MsgFlow

Privacy Policy

Effective Date: January 1, 2025 | Last Updated: 11/9/2025

At MsgFlow, operated by [COMPANY NAME] Ltd (registered in England and Wales), we are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our unified social media inbox management platform. We are registered with the Information Commissioner's Office (ICO) as a data controller.

Key Information

  • Data Controller: [COMPANY NAME] Ltd
  • Registered Office: [ADDRESS TO BE CONFIRMED]
  • Contact Email: contact@msgflow.app
  • Data Protection Contact: contact@msgflow.app
  • ICO Registration: [REGISTRATION NUMBER TO BE CONFIRMED]

1. Information We Collect

1.1 Information You Provide Directly

When you create an account with MsgFlow, we collect:

  • Account Information: Email address and password (hashed and encrypted)
  • Authentication Data: If you sign in with Google OAuth, we receive your email address and basic profile information from Google
  • Profile Information: Display name, avatar URL, and timezone preferences
  • Payment Information: Processed securely through Stripe (we do not store your credit card details)
  • Communication Data: When you contact our support team via contact@msgflow.app
  • Marketing Preferences: Your consent to receive promotional emails (opt-in only, not required)

1.2 Information from Connected Social Media Accounts

When you connect Instagram or Facebook accounts to MsgFlow via OAuth 2.0, we access and store the following data through official Meta Graph APIs:

  • Account Credentials: Access tokens and refresh tokens (encrypted, 60-day expiry with automatic refresh)
  • Profile Data: Platform username, user ID, avatar URL, and display name
  • Messages: Direct messages, sender/recipient information, message content, timestamps, read status, reactions, and attachments (images, videos, voice messages)
  • Comments: Comments on your posts, commenter information, comment content, timestamps, likes, replies, and attachments
  • Conversation Data: Participant information, unread counts, conversation status (active/archived)
  • Media Content: Images, videos, and URLs from messages and comments (cached temporarily from Meta CDN)
  • Engagement Metadata: Message reactions (emojis), edit history, deletion markers, and interaction timestamps

1.3 Automatically Collected Information

When you use MsgFlow, we automatically collect:

  • Usage Analytics: Features accessed, pages viewed, button clicks, and time spent in the application (via Vercel Analytics)
  • Event Logs: Actions performed (account connections, message sends, comment replies, searches) with timestamps for security and audit purposes
  • Technical Data: Browser type, operating system, IP address (for authentication and security only)
  • Error Reports: Application errors, stack traces, and diagnostic information via Sentry (does not include message content)
  • Webhook Events: Real-time notifications from Instagram and Facebook about new messages, comments, and interactions
  • Cookies: Session cookies (Supabase authentication) and analytics cookies (Vercel Analytics, Google Analytics if enabled)

2. Legal Basis and How We Use Your Information

Under UK GDPR, we must have a lawful basis to process your personal data. We process your information for the following purposes and legal bases:

2.1 Performance of Contract (Providing Our Service)

  • Account Management: Creating, maintaining, and authenticating your MsgFlow account
  • Service Delivery: Syncing, storing, and displaying messages and comments from connected Instagram and Facebook accounts
  • Real-time Updates: Processing webhook notifications for instant message and comment delivery
  • Message Operations: Enabling you to send replies, manage conversations, and interact with your social media audience
  • Search Functionality: Indexing and searching your messages and comments
  • Platform Integration: Managing OAuth tokens and maintaining connections to Instagram and Facebook

2.2 Legitimate Interests

  • Service Improvement: Analyzing usage patterns to optimize features and develop new functionality
  • Security and Fraud Prevention: Monitoring for unauthorized access, detecting abuse, and protecting user accounts
  • Error Tracking: Logging errors via Sentry to identify and fix technical issues
  • Audit Logging: Recording events for security, troubleshooting, and compliance purposes (retained for 2 years, then anonymized)
  • Customer Support: Responding to inquiries and resolving technical issues

2.3 Legal Obligations

  • Compliance: Meeting UK GDPR, Data Protection Act 2018, and other legal requirements
  • Payment Processing: Processing subscription payments via Stripe in accordance with tax and financial regulations
  • Legal Requests: Responding to valid legal processes, court orders, and government requests

2.4 Consent (Where Required)

  • Marketing Communications: Sending promotional emails, product updates, and tips (only if you opt in via the checkbox during signup)
  • Analytics Cookies: Using cookies for usage analytics (you can manage cookie preferences in your browser)
  • Social Media Access: Accessing your Instagram and Facebook data via OAuth authorization

Note: You can withdraw consent at any time through your account settings or by contacting contact@msgflow.app. This will not affect the lawfulness of processing based on consent before withdrawal.

3. Data Storage and Security

3.1 Data Storage Infrastructure

  • Primary Database: PostgreSQL hosted by Supabase (ISO 27001 certified, SOC 2 Type II compliant)
  • Authentication: Managed by Supabase Auth with enterprise-grade security and session management
  • File Storage: Media attachments are referenced via URLs from Meta's CDN (not permanently stored on our servers)
  • Error Tracking: Sentry.io for application error logging (does not include message content)
  • Hosting: Application hosted on Vercel with global edge network and DDoS protection

3.2 Security Measures

  • Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.3 encryption (HTTPS)
  • Encryption at Rest: Database contents encrypted using AES-256 encryption via Supabase
  • Password Security: Passwords are hashed using bcrypt with salting (never stored in plain text)
  • Token Encryption: Instagram and Facebook access tokens are encrypted before storage and automatically expire after 60 days
  • Session Management: Secure, httpOnly cookies with automatic expiration and CSRF protection
  • Authentication: JWT-based authentication with signature validation and token expiry checking
  • Access Control: Row-level security policies ensure users can only access their own data
  • Webhook Verification: All Instagram and Facebook webhooks are verified using signature validation before processing
  • API Security: All API endpoints require valid bearer token authentication
  • Data Isolation: User data is isolated by user_id with database-level enforcement
  • Monitoring: Real-time error tracking and security event logging via Sentry
  • Automated Backups: Daily automated backups retained for 7 days

3.3 Payment Security

Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We do not store credit card numbers, CVV codes, or full payment details on our servers. Stripe handles all sensitive payment information in compliance with PCI standards.

Important Security Notice: While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously monitor and update our security practices to protect your data.

4. Third-Party Services and Data Sharing

4.1 Social Media Platforms (Meta/Facebook)

MsgFlow integrates with Instagram and Facebook via Meta's official Graph API. When you connect these accounts:

  • Authorization: You explicitly authorize MsgFlow via OAuth 2.0 to access specific permissions (messages, comments, profile data)
  • Data Access: We only access data you grant permission to, in accordance with Meta Platform Terms and Instagram Platform Policy
  • Third-Party Policies: Your use of Instagram and Facebook is governed by their respective privacy policies and terms of service
  • Revocation: You can revoke MsgFlow's access anytime via your Instagram/Facebook settings or by disconnecting accounts in MsgFlow
  • Platform Approval: MsgFlow operates under Meta's App Review process. Features may be limited during development mode until full approval is granted.
  • API Limitations: Service functionality is subject to Meta's API rate limits and platform availability

We are not responsible for Meta's data practices or changes to their platform that may affect MsgFlow's functionality.

4.2 Essential Service Providers

We use the following trusted third-party service providers to operate MsgFlow:

Supabase (Database & Authentication)

  • Purpose: PostgreSQL database, user authentication, session management
  • Data Shared: All user account data, messages, comments, connected account info
  • Location: Cloud-hosted (compliance: ISO 27001, SOC 2 Type II)
  • Privacy Policy: supabase.com/privacy

Stripe (Payment Processing)

  • Purpose: Subscription billing and payment processing
  • Data Shared: Email, name, billing information (Stripe handles all payment card data)
  • Location: Global (PCI DSS Level 1 certified)
  • Privacy Policy: stripe.com/privacy

Sentry (Error Tracking)

  • Purpose: Application error monitoring and debugging
  • Data Shared: Error logs, stack traces, browser info, IP address (NO message content)
  • Location: US-based with EU data residency options
  • Privacy Policy: sentry.io/privacy

Vercel (Hosting & Analytics)

  • Purpose: Application hosting, deployment, and usage analytics
  • Data Shared: Page views, geographic data, device info, performance metrics
  • Location: Global edge network
  • Privacy Policy: vercel.com/legal/privacy-policy

Google OAuth (Optional Sign-In)

  • Purpose: Alternative authentication method
  • Data Shared: Email address and basic profile info (only if you choose Google sign-in)
  • Privacy Policy: policies.google.com/privacy

These service providers are contractually obligated to protect your data, use it only for the purposes we specify, and comply with applicable data protection laws. We conduct due diligence to ensure they maintain appropriate security measures.

4.3 International Data Transfers

Some of our service providers are located outside the UK/EEA (particularly in the US). When we transfer your data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Data Processing Agreements with all third-party processors
  • Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework)
  • Technical and organizational security measures (encryption, access controls)

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We never have, and we never will.

We only share your personal data in the following limited circumstances:

  • With Your Explicit Consent: When you authorize us to share specific information (e.g., connecting Instagram/Facebook accounts)
  • Service Providers: With third-party processors listed in Section 4 who help operate MsgFlow (under strict data processing agreements and confidentiality obligations)
  • Legal Obligations: When required by law, court order, subpoena, or valid legal process (we will notify you unless legally prohibited)
  • Protection of Rights: To enforce our Terms of Service, detect fraud, protect the security of MsgFlow, or protect the rights and safety of our users
  • Business Transfers: If MsgFlow is acquired or merged, your data may be transferred to the new owner (we will notify you and ensure the same privacy protections apply)
  • Anonymized Data: We may share aggregated, anonymized statistics that cannot identify you personally

6. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and Data Protection Act 2018, you have the following rights regarding your personal data:

6.1 Right of Access (Subject Access Request)

You have the right to request a copy of all personal data we hold about you. We will provide this information free of charge in a commonly used electronic format within 30 days. Contact contact@msgflow.app with "Subject Access Request" in the subject line.

6.2 Right to Rectification

You can update or correct inaccurate information directly in your account settings (profile name, avatar, timezone). For corrections requiring our assistance, contact contact@msgflow.app.

6.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated personal data. Your account will be marked for deletion and permanently removed after 30 days, along with all messages, comments, conversations, and connected account data. Anonymized usage statistics (which cannot identify you) may be retained for analytics.

To delete your account: Go to Settings → Account → Delete Account, or contact contact@msgflow.app.

6.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV). Contact contact@msgflow.app to request a data export, and we will provide it within 30 days.

6.5 Right to Restriction of Processing

You can request that we restrict processing of your data in certain circumstances (e.g., while we verify accuracy or process a deletion request). During this period, we will store your data but not actively process it.

6.6 Right to Object

You have the right to object to processing based on legitimate interests. You can object to marketing communications at any time by clicking unsubscribe in emails or updating your preferences in account settings.

6.7 Right to Withdraw Consent

Where processing is based on your consent (e.g., marketing emails, social media account connections), you can withdraw consent at any time:

  • Marketing emails: Click unsubscribe or update account settings
  • Instagram/Facebook access: Disconnect accounts in MsgFlow settings or revoke access via Instagram/Facebook app settings
  • Analytics cookies: Adjust browser cookie settings

6.8 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO (Information Commissioner's Office)

Website: ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first at contact@msgflow.app so we can address your concerns directly.

6.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: contact@msgflow.app
  • Response Time: We will respond within 30 days (1 month)
  • Verification: We may need to verify your identity before processing requests to protect your data security
  • Free of Charge: Exercising these rights is free, unless requests are manifestly unfounded or excessive

7. Data Retention and Deletion

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations. Under UK GDPR's data minimization principle, we have implemented the following retention schedule:

7.1 Active Account Data

  • Account Information: Retained while your account is active
  • Messages and Comments: Retained while your account is active and social media accounts remain connected
  • Access Tokens: Automatically refreshed every 60 days; expired tokens are deleted
  • Connected Accounts: When you disconnect a social media account, all associated messages, comments, conversations, and media references are permanently deleted via cascade deletion

7.2 Account Deletion (30-Day Grace Period)

When you request account deletion or delete your account:

  • Grace Period: Your account is marked for deletion and enters a 30-day grace period during which you can still recover it
  • Permanent Deletion: After 30 days, your account and ALL associated personal data are permanently deleted, including:
    • Account credentials and profile information
    • All messages, comments, and conversations
    • Connected social media account tokens and data
    • Message reactions and engagement metadata
    • Search history and preferences
  • Payment Data: Subscription and billing data handled by Stripe is deleted in accordance with financial record-keeping requirements (typically 7 years for tax purposes)

7.3 Event Logs and Audit Data (2-Year Retention + Anonymization)

Important: For security, fraud prevention, and legal compliance, we retain event logs with identifiers for 2 years. After 2 years, all personally identifiable information is automatically anonymized. Anonymized data (which cannot identify you) may be retained indefinitely for usage analytics and service improvements.

  • 0-2 Years: Event logs contain user IDs, account IDs, and timestamps for security auditing and troubleshooting
  • After 2 Years: All personal identifiers (user ID, email, IP address, account ID) are automatically removed via scheduled job
  • Anonymized Forever: Only aggregated, anonymized statistics remain (e.g., "100 messages sent on January 15" without any user identification)
  • GDPR Compliance: Anonymized data is not considered personal data under UK GDPR and can be retained for historical analytics

7.4 Backup Retention

  • Daily Backups: Automated database backups are created daily
  • 7-Day Retention: Backups are retained for 7 days, then automatically deleted
  • Account Deletion in Backups: If you delete your account, it may still appear in backups for up to 7 days before being permanently removed

7.5 Legal and Financial Retention

  • Financial Records: Payment and billing data (processed by Stripe) retained for 7 years to comply with UK tax law
  • Legal Holds: If data is subject to legal proceedings, court orders, or investigations, retention may be extended until the matter is resolved
  • Regulatory Requirements: Data may be retained longer if required by law, regulation, or valid legal process

Summary of Retention Periods:

  • Active account data: Retained while account is active
  • Deleted accounts: 30-day grace period → permanent deletion
  • Event logs: 2 years with identifiers → anonymized indefinitely
  • Backups: 7 days
  • Financial records: 7 years (Stripe/tax compliance)
  • Anonymized analytics: Indefinitely (GDPR-compliant)

8. Cookies and Tracking Technologies

MsgFlow uses cookies and similar technologies to provide and improve our service:

8.1 Essential Cookies (Always Active)

  • Supabase Session Cookies: Required for authentication and maintaining your logged-in state (httpOnly, secure, SameSite)
  • Security Tokens: JWT tokens for API authentication and CSRF protection

8.2 Analytics Cookies (Optional)

  • Vercel Analytics: Anonymous usage statistics (page views, performance metrics, geographic data)
  • Google Analytics (if enabled): Website traffic analysis and user behavior patterns

8.3 Managing Cookies

You can control cookies through your browser settings:

  • Block all cookies (may prevent you from using MsgFlow)
  • Delete existing cookies
  • Allow only first-party cookies (blocks third-party tracking)
  • Receive notifications when cookies are set

Note: Disabling essential cookies will prevent you from logging in and using MsgFlow. Analytics cookies are optional and can be blocked without affecting functionality.

9. Children's Privacy and Age Restrictions

Age Requirement: 13+
MsgFlow is intended for users aged 13 and above, in accordance with Instagram and Facebook's Terms of Service. We do not knowingly collect or process personal data from children under 13.

9.1 Compliance with Children's Privacy Laws

  • UK GDPR: We comply with special protections for children under the Data Protection Act 2018
  • Age Verification: By creating an account, you represent that you are at least 13 years old
  • Platform Requirements: Instagram requires users to be 13+; Facebook requires 13+

9.2 If We Discover Underage Accounts

If we become aware that we have collected personal data from a child under 13, we will:

  • Immediately delete the account and all associated data
  • Notify the email address on file (if applicable)
  • Remove data from backups within 7 days

If you believe we have inadvertently collected data from a child under 13, please contact contact@msgflow.app immediately.

10. Regional Privacy Rights

10.1 UK/EEA Residents (UK GDPR)

All rights outlined in Section 6 apply to UK and EEA residents, including:

  • Right of access and data portability
  • Right to rectification and erasure
  • Right to restriction and objection
  • Right to withdraw consent
  • Right to lodge a complaint with ICO or your local data protection authority

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of personal information collected, used, and shared in the past 12 months
  • Right to Delete: Request deletion of your personal information (subject to legal exceptions)
  • Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Limit Sensitive Data: We do not use sensitive personal information for purposes requiring opt-out rights

Important: We do NOT sell your personal information. We do NOT share your data for cross-context behavioral advertising.

10.3 Australian Residents (Privacy Act 1988)

Australian residents can request access to and correction of personal information under the Australian Privacy Principles (APPs). Contact contact@msgflow.app to exercise these rights.

10.4 Other Jurisdictions

We respect privacy rights worldwide. If you are located in a jurisdiction with specific privacy laws, contact contact@msgflow.app to exercise your rights.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

11.1 Notification of Changes

When we make material changes to this Privacy Policy:

  • We will update the "Last Updated" date at the top of this page
  • We will notify you via email to the address associated with your account
  • We may display a prominent notice within the MsgFlow application
  • For significant changes affecting your rights, we may require you to review and accept the updated policy before continuing to use MsgFlow

11.2 Effective Date and Acceptance

  • Minor Changes: Take effect immediately upon posting
  • Material Changes: Take effect 30 days after notification (you may delete your account within this period if you disagree)
  • Continued Use: Your continued use of MsgFlow after changes take effect constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

12. Contact Us and Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, or wish to exercise your rights under UK GDPR, please contact us:

General Inquiries & Data Protection

Email: contact@msgflow.app

Company Information

Data Controller: [COMPANY NAME] Ltd

Registered in: England and Wales

Registered Office: [ADDRESS TO BE CONFIRMED]

ICO Registration: [NUMBER TO BE CONFIRMED]

12.1 Response Times

  • Subject Access Requests: Within 30 days (1 month) under UK GDPR
  • Data Deletion Requests: Processed within 30 days, permanent deletion after 30-day grace period
  • General Inquiries: We aim to respond within 5-7 business days
  • Complaints: Acknowledged within 48 hours, resolved within 30 days

For urgent security or privacy concerns, please mark your email as "URGENT" in the subject line.

Summary

By using MsgFlow, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. We are committed to protecting your privacy and complying with UK GDPR and applicable data protection laws.

Key Takeaways:

  • We do not sell your personal data
  • You have full control over your data with comprehensive rights under UK GDPR
  • Data is encrypted and stored securely with industry-leading providers
  • Event logs are anonymized after 2 years for privacy protection
  • You can delete your account anytime with a 30-day grace period
  • Marketing emails are opt-in only (never automatic)
  • Minimum age: 13+ (Instagram/Facebook requirement)