Skip to main content

Privacy Policy

Effective Date: February 1, 2026 | Last Updated: February 10, 2026

FloPost ("we", "us", or "our") operates flopost.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you do not agree with the terms of this policy, please do not access the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Email address, name, and authentication credentials when you create a FloPost account
  • Content: Posts, images, videos, captions, hashtags, and scheduling preferences you create within FloPost
  • Payment Information: Billing details processed securely through Stripe (we do not store your full credit card number)
  • Automation Rules: Keyword triggers and response templates you configure for automated engagement
  • Support Communications: Messages you send to our support team

1.2 Information from Connected Social Media Platforms

When you connect your social media accounts via OAuth authorization, we access and store the following data only with your explicit permission:

Meta Platforms (Facebook & Instagram):

  • Profile Information: Username, profile picture URL, account type (Business/Creator), page name and ID
  • Access Tokens: OAuth access tokens for posting and reading content on your behalf (stored encrypted server-side)
  • Post Data: Your published posts' metadata including captions, timestamps, media URLs, and permalink
  • Insights & Analytics: Follower counts, engagement metrics (likes, comments, shares, saves), reach, impressions, profile views, website clicks, and follower demographics (age, gender, city, country)
  • Messages: Instagram Direct Messages sent to your Business account (used for inbox and auto-reply features)
  • Comments: Comments on your posts (used for inbox display and automated engagement)
  • Page Information: Facebook Pages you manage and their linked Instagram Business accounts

TikTok:

  • Profile information (username, display name, avatar)
  • Video upload and publishing permissions
  • Video analytics and engagement data
  • Follower and view statistics

YouTube (Google):

  • Channel information (channel name, ID)
  • Video upload permissions
  • Video metadata and analytics
  • Subscriber and engagement statistics

Threads (Meta):

  • Profile information (username, biography, profile picture)
  • Post content and publishing permissions
  • Post insights (views, likes, replies, reposts, quotes)

1.3 Automatically Collected Information

  • Usage data (features used, pages visited, actions taken within FloPost)
  • Device information (browser type, IP address, operating system)
  • Cookies and similar technologies for session management and preferences

2. How We Use Your Information

We use your data solely to provide and improve our Service:

  • Content Publishing: Schedule and publish posts to your connected social media accounts at times you specify
  • Inbox & Messaging: Display your Instagram DMs and comments in a unified inbox; send replies on your behalf when you choose to respond
  • Automated Engagement: Execute auto-reply rules and auto-like settings that you configure and control
  • Analytics & Insights: Fetch and display performance metrics for your content so you can make data-driven decisions
  • Account Management: Store your connection status, tokens, and preferences to maintain your linked accounts
  • Token Maintenance: Automatically refresh expiring access tokens so your connections remain active
  • Service Improvement: Analyze anonymized usage patterns to improve features and user experience
  • Customer Support: Respond to your inquiries and provide technical assistance
  • Security: Verify webhook signatures, detect fraud, and prevent unauthorized access
  • Legal Compliance: Comply with applicable laws and enforce our Terms of Service

We Do NOT:

  • Sell your personal information or social media data to any third party
  • Share your data with advertisers or data brokers
  • Use your content for purposes other than providing our Service to you
  • Access your social media accounts for any purpose you have not authorized
  • Send unsolicited messages from your accounts — automation only responds to incoming conversations
  • Train AI models on your private data or content

3. Data Sharing and Third-Party Services

3.1 Social Media Platforms

We interact with the following platforms' APIs to provide our core features. Your content is transmitted to these platforms only when you explicitly schedule or publish a post, or when you send a reply through our inbox:

3.2 Service Providers

We use the following third-party services to operate FloPost:

  • Google Cloud / Firebase: Database storage, user authentication, and file storage
  • Vercel: Application hosting and serverless function execution
  • Upstash (QStash): Scheduled task execution for timed post publishing
  • Stripe: Payment processing and subscription management
  • ImgBB: Optional image hosting for post images

Each provider processes data only as necessary to provide their service and under their respective privacy policies and data processing agreements.

3.3 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or governmental request, or to protect our rights, property, safety, or the safety of others.

4. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data is transmitted over TLS/SSL (HTTPS)
  • Server-side token storage: OAuth access tokens are stored in Firebase Firestore, never exposed to the client browser
  • Webhook verification: Instagram and Facebook webhooks are verified using HMAC-SHA256 signatures
  • Authentication: All API endpoints that access user data require Firebase Authentication
  • Scheduled task verification: Scheduled post execution endpoints use cryptographic QStash signature verification
  • CRON job protection: Background jobs are protected by bearer token authentication
  • Security headers: X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers are set on all responses

While we strive to use commercially acceptable means to protect your data, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

5. Your Data Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct inaccurate information
  • Deletion: Request complete deletion of your data (see Section 6)
  • Portability: Request transfer of your data in a machine-readable format
  • Withdrawal of Consent: Disconnect any social media account at any time from the Accounts page — this immediately revokes our access to that platform
  • Objection: Object to processing of your data for specific purposes
  • Restriction: Request that we limit how we process your data

To exercise any of these rights, contact us at privacy@flopost.ai. We will respond within 30 days.

6. Data Deletion

You can request deletion of your data through any of these methods:

  1. Visit our Data Deletion page and follow the instructions
  2. Email us at privacy@flopost.ai with "Data Deletion Request" in the subject line
  3. For Facebook/Instagram users: Data deletion is also initiated automatically through Meta's platform when you remove our app from your Facebook settings. Our callback endpoint at /api/data-deletion processes these requests.

Upon receiving a deletion request, the following data will be permanently removed within 30 days:

  • Your FloPost account information and authentication data
  • All stored OAuth access tokens for connected platforms
  • Scheduled posts, drafts, and post history
  • Analytics data and follower history snapshots
  • Stored messages and comments from the unified inbox
  • Automation rules and settings
  • Uploaded media files (images, videos)

You can check the status of your deletion request at flopost.ai/data-deletion-status using the confirmation code provided.

Note: Deleting data from FloPost does not delete content already published to your social media accounts. To manage content on Facebook, Instagram, TikTok, or YouTube, use those platforms' native tools. To revoke FloPost's access to your accounts, remove the app from each platform's settings.

7. Data Retention

We retain your personal data only as long as necessary:

  • Active accounts: Data is retained while your account remains active and connected
  • Disconnected platforms: When you disconnect a social media account, we delete the associated access token and stop fetching new data. Historical data (posts, analytics) is retained until you request deletion.
  • Deleted accounts: All data is permanently deleted within 30 days of a deletion request
  • Access tokens: Automatically refreshed before expiration (within 20 days of expiry) to maintain functionality. Expired tokens that cannot be refreshed are flagged.
  • Legal requirements: Some data may be retained longer if required by law (e.g., financial records for tax compliance)

8. Children's Privacy

Our Service is not intended for users under 13 years of age (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at privacy@flopost.ai and we will promptly delete such data.

9. International Data Transfers

FloPost is hosted on Vercel (global edge network) and Google Cloud (United States). Your information may be transferred to and maintained on servers located outside your country of residence, where data protection laws may differ. By using our Service, you consent to this transfer. We ensure appropriate safeguards are in place, including data processing agreements with our service providers.

10. Cookies and Tracking

We use cookies and similar technologies for:

  • Authentication: Maintain your login session
  • Preferences: Remember your settings and choices
  • Analytics: Understand usage patterns to improve the Service (anonymized)

We do not use cookies for advertising or cross-site tracking. You can control cookie preferences through your browser settings.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by us
  • Right to opt-out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact privacy@flopost.ai.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland:

  • Legal basis: We process your data based on your consent (connecting social media accounts) and contractual necessity (providing the Service)
  • Data Protection Officer: Contact privacy@flopost.ai
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority
  • Data transfers: Transfers outside the EEA are protected by standard contractual clauses or other appropriate safeguards

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice within the FloPost dashboard
  • Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. If you disagree with the changes, you may delete your account.

14. Contact Us

For privacy-related questions, concerns, or data requests:

Platform-Specific Privacy Policies

Your use of connected social media platforms is also subject to their respective privacy policies:

Last updated: February 10, 2026