GDPR Compliance
Last updated: February 25, 2026
FlowSmartly is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements, your rights as a data subject, and how to exercise those rights.
1. Introduction
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to the processing of personal data of individuals in the European Union (EU) and European Economic Area (EEA).
FlowSmartly processes personal data in accordance with GDPR principles:
- Lawfulness, Fairness, and Transparency: We process data lawfully and provide clear information about our practices.
- Purpose Limitation: We collect data for specific, explicit purposes and do not use it for incompatible purposes.
- Data Minimization: We collect only the data necessary to provide our services.
- Accuracy: We take steps to ensure personal data is accurate and up to date.
- Storage Limitation: We retain personal data only as long as necessary.
- Integrity and Confidentiality: We implement appropriate security measures to protect your data.
- Accountability: We take responsibility for GDPR compliance and can demonstrate it.
2. Legal Basis for Processing
We process your personal data under the following legal bases:
Consent (Article 6(1)(a) GDPR)
When you create an account, connect social media accounts (Facebook, Instagram, Google), or subscribe to marketing communications, you provide explicit consent for us to process your personal data for those specific purposes.
Contract Performance (Article 6(1)(b) GDPR)
Processing is necessary to perform our contract with you, including providing access to our platform, delivering services you purchase (AI content generation, social media scheduling, SMS marketing), and processing payments.
Legitimate Interests (Article 6(1)(f) GDPR)
We may process data based on our legitimate interests, such as fraud prevention, security monitoring, improving our services, and analytics, provided these interests do not override your fundamental rights and freedoms.
Legal Obligations (Article 6(1)(c) GDPR)
We process data when required to comply with legal obligations, such as tax laws, anti-money laundering regulations, and court orders.
3. Data We Collect
We collect and process the following categories of personal data:
Account Information
- Name, email address, username
- Password (stored in hashed form)
- Profile picture, bio, social links
- Country and region
- Account creation date and last login
OAuth/Social Login Data
- OAuth provider ID (Google, Facebook)
- Email address from OAuth provider
- Profile name and picture from OAuth provider
- OAuth access tokens (encrypted)
Payment Information
- Billing address
- Transaction history
- Subscription plan details
- Credit card information (processed by Stripe, not stored by us)
Usage Data
- IP address, browser type, device information
- Pages visited, features used, time spent on platform
- Referring URLs and search terms
- Session logs and activity timestamps
Content You Create
- Social media posts, captions, images, videos
- AI-generated content (text, images)
- SMS campaign messages and contact lists
- Scheduled posts and campaign data
5. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you, including account information, usage logs, content you created, and data from connected social media accounts.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data. We will comply unless we have a legal obligation to retain certain data (e.g., tax records, fraud prevention logs).
Right to Restriction of Processing (Article 18)
You can request that we limit how we process your data in certain situations, such as when you contest the accuracy of data or object to processing.
Right to Data Portability (Article 20)
You can request a machine-readable copy of your personal data to transfer to another service provider.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint (Article 77)
You have the right to file a complaint with your local data protection authority if you believe we have violated GDPR.
To exercise any of these rights, contact us at info@flowsmartly.com. We will respond within 30 days.
6. Data Deletion Instructions
You can request deletion of your personal data at any time. Here's how:
Method 1: Self-Service Account Deletion
- Log in to your FlowSmartly account
- Go to Settings → Account
- Scroll to the "Delete Account" section
- Click "Delete My Account"
- Confirm deletion (this action cannot be undone)
Method 2: Email Request
Send an email to info@flowsmartly.com with the subject line "GDPR Data Deletion Request" and include:
- Your full name
- Email address associated with your account
- Username (if known)
- A brief statement: "I request deletion of all my personal data under GDPR Article 17."
What Gets Deleted
When you request account deletion, we will permanently delete:
- Your account credentials (email, username, password)
- Profile information (name, bio, avatar)
- OAuth tokens for connected social media accounts
- Content you created (posts, images, campaigns)
- Contact lists and SMS campaign data
- Session logs and usage analytics
Data We Retain (Legal Exceptions)
We may retain certain data for legal or legitimate business reasons:
- Transaction records for tax and accounting purposes (7 years)
- Fraud prevention and security logs (2 years)
- Data required for ongoing legal disputes or investigations
- Aggregated, anonymized analytics data (no personal identifiers)
Processing Time
Deletion requests are processed within 30 days. You will receive a confirmation email once your data has been deleted. Backups may take up to 90 days to be fully purged from our systems.
7. Third-Party Data Sharing
We share personal data with the following third-party service providers to deliver our services:
Facebook / Meta Platforms
Purpose: OAuth login, posting to Facebook Pages and Instagram, fetching engagement metrics
Data Shared: Access tokens, Page IDs, Instagram account IDs, post content
Privacy Policy: facebook.com/privacy/policy
Google LLC
Purpose: OAuth login, Google Ads campaign management
Data Shared: Email, profile name, OAuth tokens, ad campaign data
Privacy Policy: policies.google.com/privacy
Stripe, Inc.
Purpose: Payment processing, subscription management
Data Shared: Email, billing address, payment card information
Privacy Policy: stripe.com/privacy
OpenAI, L.L.C.
Purpose: AI content generation, image generation
Data Shared: Content prompts, generated text and images
Privacy Policy: openai.com/policies/privacy-policy
Twilio Inc.
Purpose: SMS message delivery
Data Shared: Phone numbers, message content, delivery status
Privacy Policy: twilio.com/legal/privacy
All third-party processors are required to comply with GDPR and implement appropriate data protection measures.
8. Data Retention Periods
We retain personal data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Service delivery |
| OAuth tokens | Until disconnected | Social media posting |
| Transaction records | 7 years | Tax and legal compliance |
| SMS campaign logs | 3 years | TCPA compliance |
| Session logs | 90 days | Security monitoring |
| Analytics data | 2 years (anonymized) | Service improvement |
| Fraud prevention logs | 2 years | Security and fraud detection |
9. International Data Transfers
FlowSmartly is operated from the United States. If you are located in the EU/EEA, your personal data may be transferred to and processed in the United States or other countries outside the EU/EEA.
We ensure appropriate safeguards for international transfers:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our third-party processors.
- Adequacy Decisions: Where available, we rely on EU adequacy decisions for certain countries.
- Data Processing Agreements: All processors sign GDPR-compliant Data Processing Agreements (DPAs).
10. Contact Our Data Protection Officer
For any questions about GDPR compliance, data processing, or to exercise your rights, please contact our Data Protection Officer:
EU Data Protection Authorities
If you are not satisfied with our response to your GDPR request, you have the right to lodge a complaint with your local supervisory authority:
4. Social Media Data from Facebook & Instagram
When you connect your Facebook, Instagram, or Google accounts to FlowSmartly, we access and process specific data from these platforms to provide our services.
Facebook & Instagram Data We Access
How We Use This Data
Important: We only access data you explicitly grant permission for during OAuth login. We do not access your personal Facebook feed, private messages, or friends list. We only interact with Pages and Instagram accounts you manage.
Revoking Social Media Access
You can revoke FlowSmartly's access to your Facebook or Instagram data at any time:
After revoking access, we will no longer be able to post on your behalf or fetch new data. Existing data will be retained according to our data retention policy unless you request deletion.