Last updated: May 24, 2026
FlowFaze (“we,” “our,” “us”) operates the flowfaze.ai service: an AI-assisted content marketing platform that helps businesses plan, generate, and publish content to their own social media accounts. This policy explains what information we collect, how we use it, and the choices you have.
You provide your name, email address, and password when you sign up. We use these for authentication, billing, and product communications.
The websites, brand guidelines, target audiences, competitors, and content examples you connect or upload — all used to generate content on your behalf.
When you connect Facebook, Instagram, LinkedIn, X (Twitter), Google Search Console, or WordPress, we store OAuth access tokens (and refresh tokens where applicable) so we can publish on your behalf and read the analytics you've authorized. We also store the platform-provided account identifier (Page ID, IG Business Account ID, etc.) and the display name. Tokens are encrypted at rest with AES-256-GCM and are only used by our backend to perform actions you have explicitly initiated or scheduled.
Posts, captions, images, and short stock-video clips selected from third-party stock-media providers (Pexels, Pixabay) and stored against your account.
Standard server and application logs (request paths, response codes, latency, user agent, IP address), product events, and error telemetry. We use Sentry for error tracking and PostHog for product analytics.
If you purchase a paid plan, payment is handled by Stripe. We never see or store full card numbers; we receive a customer ID and metadata about subscription status only.
We use third-party AI providers to generate text, image-placement plans, and content suggestions. Your prompts, site context, and the content we ask the model to produce are sent to those providers under their data-processing terms. We do not use customer data to train any third-party model, and we configure providers to not retain prompts for training where the option is available.
FlowFaze uses Facebook Login solely to connect users' own Facebook Pages and Instagram Business accounts for the purpose of publishing content the user has created or scheduled in FlowFaze. We request only the permissions needed for publishing:
pages_show_list, pages_manage_posts, pages_read_engagement — to list the Pages you manage and publish/read posts on the Page(s) you select.instagram_business_basic, instagram_business_content_publish — to identify the Instagram Business Account linked to your Page and publish feed posts and Reels on your behalf.We do notread private messages, friend lists, or any data not required to publish the content you create. We do not sell or rent Meta-derived data to any third party. You can revoke FlowFaze's access at any time from Facebook's Business Integrations page, or from the Connections tab inside FlowFaze (Settings → Connections → Disconnect). When you disconnect, we delete the stored access token from our database within 24 hours. Any content you previously published to Facebook or Instagram remains on those platforms and is governed by their respective terms; you can delete those posts directly from Facebook/Instagram.
The same principle applies to other connected platforms: we request the minimum scopes required to publish on your behalf (LinkedIn w_member_social, X tweet.write, etc.) or to read the analytics you authorize (Google Search Console webmasters.readonly). Stored tokens are encrypted at rest, used only for actions you initiate, and deleted when you disconnect or delete your account.
When FlowFaze attaches an image or short video to your generated content, it fetches the asset from Pexels (primary) or Pixabay (fallback). These requests carry only a search query — no information about you or your site is sent to those providers beyond what they receive from any client running their public search API.
We do not sell your personal information. We share data only with the service providers needed to operate FlowFaze:
Each provider is bound by its own data-processing terms. We may also disclose data when required by law, to enforce our terms, or to protect the rights, safety, and property of FlowFaze, our users, or others.
We keep account data for as long as your account is active. When you delete your account or disconnect a platform, the corresponding tokens and related metadata are deleted from our active database within 24 hours and from backups within 30 days. Aggregated, fully anonymized analytics may be retained indefinitely.
Depending on where you live, you may have the right to:
To exercise any of these rights, email support@flowfaze.ai. We respond within 30 days. To delete your data directly without contacting us, go to Settings → Account → Delete Account inside FlowFaze.
We use industry-standard safeguards: TLS in transit, AES-256-GCM encryption at rest for tokens and other sensitive credentials, row-level tenant isolation in the database, and least-privilege access controls for engineers. No system is perfectly secure; if you believe your account has been compromised, contact support@flowfaze.ai immediately.
FlowFaze is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
FlowFaze is hosted in the United States. By using the service you understand that your data will be processed there and in any country where our service providers operate. We rely on standard contractual clauses and equivalent safeguards for cross-border transfers where required.
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you by email or in-app banner before the change takes effect.
Questions, requests, or complaints? Email support@flowfaze.ai or use the Contact form.