Privacy Policy
Effective: April 3, 2026
1. Introduction
FluxEngine ("we," "us," or "our") operates the FluxEngine platform at fluxengine.app (the "Service"). This Privacy Policy describes how we collect, use, store, share, and delete your information when you use our Service, including through integrations with third-party social media platforms.
By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
- Email address, name, and authentication credentials (password hash or OAuth provider identity)
- Account preferences and settings
2.2 Platform Data (via OAuth)
When you connect a social media account, we collect and process:
- OAuth access tokens and refresh tokens (encrypted at rest)
- Platform user identifiers (open ID, channel ID, page ID)
- Public profile information (display name, avatar URL)
- Account statistics (follower count, engagement metrics, video/post counts)
- Video and content metadata (titles, descriptions, view counts, like counts)
2.3 Content You Upload
- Video files and media uploaded through the Service
- Captions, descriptions, and metadata you provide
- Content fingerprints (SHA-256 hashes) for duplicate detection
2.4 Usage and Technical Data
- IP address, browser type, device information
- Pages visited, features used, and timestamps
- Error logs, stack traces, and performance data (via Sentry)
- Product usage events such as sign-ups, platform connections, and publish actions, tied to your internal account identifier (via PostHog)
Our product analytics tool (PostHog) operates in cookieless mode — it does not set cookies, use local storage, or persist identifiers across browser sessions. Events are linked to your internal account identifier (a UUID) so we can analyze usage patterns per user; your email, name, and other personal details are not sent to PostHog. We do not enable automatic pageview or click tracking; only the specific events listed above are captured. Our error tracking tool (Sentry) captures technical error data only and is configured to minimize personally identifiable information (PII) collection. Both tools process data exclusively in the European Union (see Section 11).
3. How We Use Your Information
We use your information solely to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your account
- Execute publishing, scheduling, and analytics features you initiate
- Display your social media metrics and growth history within the dashboard
- Detect duplicate content and prevent accidental re-posting
- Communicate with you about your account, security alerts, and policy changes
- Monitor errors, diagnose issues, and improve Service reliability (via Sentry)
- Understand aggregate product usage patterns to improve features (via PostHog)
- Comply with legal obligations
We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.
4. Legal Basis for Processing
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Connecting social media accounts via OAuth | Consent (Art. 6(1)(a)) |
| Publishing, scheduling, and managing content | Contract performance (Art. 6(1)(b)) |
| Displaying analytics and growth metrics | Contract performance (Art. 6(1)(b)) |
| Error tracking and performance monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Product usage analytics (PostHog, cookieless) | Legitimate interest (Art. 6(1)(f)) |
| Duplicate content detection (fingerprinting) | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Service-related communications (security alerts, policy changes) | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing conducted prior to withdrawal. Where we rely on legitimate interest, you have the right to object (see Section 8).
5. Third-Party Platform Integrations
The Service integrates with third-party social media platforms. Your use of each integration is also governed by that platform's own terms and privacy policies. We encourage you to review them:
TikTok
We access TikTok data through the TikTok API, including your public profile, video list, engagement statistics, and the ability to publish videos or save drafts on your behalf. We collect only the data necessary to provide these features and honor deletion requests within 30 days.
YouTube (Google)
The Service uses YouTube API Services to access your channel information, video metadata, analytics, and to publish and manage content on your behalf. Our use of YouTube API Services is subject to the YouTube API Services Terms of Service.
We request the following YouTube/Google OAuth scopes:
- youtube (sensitive) — Manage your YouTube account, including playlists, channel settings, and video metadata
- youtube.upload (sensitive) — Upload videos to your YouTube channel
- yt-analytics.readonly — View YouTube Analytics reports for your channel (read-only)
The youtube scope grants full account management access, which we use to manage video metadata (titles, descriptions, tags, privacy status) and playlist operations on your behalf. We do not use this scope to modify channel settings or perform actions beyond what you explicitly initiate through FluxEngine.
Google's Privacy Policy applies: Google Privacy Policy.
You may revoke FluxEngine's access to your Google account at any time via Google Security Settings. Upon revocation, we will delete your YouTube-related data within 7 days for in-app revocation or 30 days for Google Security Settings revocation.
Google API Services — Limited Use Disclosure
FluxEngine's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve user-facing features of FluxEngine.
- We do not transfer Google user data to third parties except as necessary to provide the Service, for security purposes, or to comply with applicable law.
- We do not use Google user data for advertising, retargeting, or interest-based profiling.
- We do not sell Google user data to data brokers, information resellers, or any third party.
- We do not use Google user data for credit-worthiness determinations or lending qualifications.
- We do not use Google user data to train generalized artificial intelligence or machine learning models.
- No human reads your Google user data unless: (a) you provide affirmative consent, (b) it is necessary for security or abuse investigation, (c) it is required by law, or (d) the data is aggregated and anonymized for internal operations.
Meta (Facebook & Instagram)
We access Facebook and Instagram data through the Meta Graph API, including Business and Creator account profiles, page information, and the ability to publish content on your behalf. Only Business and Creator accounts are supported; personal Instagram accounts cannot be connected.
We process Meta platform data only as described in this policy. When you disconnect your Meta account or request data deletion, we delete your Meta-related data without undue delay. We also provide a Data Deletion Request Callback endpoint registered with Meta, which processes deletion requests automatically.
Threads
We access Threads data through the Threads API (separate from the Meta Graph API), including your Threads profile, posts, and engagement metrics. We request the following scopes: threads_basic, threads_content_publish, threads_manage_insights, and threads_manage_replies.
Threads uses a separate OAuth app and token from Facebook and Instagram. When you disconnect your Threads account or request data deletion, we delete your Threads-related data and revoke the associated token without undue delay.
See: Threads Terms of Use / Threads Supplemental Privacy Policy
LinkedIn
We access LinkedIn data through the LinkedIn API to retrieve your profile information and publish content on your behalf. We do not commingle LinkedIn member data with data from other sources, sell or rent LinkedIn data, or use it for advertising, recruiting, or data brokerage purposes.
Upon disconnection or account closure, we immediately delete all LinkedIn content, member tokens, and OAuth credentials.
See: LinkedIn Privacy Policy / LinkedIn User Agreement / LinkedIn Cookie Policy
X (formerly Twitter)
We access X data through the X API to retrieve your profile information and post content on your behalf with your express consent. If content is deleted or modified on X, we update or delete our copy within 24 hours. We do not use X content to target users with advertising outside of X.
This policy is no less protective than the X Privacy Policy. See also: X Terms of Service
6. How We Share Your Information
We do not sell, rent, lease, or trade your personal data.
We may share your information only in these circumstances:
- Platform APIs: We transmit data to and from the third-party platforms you connect (e.g., publishing a video to TikTok) solely to execute actions you initiate.
- Infrastructure providers: We use third-party hosting, storage, database, analytics, and error monitoring services that process data on our behalf under contractual obligations to protect your information:
  - Vercel — hosting and serverless compute (EU region: Dublin)
  - Supabase — database, authentication, and storage (EU region: Frankfurt)
  - Sentry — error tracking and performance monitoring (EU region: Frankfurt). Captures stack traces and request metadata; configured to minimize PII collection.
  - PostHog — product analytics (EU region: Frankfurt). Operates in cookieless mode with no session replay. Collects usage events (e.g., sign-ins, publishes, feature interactions) tied to your internal account identifier and post identifiers. Your email, name, and platform credentials are never sent to PostHog.
- Legal compliance: We may disclose data if required by law, regulation, legal process, or governmental request.
- Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you via email and/or prominent notice on the Service before any transfer and before your data becomes subject to a different privacy policy.
7. Data Retention & Deletion
We retain your data only as long as necessary to provide the Service and fulfill the purposes described in this policy. When you disconnect a platform or delete your account, we delete the associated data immediately. The timelines listed below are maximum bounds required by each platform's API terms — in practice, deletion is typically instant.
| Platform | Deletion Timeline |
|---|---|
| X (formerly Twitter) | Within 24 hours |
| YouTube (Google) — in-app revocation | Within 7 days |
| LinkedIn | Immediately upon disconnection |
| Meta (Facebook & Instagram) | Without undue delay |
| Threads | Without undue delay |
| TikTok | Within 30 days |
| YouTube (Google) — via Google Security Settings | Within 30 days |
| FluxEngine account deletion | Within 30 days |
| PostHog analytics data | Purged monthly for deleted accounts |
| Sentry error data | Automatically expired after 90 days |
Deletion includes: OAuth tokens, platform profile data, analytics and growth history, content fingerprints, uploaded media files, scheduled posts, delivery records, and associated analytics events in PostHog. Anonymized, aggregated data that cannot identify you may be retained for service improvement.
8. Your Rights
All users have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data. You can disconnect individual platforms from your dashboard, or delete your entire account.
- Revocation: Revoke OAuth access to any connected platform at any time, either through the FluxEngine dashboard or through the platform's own settings (e.g., Google Security Settings, TikTok authorized apps, Meta app settings).
- Portability: Request your data in a structured, machine-readable format.
- Withdraw consent: Withdraw consent for data processing at any time, without affecting the lawfulness of processing conducted prior to withdrawal.
Additional Rights for EEA, UK, and Swiss Residents
Under the GDPR and UK GDPR, you additionally have the right to:
- Object: Object to processing of your personal data based on legitimate interest (GDPR Art. 21). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Restrict processing: Request that we restrict processing of your personal data in certain circumstances (GDPR Art. 18), such as while we verify the accuracy of your data or assess an objection.
- Automated decision-making: FluxEngine does not make automated decisions that produce legal or similarly significant effects on you. All publishing and scheduling actions require your explicit initiation.
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. For the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU member states, find your authority at edpb.europa.eu.
Additional Rights for California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
- Delete: Request deletion of your personal information, subject to certain exceptions.
- Opt out of sale or sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. We do not sell personal information to third parties, data brokers, or information resellers. We do not share personal information for cross-context behavioral advertising.
- Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information collected in the past 12 months: identifiers (email, name), internet activity (usage logs), professional information (social media account data), and sensory data (video content you upload). See Section 2 for details.
Additional US State Privacy Rights
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and Montana have similar rights under their respective state privacy laws, including rights to access, delete, correct, and opt out of certain processing. We honor these rights for all users regardless of location. We do not process sensitive personal data (as defined by these laws) without your explicit consent.
To exercise any of these rights, contact us at privacy@fluxengine.app. We will verify your identity and respond within 30 days (or 45 days if an extension is necessary, with notice). You may also designate an authorized agent to make requests on your behalf.
9. Security
We implement industry-standard administrative, organizational, and technical safeguards to protect your data, including:
- Encryption of OAuth tokens at rest using server-side encryption keys
- All data transmitted over HTTPS (TLS 1.2+)
- Row-level security policies ensuring users can only access their own data
- Secure environment variable management for all secrets and API credentials
- Regular access control reviews and monitoring
No system is completely secure. If we become aware of a security breach affecting your personal data, we will notify you and any applicable regulator as follows: EEA/UK residents within 72 hours of becoming aware (per GDPR Art. 33), and all other users without unreasonable delay in accordance with applicable law.
10. Children's Privacy
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children under 16 (or under 13 where applicable under local law). If you believe a child has provided us with personal data, please contact us at privacy@fluxengine.app and we will promptly delete it.
11. International Data Transfers
Your data may be processed in countries other than your country of residence, including the United States. When we transfer personal data outside the EEA, UK, or Switzerland, we ensure it is protected by appropriate safeguards:
- EU data residency: Our analytics (PostHog) and error monitoring (Sentry) services are configured to process and store data exclusively within the European Union (Frankfurt, Germany). No analytics or error data is transferred outside the EU.
- Standard Contractual Clauses (SCCs): Our infrastructure providers (Supabase and Vercel) maintain EU Standard Contractual Clauses approved by the European Commission for data transfers to the United States.
- Adequacy decisions: Where the European Commission has determined that a country provides an adequate level of data protection, we may rely on that adequacy decision.
- EU-U.S. Data Privacy Framework: Where applicable, our providers participate in and have certified compliance with the EU-U.S. Data Privacy Framework.
You may request a copy of the safeguards we rely on by contacting privacy@fluxengine.app.
12. Cookies & Local Storage
We use essential cookies and browser local storage to maintain your authenticated session and remember your preferences. We do not use tracking cookies or advertising cookies. Our product analytics tool (PostHog) operates in cookieless mode — it uses in-memory persistence only and does not set cookies, write to local storage, or track users across sessions. Our error monitoring tool (Sentry) does not set any cookies. As we use only strictly necessary cookies, no consent banner is required under the ePrivacy Directive; however, we provide this disclosure for transparency.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via your registered email address and post a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If we change how we use data obtained through platform APIs, we will obtain your consent before using your data in the new way.
All prior versions of this policy are available via the version history above.
14. Contact & Data Protection
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
- Privacy inquiries: privacy@fluxengine.app
- Security incidents: security@fluxengine.app
- General legal: legal@fluxengine.app
For EEA/UK data protection matters, our designated point of contact for data protection inquiries is reachable at privacy@fluxengine.app. We will respond to all data protection requests within 30 days.