Your Privacy Matters

Privacy Policy

We believe in transparency. This policy explains exactly what data we collect, why we collect it, and how we protect it across the NeeFlow platform.

Last Updated: February 22, 2025 | Effective Date: February 22, 2025 | Version: 1.0

  • We never sell your data: Your personal information is never sold or rented to third parties.
  • AES-256 Encryption: All sensitive credentials are encrypted at rest and in transit.
  • You stay in control: Access, export, or delete your data anytime from your account settings.

1. Introduction & Scope

NeeFlow ("we," "us," or "our") operates an AI-powered social media management platform at neeflow.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you use our Service.

This policy applies to all users of the NeeFlow platform, including administrators, team members, and end-users who access the Service through any device or interface. By using NeeFlow, you agree to the collection and use of information in accordance with this policy.

NeeFlow is operated by the company behind the platform. Our registered business address is Richmond, VA, United States. For privacy inquiries, contact us at privacy@neeflow.com.

2. Information We Collect

2.1 Account & Identity Data

  • Registration Information: Name, email address, and password (stored as a bcrypt hash; we never store plain-text passwords).
  • Profile Information: Avatar, display name, language and theme preferences.
  • Billing Information: Subscription plan tier; payment card details are processed and stored exclusively by Stripe and are never stored on NeeFlow servers.

2.2 Connected Platform Credentials

When you connect social media accounts (Facebook, Instagram, TikTok, YouTube, LinkedIn, X/Twitter, Pinterest), we receive and store OAuth access tokens issued by those platforms. These tokens are encrypted at rest using AES-256 encryption. We use these tokens solely to publish content, retrieve analytics, and manage messages on your behalf — never for any other purpose.

2.3 Content Data

  • Posts, captions, images, and videos you create or upload through NeeFlow.
  • AI-generated content created using our AI tools (OpenAI, Gemini, Runware, etc.) at your request.
  • Scheduling configurations, calendar entries, and content queues.

2.4 Usage & Technical Data

  • Log data: IP address, browser type, operating system, pages visited, actions taken, timestamps.
  • Device information: screen resolution, device type.
  • Feature usage patterns (which tools you use, how often) — used to improve the Service.

2.5 Inbox & Communication Data

Comments, messages, and replies received from social media platforms via our Inbox feature. These are processed to display your conversations and, optionally, to generate AI-suggested responses.

2.6 Information We Do NOT Collect

  • We do not collect your social media followers' personal data beyond what is provided to us by platform APIs for analytics purposes (aggregate, anonymized).
  • We do not use advertising cookies or sell data to ad networks.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: Publishing posts to connected social media accounts, displaying analytics dashboards, managing your content calendar and inbox.
  • AI Features: Processing your content requests through AI providers (OpenAI, Google Gemini, Runware) to generate captions, images, and content suggestions. Your prompts are transmitted to these providers under their respective privacy policies.
  • Account Management: Creating and maintaining your account, authenticating your identity, managing team role permissions.
  • Communication: Sending transactional emails (account confirmation, password reset, billing notifications, post approval requests) via our SMTP infrastructure.
  • Security & Fraud Prevention: Monitoring for unauthorized access, detecting abuse, and enforcing our Terms of Service.
  • Service Improvement: Analyzing aggregated usage patterns to improve features, fix bugs, and prioritize development.
  • Legal Compliance: Fulfilling obligations under applicable laws and regulations.

We do not use your content to train AI models without your explicit consent. Content you create is yours.

4. Data Sharing & Third Parties

We do not sell, rent, or broker your personal information to any third party.

4.1 Service Providers

We share data with trusted third-party providers strictly to operate the Service:

  • Social Media Platforms: Facebook, Instagram, TikTok, YouTube, LinkedIn, X, Pinterest — content published on your behalf.
  • AI Providers: OpenAI, Google Gemini, Runware, OpenRouter, Synthetic.new — for AI content generation features you enable.
  • Stripe: Payment processing and subscription management.
  • Google Drive: Media storage integration (only if you connect Google Drive).
  • Robolly: Template-based image generation (only if you enable this integration).
  • SMTP Provider: Sending transactional emails.

4.2 Legal Requirements

We may disclose your information where required by law, court order, or governmental authority, or to protect the rights, property, or safety of NeeFlow, our users, or the public.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. You will be notified via email before your data is subject to a different privacy policy.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: OAuth tokens and sensitive credentials are encrypted using AES-256.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Password Security: User passwords are hashed using bcrypt with a work factor of 12 — passwords are never stored in plain text.
  • Access Control: Role-based access control (RBAC) ensures team members can only access resources within their assigned permissions. Admin actions are logged.
  • Security Headers: Our web application enforces HSTS, X-Frame-Options, X-Content-Type-Options, and Content-Security-Policy headers.
  • Infrastructure: Hosted on reputable cloud infrastructure with firewall protection and regular security updates.

While we implement robust safeguards, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying users of any confirmed data breach affecting their personal information.

6. Data Retention

  • Account Data: Retained as long as your account is active. Upon account deletion, personal data is purged within 30 days, except where retention is required by law.
  • Content & Posts: Retained until you delete them or your account is closed.
  • OAuth Tokens: Deleted immediately when you disconnect a social media account from NeeFlow.
  • Billing Records: Retained for 7 years as required by financial regulations.
  • Server Logs: Retained for up to 90 days for security and debugging purposes.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing of your data for specific purposes.
  • Withdrawal of Consent: Withdraw consent at any time where processing is consent-based.
  • Disconnect Integrations: Disconnect any social media platform from within the NeeFlow dashboard to revoke our access to those platform APIs.

To exercise any of these rights, contact us at privacy@neeflow.com. We will respond within 30 days.

8. Cookies & Tracking

NeeFlow uses only essential cookies required for the Service to function:

  • Session Cookies: Authentication session tokens (httpOnly, Secure, SameSite=Strict) to keep you logged in.
  • CSRF Tokens: Cross-site request forgery protection tokens.

We do not use: advertising cookies, cross-site tracking cookies, Google Analytics, Facebook Pixel, or any third-party behavioral tracking scripts on authenticated pages.

9. International Data Transfers

NeeFlow is operated from the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to this transfer.

For users in the European Economic Area (EEA) or United Kingdom, we ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where applicable.

10. Children's Privacy

NeeFlow is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@neeflow.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

  • Sending an email to your registered address, and/or
  • Displaying a prominent notice within the NeeFlow dashboard.

The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

For any privacy-related questions, requests, or concerns, please contact us:

© 2026 NeeFlow. All rights reserved.