServiceDPASubprocessors