GDPR Compliant

GDPR Compliance

NeeFlow is committed to protecting the personal data of EU, EEA, and UK users in compliance with the General Data Protection Regulation (GDPR). This page outlines our compliance measures and your rights.

Regulation: EU 2016/679 (GDPR)
Last Updated: February 22, 2025
Applies to: EU, EEA & UK users

  • Right of Access: Request a full copy of the personal data we hold about you.
  • Right to Erasure: Request deletion of your data at any time.
  • Data Portability: Export your data in a machine-readable format.

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a European Union law (Regulation (EU) 2016/679) that governs how organizations collect, store, use, and protect personal data of individuals in the European Economic Area (EEA) and United Kingdom.

NeeFlow is committed to full compliance with GDPR requirements. This page explains our data processing practices, your rights as an EU/EEA/UK data subject, and how to exercise those rights.

If you have any GDPR-related concerns, contact our privacy team at privacy@neeflow.com.

2. Data Controller & Processor

2.1 Data Controller

NeeFlow acts as the Data Controller for personal data collected from users of our platform. As the Data Controller, we determine the purposes and means of processing your personal data.

2.2 Data Processors

NeeFlow engages the following third-party processors who process data on our behalf under data processing agreements:

  • Stripe: Payment processing — Stripe DPA
  • OpenAI: AI content generation — subject to OpenAI's data processing terms
  • Google (Gemini): AI content generation — subject to Google's data processing terms
  • Social Media Platforms: Facebook, Instagram, TikTok, YouTube, LinkedIn, X, Pinterest — content published on your behalf via their APIs

4. Your Rights Under GDPR

As an EU/EEA/UK data subject, you have the following rights under GDPR:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you, including the categories, purposes, and recipients of processing.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure / Right to be Forgotten (Art. 17): Request deletion of your personal data where there is no overriding legal reason to retain it.
  • Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller.
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Rights related to Automated Decision-Making (Art. 22): NeeFlow does not engage in automated decision-making or profiling that produces legal or similarly significant effects.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, submit a written request to privacy@neeflow.com. We will respond within 30 days (or 90 days for complex requests, with notification). We may need to verify your identity before processing the request.

5. International Data Transfers

NeeFlow is based in the United States. As the US is not considered an "adequate" country under GDPR, transfers of personal data from the EEA/UK to the US are governed by appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We rely on EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to NeeFlow's servers in the US.
  • Processor SCCs: Our third-party processors (Stripe, OpenAI, Google, etc.) also implement SCCs or other approved transfer mechanisms.

You may request a copy of the applicable SCCs by contacting privacy@neeflow.com.

6. Data Retention

We retain personal data only as long as necessary for the purposes it was collected:

  • Account data: Retained while your account is active. Deleted within 30 days of account closure (except as required by law).
  • Content & posts: Retained until you delete them or close your account.
  • OAuth tokens: Deleted immediately upon disconnecting the relevant social platform.
  • Billing records: Retained for 7 years to comply with tax and financial regulations.
  • Security logs: Retained for up to 90 days.

7. Data Protection Officer

NeeFlow does not currently meet the GDPR threshold requirements that mandate a formal Data Protection Officer (DPO) under Article 37. However, we treat privacy as a core responsibility and have designated a privacy contact who handles all data protection queries:

8. Right to Lodge a Complaint

If you believe NeeFlow has violated your GDPR rights and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:

  • EU Users: Contact the data protection authority in your EU member state. A full list is available at edpb.europa.eu.
  • UK Users: Contact the Information Commissioner's Office (ICO) at ico.org.uk.

We encourage you to contact us first at privacy@neeflow.com so we can attempt to resolve your concern directly.

9. Security Measures (Art. 32)

NeeFlow implements appropriate technical and organizational measures under GDPR Article 32 to ensure a level of security appropriate to the risk:

  • Encryption at Rest: OAuth tokens and sensitive credentials encrypted with AES-256.
  • Encryption in Transit: All data transmitted over TLS 1.2+.
  • Access Control: Role-based access control (RBAC) limiting data access to authorized personnel.
  • Password Security: bcrypt hashing with work factor 12 — no plain-text passwords.
  • Breach Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (Art. 33) and affected users without undue delay (Art. 34) where required.

© 2026 NeeFlow. All rights reserved.