Privacy Policy

1. Introduction

CaptureFlow ("we," "our," or "us") is operated by Web3 Doers Krystian Koronowski, located at 23 Lutego 4/6/27, 61-741 Poznan, Poland (Registry number: PL7792306496). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our platform at captureflow.ai and any associated subdomains.

2. Information We Collect

Account Information

• Email address, name, and profile photo (via email signup, Google, or LinkedIn sign-in)
• Professional role, company name, and LinkedIn profile data (imported during onboarding)
• Language preference and timezone

LinkedIn Data (when you connect your LinkedIn account)

• Profile information: name, headline, profile photo URL, vanity URL
• OAuth access and refresh tokens (stored encrypted with AES-256)
• Profile data used for content strategy generation: experience, education, skills, about section
• Post engagement data (reactions, comments) for analytics purposes

Content You Create

• Video and audio recordings made in our studio
• AI-generated content (posts, scripts, strategies, infographics)
• Uploaded documents, images, PDFs, and videos
• Edited text, hashtags, and scheduling preferences

Usage Data

• Pages visited, features used, and interactions within the platform
• Device information, browser type, and IP address
• Analytics data collected via Vercel Analytics and PostHog

Workspace Data (for agency/team plans)

• Workspace membership, roles, and permissions
• Whitelabel branding settings (logos, colors, subdomains)
• Activity history and content calendars

3. How We Use Your Information

• Content Creation: Generate AI-powered content strategies, posts, scripts, and infographics based on your profile and preferences
• LinkedIn Publishing: Publish posts to LinkedIn on your behalf when you explicitly approve and schedule them
• Analytics: Track post performance and engagement metrics to provide insights
• Account Management: Authenticate your identity, manage your subscription, and maintain your workspace
• Platform Improvement: Analyze usage patterns to improve features and user experience
• Communications: Send transactional emails (password resets, invitations, publishing notifications) and product updates

4. LinkedIn Data Handling

We access your LinkedIn account only through official LinkedIn OAuth 2.0 authorization. Specifically:

• We never post without your explicit approval. All content is reviewed by you before publishing.
• OAuth tokens are encrypted at rest using AES-256 encryption and stored in our database.
• You can disconnect your LinkedIn account at any time from Settings, which immediately invalidates our access.
• Profile data imported during onboarding is used solely to generate your personalized content strategy and is not shared with third parties.
• We do not scrape LinkedIn or access data beyond what you explicitly authorize.

LinkedIn OAuth scopes we request:

• openid, profile, email — for authentication
• w_member_social — to publish posts on your behalf when you approve them

5. Data Storage and Security

• Database: Supabase (PostgreSQL with Row Level Security ensuring workspace-level data isolation)
• File Storage: Supabase Storage (images, PDFs, documents) and Mux (video processing and hosting)
• Encryption: OAuth tokens encrypted with AES-256; all data transmitted over HTTPS/TLS
• Access Control: Role-based permissions (owner, admin, member, viewer) with workspace isolation
• Data Residency: Data is stored in Supabase and AWS infrastructure

6. Third-Party Services

We use the following services to operate our platform:

Each third-party service processes data in accordance with their own privacy policies. We only share the minimum data necessary for each service to function.

7. Data Retention

• Account data: Retained while your account is active. Deleted upon account deletion request.
• Content and media: Retained while your account is active. Videos, images, and documents are deleted from storage when you delete them or when your account is deleted.
• LinkedIn tokens: Deleted immediately when you disconnect your LinkedIn account or delete your account.
• Analytics data: Retained for the duration of your subscription.
• Logs: Server logs retained for up to 30 days for debugging purposes.

8. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate personal data
• Erase your personal data ("right to be forgotten")
• Restrict processing of your personal data
• Port your data to another service
• Object to processing based on legitimate interests
• Withdraw consent at any time

To exercise any of these rights, contact us at hello@captureflow.ai. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. We use PostHog for product analytics, which may set analytics cookies. You can manage cookie preferences through your browser settings.

10. Children's Privacy

CaptureFlow is not intended for users under 18 years of age. We do not knowingly collect personal data from children.

11. International Data Transfers

Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place for international transfers in accordance with applicable data protection laws.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the platform after changes constitutes acceptance.

13. Contact Us

If you have any questions about this privacy policy or our data practices:

• Company: Web3 Doers Krystian Koronowski
• Address: 23 Lutego 4/6/27, 61-741 Poznan, Poland
• Registry number: PL7792306496
• Email: hello@captureflow.ai
• Website: https://captureflow.ai