This Privacy Policy explains how ContentFlow ("we", "our", "us") collects, uses, and shares information when you use our website and product at contentflow.club (the "Service"). We've tried to write it in plain English. If anything is unclear, email privacy@contentflow.club.
1. Information we collect
Information you provide
- Account information: Email address, name, and password (hashed) when you create an account.
- Content you create: Posts, drafts, topics, writing style examples, and feedback you enter into the Service.
- Payment information: Billing details are collected and processed by Stripe. We never see or store your card number.
- Connected LinkedIn account: When you connect LinkedIn, we receive your basic profile (name, email, LinkedIn ID) and an OAuth access token that allows us to publish posts on your behalf when you schedule them. Tokens are encrypted at rest (AES-256-GCM). We do not read your private messages or feed. We may add support for additional platforms in the future, and will update this policy if we do.
Information collected automatically
- Usage data: Pages viewed, features used, and basic device information (browser, OS, screen size) via PostHog. We configure PostHog to not capture your IP address.
- Diagnostic data: Error reports and stack traces via Sentry when something breaks. These may include the URL and user ID associated with the error, but never the contents of your drafts.
- Cookies: Strictly necessary cookies for authentication and session management, plus analytics cookies for product usage. See the Cookies section below.
2. How we use information
- To operate, maintain, and improve the Service.
- To generate AI-assisted drafts and suggestions in your account (your content is sent to our AI providers — see Section 4).
- To publish posts to LinkedIn when you schedule them.
- To process payments and manage subscriptions.
- To send transactional emails (welcome, billing receipts, scheduled-post failures, trial reminders).
- To respond to support requests and feedback.
- To detect and prevent fraud, abuse, or security incidents.
We do not train AI models on your content. Your drafts, style examples, and posts are used solely to provide you with the Service.
3. Legal basis for processing (GDPR)
If you're in the EEA, UK, or Switzerland, we process your personal data on the following bases:
- Performance of a contract — operating the Service you signed up for.
- Legitimate interests — improving the Service, securing it, and preventing abuse, where these interests are not overridden by your rights.
- Legal obligation — tax, accounting, and compliance requirements.
- Consent — marketing emails and optional analytics. You can withdraw consent at any time.
4. Third-party services we share data with
We use the following sub-processors. Each handles your data under its own privacy policy.
- Supabase — database, authentication, file storage.
- Vercel — application hosting and CDN.
- Stripe — payment processing and subscription billing.
- OpenAI — AI draft and suggestion generation. Your prompts and content are sent to OpenAI's API; OpenAI does not use API data to train its models per their API data usage policy.
- Google (optional) — Generative AI for optional image generation, where used. Subject to Google's API data policies.
- Perplexity / Tavily — web search for topic suggestions. When you use these features, your search query is sent to the active provider.
- PostHog — product analytics.
- Sentry — error monitoring.
- Langfuse — LLM call tracing for debugging and quality.
- Inngest — background job scheduling for post publishing and token refresh.
- Resend — transactional email delivery.
- LinkedIn — when you connect your account and publish posts, we send your post content and OAuth token to LinkedIn's API.
We may also share information when required by law, to enforce our terms, to protect the rights and safety of our users or the public, or in connection with a merger, acquisition, or sale of assets (in which case we'll notify you). We do not sell your personal information to third parties.
5. Data retention
- Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
- Posts and drafts: retained while your account is active, deleted with the account.
- Billing records: retained for 7 years as required by tax and accounting regulations.
- Analytics data: retained for up to 12 months in aggregated form.
6. Your privacy rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and personal data.
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent for optional processing.
If you are in the EEA, UK, or Switzerland and believe we have processed your data unlawfully, you also have the right to lodge a complaint with your local data protection authority. You can find your EU authority via the European Data Protection Board, the UK's Information Commissioner's Office, or Switzerland's Federal Data Protection and Information Commissioner. We'd appreciate the chance to address your concerns first, so please consider contacting us.
7. US state privacy rights
If you are a resident of California or another US state with a comprehensive privacy law (such as Colorado, Connecticut, Texas, Virginia, and others), you may have the right to:
- Confirm whether we process your personal data and access it.
- Correct inaccuracies in your personal data.
- Delete the personal data we hold about you.
- Obtain a portable copy of the data you provided to us.
- Opt out of "sale" of personal data, "sharing"/targeted advertising, and certain profiling.
- Not be discriminated against for exercising any of these rights.
We do not sell or share your personal information, we do not engage in targeted advertising, and we do not run cross-context behavioral profiling. Because of this, there is no sale or targeted-advertising activity for you to opt out of. California residents may also request the categories of personal information we collect, which are described in Section 1.
8. How to exercise your rights
The fastest way to review, export, correct, or delete your data is from your account settings. You can also email privacy@contentflow.club and we'll respond within 30 days (or sooner where the law requires).
- Verification: to protect your data, we may need to verify your identity before acting on a request — usually by confirming control of the email address on your account.
- Authorized agents: you may use an authorized agent to submit a request on your behalf. We may ask for proof of authorization and may still verify your identity directly.
- Appeals: if we decline your request, we'll explain why. Where your state law provides an appeal right, you may appeal by replying to our decision; if we deny the appeal, you may contact your state attorney general.
9. Security
We use industry-standard security practices: TLS in transit, encryption at rest for OAuth tokens (AES-256-GCM), hashed passwords (Supabase Auth uses bcrypt), and row-level security in the database. No system is perfectly secure — if you discover a vulnerability, please email us at hello@contentflow.club.
10. International data transfers
We are operated from Singapore, and our service operates globally. Your data may be processed in countries outside your own — primarily Singapore and the United States, where most of our sub-processors are based. These countries may not have the same data protection laws as your home country. Where required for transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards, which can be provided on request.
11. Cookies
We use the following cookie categories:
- Strictly necessary: authentication sessions, CSRF protection. These cannot be disabled.
- Analytics: PostHog uses cookies to understand product usage. You can opt out by disabling cookies in your browser or contacting us.
We do not use advertising or third-party tracking cookies.
12. Do-Not-Track signals
Some browsers offer a "Do-Not-Track" (DNT) setting. Because there is still no agreed industry standard for how to interpret DNT signals, we do not currently respond to them. We don't run advertising or cross-site tracking regardless. If a standard is adopted that we're required to follow, we'll update this policy.
13. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us and we'll delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email and on the website. The "Effective" and "Last updated" dates at the top reflect the latest version.
15. How to contact us
ContentFlow is operated from Singapore and is the controller of your personal information. For privacy questions, data requests, or to exercise any of your rights, email privacy@contentflow.club. For general questions or to report a security issue, email hello@contentflow.club.