Privacy Policy

1. Information We Collect

We collect the following categories of information:

• Account information. When you register, we collect your name, email address, and (if applicable) your Google OAuth identity. We store your password as an irreversible hash using bcrypt; we never store plaintext passwords.
• Brand and workspace data. We store the brand name, slug, and any workspace descriptions or AI-generated content you create through the platform.
• Connected platform tokens. When you connect a social media account (e.g. Instagram, LinkedIn, TikTok), we store OAuth tokens on your behalf through our publishing partner, Post for Me. These tokens are encrypted at rest using AES-256-GCM.
• Content you generate. Captions, media files, and other content assets you create or upload are stored in Cloudflare R2 object storage and associated with your account.
• Usage and analytics data. We collect page views, feature usage events, and error logs to improve the product. This data is aggregated and is not used to build individual advertising profiles.
• Billing information. Payments are processed by Stripe. We store only your Stripe customer ID and subscription status; we do not store raw payment card details.

2. How We Use Your Information

• Providing the service. We use your account data, connected tokens, and content to operate the platform: scheduling posts, running AI agents, and delivering approval flows.
• Billing and subscription management. We use your billing information to process subscription payments and send invoices via Stripe.
• Abuse prevention and security. We may analyse usage patterns to detect and prevent fraud, spam, and other misuse of the platform.
• Product improvement. Aggregated, anonymised usage data helps us understand which features are most valuable and prioritise future development.
• Communications. We may send you transactional emails (e.g. account confirmation, billing receipts, approval notifications). You may opt out of marketing emails at any time via the unsubscribe link.

3. Third-Party Services

We work with the following third-party processors:

• Post for Me. Social publishing partner. When you connect a social account, Post for Me stores and manages the OAuth tokens on your behalf in order to publish content to supported platforms.
• Anthropic.AI inference provider. Content you submit for AI-assisted generation is processed by Anthropic’s Claude models. Anthropic processes data according to their own privacy policy and enterprise data agreements.
• Stripe. Payment processor. Stripe handles all payment card data under their own PCI-DSS compliance programme. We share only what is necessary to create and manage your subscription.
• Cloudflare R2.Media storage. Uploaded images, videos, and other media assets are stored in Cloudflare’s R2 object storage. Data is stored in Cloudflare’s infrastructure and is subject to Cloudflare’s data protection terms.
• Neon.Database hosting. Structured data (accounts, workspaces, content metadata) is stored in Neon’s managed PostgreSQL service.

We do not sell your personal data to third parties for advertising purposes.

4. Data Retention

We retain your data for as long as your account is active. If you delete your account:

• We will begin deletion of your personal data within 30 days of receiving a confirmed deletion request.
• Some data may be retained for longer in anonymised or aggregated form for analytics purposes, or where required by law (e.g. billing records for tax compliance).
• Media files stored in Cloudflare R2 will be purged as part of the account deletion process within the same 30-day window.

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access. You can request a copy of the personal data we hold about you.
• Correction. You can update your account information directly in the platform settings, or contact us to request corrections.
• Deletion (GDPR right of erasure). You can request that we delete your personal data. We will action deletion requests within 30 days. Note that some data may be retained where required by law.
• Portability. You can request an export of your data in a machine-readable format.
• Objection and restriction. You may object to certain types of processing or request that we restrict processing of your data while a dispute is resolved.

To exercise any of these rights, contact us at privacy@cfw.social.

6. Cookies and Tracking

We use essential cookies to maintain your authenticated session. We do not use third-party advertising cookies or cross-site tracking. Analytics data (if any) is collected in a first-party context and is not shared with advertising networks.

7. Security

We apply industry-standard security measures including encrypted data transmission (TLS), encryption of sensitive fields at rest (AES-256-GCM), and regular access reviews. No system is perfectly secure; if you become aware of a security issue, please contact us immediately at privacy@cfw.social.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the application at least 14 days before changes take effect. Continued use of the service after changes take effect constitutes your acceptance of the updated policy.

9. Contact Us

For privacy-related questions or requests, contact us at: