AutoFlow, Inc. ("AutoFlow," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketing automation platform and related services (the "Service").

This policy applies to all users of AutoFlow, including individual users, organizations, and administrators. By using our Service, you consent to the data practices described herein.

2.1 Information You Provide Directly

• Account Registration: Name, email address, password, organization name
• Profile Information: Job title, company size, industry, contact preferences
• Brand Information: Business descriptions, target audiences, brand guidelines, logos
• Content Data: Marketing materials, social media content, brand assets you upload
• Payment Information: Billing address, payment method details (processed securely by third parties)
• Communication Data: Messages, support requests, feedback, and survey responses

2.2 Automatically Collected Information

• Usage Analytics: Features used, automation runs, time spent, click patterns
• Device Information: IP address, browser type, device identifiers, operating system
• Log Data: Server logs, error reports, performance metrics
• Location Data: General geographic location based on IP address
• Cookies and Tracking: Session cookies, preference cookies, analytics cookies

2.3 Third-Party Integrations

• Social Media Platforms: When you connect Facebook, Instagram, LinkedIn, Twitter accounts
• OAuth Tokens: Access tokens for social media publishing (encrypted and secure)
• Profile Data: Public profile information from connected social accounts
• Publishing Analytics: Performance data from published content

3.1 Primary Service Functions

• Provide access to marketing automation tools and features
• Generate AI-powered content based on your brand information
• Schedule and publish content to connected social media platforms
• Analyze and report on marketing performance and engagement
• Store and organize your content library and brand assets

3.2 Platform Operations

• Authenticate your identity and manage your account
• Process payments and manage billing
• Provide customer support and respond to inquiries
• Monitor system performance and troubleshoot issues
• Ensure security and prevent fraud or abuse

3.3 Service Improvement

• Analyze usage patterns to improve features and user experience
• Train and improve our AI content generation algorithms
• Develop new features and automation capabilities
• Conduct research and analytics for product development

3.4 Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract Performance: To provide our services as agreed
• Legitimate Interests: For security, fraud prevention, and service improvement
• Consent: For marketing communications and non-essential cookies
• Legal Obligations: To comply with applicable laws and regulations

4.1 When We Share Information

• With Your Explicit Consent: When you authorize specific sharing or integrations
• Service Providers: Trusted vendors who help operate our platform (under strict agreements)
• Social Media Platforms: When you connect accounts for content publishing
• Legal Requirements: When required by law, court order, or government investigation
• Business Transfers: In connection with mergers, acquisitions, or asset sales
• Safety and Security: To protect rights, property, or safety of users and the public

4.2 Third-Party Services

We work with trusted partners who help deliver our services:

• Cloud Infrastructure: AWS, Google Cloud for hosting and data storage
• Payment Processing: Stripe, PayPal for secure payment handling
• Analytics Services: Google Analytics for usage insights (anonymized)
• Communication: Email service providers for system notifications
• AI Services: OpenAI, Anthropic for content generation capabilities

5.1 Security Measures

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based permissions and multi-factor authentication
• Infrastructure: Secure cloud hosting with regular security audits
• Monitoring: 24/7 security monitoring and threat detection
• Regular Updates: Software updates and security patches applied promptly

5.2 Data Breach Response

In the unlikely event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by law. We maintain an incident response plan and conduct regular security training for our team.

6.1 Data Access and Export

• Account Access: View and update your profile and account settings
• Data Export: Download a complete copy of your data at any time via your account settings
• Export Format: Data is provided in machine-readable JSON format
• Export Contents: Includes all personal data, automation runs, generated content, and activity history

6.2 Data Deletion Rights

• Self-Service Deletion: Delete your account directly through your settings page
• Complete Data Removal: All personal data, automation runs, generated content, and activity logs are permanently deleted
• Deletion Timeline: Data is permanently removed from our systems within 30 days
• Confirmation Process: Password confirmation required for security
• Deletion Verification: You receive a deletion confirmation ID for your records
• Facebook Integration: Supports Facebook's data deletion callbacks for connected accounts

6.3 Account Management

• Profile Updates: Modify your personal information and preferences
• Integration Control: Connect and disconnect social media accounts
• Brand Ownership: Transfer or delete brand profiles you've created
• Organization Management: Manage team members and permissions (for admins)

6.4 Communication Preferences

• Opt out of marketing emails via unsubscribe links
• Control notification settings in your account preferences
• Request to be removed from all marketing communications

6.5 Cookie Controls

• Essential cookies required for platform functionality
• Analytics cookies can be disabled in your browser settings
• Marketing cookies require explicit consent

6.6 How to Exercise Your Rights

7.1 Retention Periods

• Account Data: Retained while your account is active
• Generated Content: Stored for service improvement, can be deleted on request
• Usage Analytics: Aggregated data retained for 2 years
• Support Communications: Retained for 3 years for quality assurance
• Legal Hold: Data may be retained longer if required by legal proceedings

7.2 Deletion Process

When you delete your account, we remove your personal information within 30 days, except for data we're legally required to retain. Some anonymized usage data may be retained for statistical purposes.

AutoFlow is based in the United States. If you access our services from outside the US, your information may be transferred to, stored, and processed in the US or other countries where we or our service providers operate.

8.1 EU/EEA Data Transfers

For users in the EU/EEA, we ensure adequate protection through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions for certain countries
• Additional safeguards as required by GDPR

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request details about personal information we collect
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We don't sell personal information, so this doesn't apply
• Non-Discrimination: We won't discriminate for exercising CCPA rights

To exercise these rights, contact us at privacy@autoflow.com with "California Privacy Request" in the subject line.

11.1 Connected Accounts

When you connect social media accounts to AutoFlow:

• We receive limited profile information (name, email, profile picture)
• We store encrypted access tokens for content publishing
• We can post content to your accounts only with your explicit permission
• We collect analytics data about published content performance

11.2 Supported Platforms

• Facebook/Meta: Pages posting, insights, audience data
• Instagram: Content publishing, story management, analytics
• LinkedIn: Company page posting, professional content scheduling
• Twitter/X: Tweet scheduling, thread management, engagement metrics

11.3 Revoking Access

You can revoke social media permissions at any time through:

• Your AutoFlow account settings
• The social media platform's privacy settings
• Contacting our support team

If you are in the EU/EEA, you have these additional rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to certain types of processing
• Right to Withdraw Consent: Withdraw consent for data processing
• Right to Lodge a Complaint: File complaints with data protection authorities

To exercise these rights, contact us at gdpr@autoflow.com. We will respond within 30 days.

Data Protection Officer:

• Email: dpo@autoflow.com
• Privacy Team: privacy@autoflow.com

Mailing Address:

• AutoFlow, Inc.
• Attn: Privacy Officer
• [Your Business Address]

EU Representative:

• Email: eu-representative@autoflow.com
• [EU Representative Details]

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.

14.1 Notification Process

• Email notification for material changes
• In-app notifications for significant updates
• 30-day advance notice for major policy changes

Continued use of our Service after changes take effect constitutes acceptance of the updated Privacy Policy.