Privacy Policy
Last Updated: January 2025
Effective Date: January 2025
Introduction
Welcome to ChannelFlare (“we,” “our,” or “us”). ChannelFlare is a social media content creation and management platform that helps you create, schedule, and publish content across multiple social media platforms. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your information.
This Privacy Policy explains:
- What information we collect about you
- How we use your information
- How we share your information
- Your rights and choices regarding your information
- How we protect your information
- Third-party services we use
- International data transfers
- How to contact us
By using ChannelFlare, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our service.
1. Information We Collect
1.1 Information You Provide Directly
Account Information
- Email address: Required for account creation and authentication
- Password: Securely hashed using Firebase Authentication
- Display name: Your name as displayed in the application
- Profile picture: Optional profile image
- Authentication methods: Methods used to access your account (email/password, OAuth providers)
Team and Collaboration Information
- Team name and description: Information about teams you create or join
- Team settings: Preferences such as timezone, notification settings, approval workflows
- Team membership details: Your role within teams (admin, approver, creator, viewer)
- Team invitations: Email addresses of users you invite to join teams
Content Information
- Posts: Text content, captions, comments, and media files you create or upload
- Media files: Images, videos, and other media you upload or import from external sources
- Scheduled posts: Post scheduling information, including timestamps and target platforms
- Tags: Custom tags and categories you assign to posts
- Post metadata: Publishing status, platform-specific customizations, publishing history
Social Media Account Connections
- Platform account information: When you connect social media accounts, we collect:
  - Account usernames and display names
  - Profile pictures from connected accounts
  - Account types (personal, business, creator, etc.)
  - Platform-specific capabilities and permissions
- OAuth tokens: Encrypted access tokens and refresh tokens for social media platforms
- Connection metadata: Status of connections, last sync times, error details
Media Source Connections
- Google Drive: Files selected from your Google Drive account
- Google Photos: Photos selected from your Google Photos account
- Dropbox: Files selected from your Dropbox account (if applicable)
- OneDrive: Files selected from your OneDrive account (if applicable)
- OAuth tokens: Encrypted tokens for accessing your media source accounts
Communication Information
- Email communications: Emails we send you (verification emails, invitations, notifications)
- Support communications: Any messages you send to us via support channels
1.2 Information Collected Automatically
Usage Information
- Login timestamps: When you log in and last login time
- Activity logs: API requests, actions taken within the application
- Session information: Refresh tokens and session identifiers
- Device information: IP address, browser type, operating system (collected through logging)
Technical Information
- Correlation IDs: Request identifiers for debugging and support
- Request metadata: HTTP method, path, response status codes, request duration
- Error logs: Error messages and stack traces (used for debugging and improving the service)
Media Processing Information
- Media metadata: Automatically extracted from uploaded files:
  - File dimensions (width, height)
  - File duration (for videos)
  - File size and MIME type
  - Thumbnail images (generated automatically)
1.3 Information from Third-Party Services
When you connect social media accounts or import media from external sources, we may receive additional information from those platforms:
Social Media Platforms
- Instagram (via Facebook): Profile information, account type, media permissions
- Facebook Pages: Page information, admin permissions
- X (Twitter): Profile information, tweet permissions
- LinkedIn: Profile information, organization permissions (for LinkedIn Pages)
- Pinterest: Board and pin permissions, account information
- TikTok: Profile information, video publishing permissions
- YouTube: Channel information, video publishing permissions
- Google Business Profile: Location information, business details
- Threads: Profile information, posting permissions
- Bluesky: Handle and profile information (via AT Protocol)
Media Source Platforms
- Google Drive/Photos: File metadata, file IDs, sharing permissions
- Dropbox: File metadata, file paths, sharing permissions
- OneDrive: File metadata, file paths, sharing permissions
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Service Delivery
- Account management: Create and manage your account, authenticate your identity
- Content management: Store, organize, and manage your posts and media files
- Social media publishing: Publish your content to connected social media platforms
- Scheduled publishing: Schedule and publish posts at designated times using Google Cloud Tasks
- Media processing: Generate thumbnails, extract metadata from uploaded files
- Team collaboration: Enable team-based collaboration, permissions management, and workflows
2.2 Communication
- Email verification: Send verification emails to confirm your email address
- Team invitations: Send invitation emails to users you invite to join teams
- Notifications: Send email notifications based on your preferences (post publishing status, team activities)
- Service updates: Communicate important service updates, security notices, and policy changes
- Support: Respond to your inquiries and provide customer support
2.3 Security and Compliance
- Authentication: Verify your identity when you access the service
- Authorization: Enforce team permissions and access controls
- Fraud prevention: Detect and prevent fraudulent or unauthorized activity
- Security monitoring: Monitor for security threats, unauthorized access, and suspicious activity
- Compliance: Comply with legal obligations and respond to legal requests
2.4 Service Improvement
- Analytics: Analyze usage patterns to improve service functionality and user experience
- Error tracking: Identify and fix bugs, errors, and service issues
- Performance monitoring: Monitor service performance and optimize resource usage
- Feature development: Develop new features based on usage patterns and user feedback
2.5 Legal Basis (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data based on:
- Contractual necessity: To provide the services you have requested
- Legitimate interests: To improve our services, ensure security, and prevent fraud
- Consent: For optional features such as email notifications and marketing communications
- Legal obligations: To comply with applicable laws and regulations
3. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
3.1 With Social Media Platforms
- Content publishing: When you publish posts, we share your content with the selected social media platforms (Instagram, Facebook, X, LinkedIn, etc.)
- Platform authentication: We use OAuth to authenticate with platforms on your behalf using encrypted tokens
3.2 With Team Members
- Team data: Team members can see:
  - Team name and description
  - Posts created by team members (based on role permissions)
  - Media files uploaded to the team
  - Team settings (for admins)
  - Team member list and roles
- User information: Team members can see your display name and profile picture within the team context
3.3 With Service Providers
We use trusted third-party service providers to operate our service:
- Google Cloud Platform (Firebase):
  - Firebase Authentication: User authentication and account management
  - Cloud Firestore: Database for storing user data, posts, teams, and media metadata
  - Firebase Storage: File storage for uploaded media files
  - Google Cloud Logging: Application logs and monitoring
  - Google Cloud Tasks: Scheduled post publishing
  - Google Cloud Functions: Automated media processing (thumbnail generation, metadata extraction)
- Mailjet: Email delivery service for sending verification emails, invitations, and notifications
- Media Source Platforms: When you import media, we access:
  - Google Drive/Photos (via OAuth)
  - Dropbox (via OAuth)
  - OneDrive (via OAuth)
3.4 Legal Requirements
We may disclose your information if required by law or in response to:
- Legal requests: Court orders, subpoenas, or other legal processes
- Government requests: Requests from government authorities or law enforcement agencies
- Compliance: To comply with applicable laws, regulations, or legal obligations
- Protection of rights: To protect our rights, property, or safety, or that of our users or others
- Emergency situations: In emergency situations where we believe disclosure is necessary to prevent harm
3.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control.
3.6 With Your Consent
We may share your information in other ways with your explicit consent.
4. Third-Party Services
4.1 Social Media Platform Integrations
When you connect social media accounts, you authorize us to:
- Access your accounts: Use OAuth 2.0 to authenticate with platforms
- Publish content: Post content to your connected accounts on your behalf
- Manage tokens: Store and refresh OAuth tokens to maintain connections
- Read account information: Access basic profile information (username, display name, profile picture)
OAuth Scopes: Each platform requires specific permissions (scopes) that you grant during connection:
- Instagram/Facebook: pages_show_list, pages_read_engagement, instagram_basic, instagram_content_publish
- X (Twitter): tweet.write, users.read, offline.access
- LinkedIn: r_organization_social, w_organization_social, w_member_social, r_liteprofile, openid, profile, email
- Pinterest: boards:read, boards:write, pins:read, pins:write, user_accounts:read
- TikTok: user.info.basic, video.publish
- YouTube: Channel management and video upload permissions
- Google Business Profile: Location management and post publishing permissions
- Threads: Post publishing permissions
- Bluesky: Handle and app password authentication (not OAuth)
Token Security: OAuth tokens are encrypted before storage in Firestore and are only decrypted when needed for API calls. We never share tokens with third parties except the respective platform APIs.
4.2 Media Source Integrations
When you import media from external sources, you authorize us to:
- Access your files: Read files from Google Drive, Google Photos, Dropbox, or OneDrive
- Import files: Copy or reference files for use in your posts
- Generate thumbnails: Create thumbnail images from imported media
- Store metadata: Store file metadata for organization and search
4.3 Firebase Services
We use Google Firebase services for core functionality:
- Firebase Authentication: Handles user authentication securely
- Cloud Firestore: Stores all application data (users, teams, posts, media metadata)
- Firebase Storage: Stores uploaded media files with team-based organization
- Google Cloud Logging: Collects application logs for monitoring and debugging
- Google Cloud Tasks: Manages scheduled post publishing
- Google Cloud Functions: Processes uploaded media (generates thumbnails, extracts metadata)
Data Location: Firebase data is stored in Google Cloud data centers. See Section 9 (International Data Transfers) for more information.
4.4 Email Service (Mailjet)
We use Mailjet to send transactional emails:
- Email verification: Confirmation emails for account registration
- Team invitations: Invitation emails to join teams
- Notifications: Post publishing status notifications (if enabled)
- Service updates: Important service announcements
Mailjet processes your email address and may collect metadata about email delivery (open rates, click rates) for their own analytics. We do not use this data for marketing purposes.
4.5 Analytics and Monitoring
We use Google Cloud Logging for:
- Application monitoring: Track errors, performance metrics, and system health
- Usage analytics: Understand how features are used (anonymized and aggregated)
- Security monitoring: Detect unauthorized access and suspicious activity
We do not use third-party advertising or tracking services. We do not sell your data or use it for advertising purposes.
5. Data Security
We implement industry-standard security measures to protect your information:
5.1 Authentication and Authorization
- Password security: Passwords are hashed using Firebase Authentication (bcrypt)
- OAuth tokens: Encrypted before storage in Firestore using encryption keys
- Session management: Secure session tokens with expiration
- Multi-factor authentication: Supported via Firebase Authentication (if enabled)
5.2 Data Encryption
- In transit: All data transmitted over the internet is encrypted using TLS/SSL
- At rest: Sensitive data (OAuth tokens) is encrypted before storage
- Firebase Storage: Media files stored in Firebase Storage with access controls
5.3 Access Controls
- Team-based isolation: Data is organized by teams with role-based access controls
- Firestore security rules: Enforced at the database level to prevent unauthorized access
- Storage security rules: Firebase Storage rules restrict access to authenticated team members
- API authentication: All API requests require valid authentication tokens
5.4 Infrastructure Security
- Google Cloud Platform: Hosted on Google Cloud Platform with enterprise-grade security
- Regular security updates: Infrastructure and dependencies are regularly updated
- Monitoring: Continuous monitoring for security threats and vulnerabilities
- Backup and recovery: Regular backups of critical data
5.5 Limitations
While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information. You are responsible for:
- Keeping your password secure: Do not share your password with anyone
- Protecting your account: Log out when using shared devices
- Reviewing permissions: Regularly review connected social media accounts and revoke access if needed
If you suspect unauthorized access to your account, please contact us immediately.
6. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
6.1 Active Accounts
- Account data: Retained while your account is active
- Posts and media: Retained until you delete them or delete your account
- Team data: Retained while you are a member of the team or until the team is deleted
6.2 Deleted Accounts
When you delete your account, we:
- Delete user data: Remove your user profile, preferences, and team memberships
- Delete content: Remove posts and media you created (unless shared with teams)
- Delete connections: Remove all connected social media accounts and stored OAuth tokens
- Delete sessions: Invalidate all active sessions and refresh tokens
Team content: If you created posts or media within a team, this content may remain accessible to other team members after you leave. Team admins can delete team content.
Retention period: Some data may be retained for a limited period after account deletion for:
- Legal compliance: To comply with legal obligations or respond to legal requests
- Fraud prevention: To prevent fraud and abuse
- Dispute resolution: To resolve disputes and enforce agreements
- Backup recovery: Backups may retain data for up to 30 days before permanent deletion
6.3 Logs and Analytics
- Application logs: Retained for up to 90 days for debugging and monitoring
- Error logs: Retained for up to 1 year for service improvement
- Analytics data: Aggregated and anonymized data may be retained indefinitely
6.4 OAuth Tokens
- Active connections: Tokens are retained while social media accounts are connected
- Disconnected accounts: Tokens are deleted immediately when you disconnect an account
- Expired tokens: Expired tokens are refreshed automatically; refresh tokens are retained until you disconnect
7. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
7.1 Access and Portability
- View your data: Access your account information, posts, media, and team memberships through the application
- Export your data: Request a copy of your data in a machine-readable format
- Data portability: Export your posts and media for use in other services
7.2 Correction and Updates
- Update account information: Modify your display name, profile picture, and preferences in account settings
- Correct inaccurate data: Request correction of inaccurate personal information
7.3 Deletion
- Delete your account: Delete your account and all associated data through account settings
- Delete content: Delete individual posts and media files
- Disconnect accounts: Remove connected social media accounts at any time
- Leave teams: Leave teams you no longer wish to be part of
7.4 Restriction and Objection
- Restrict processing: Request restriction of processing of your personal information
- Object to processing: Object to processing based on legitimate interests
7.5 Consent Withdrawal
- Email preferences: Unsubscribe from email notifications in account settings
- OAuth permissions: Revoke OAuth permissions by disconnecting social media accounts
- Cookie preferences: Manage cookie preferences through browser settings
7.6 Exercising Your Rights
To exercise your rights:
- Through the application: Most rights can be exercised through account settings
- By email: Contact us at [privacy@ChannelFlare.com] (or your support email) with your request
- Verification: We may require verification of your identity before processing requests
Response time: We will respond to your request within 30 days (or as required by applicable law).
Right to appeal: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
7.7 California Privacy Rights (CCPA)
If you are a California resident, you have additional rights:
- Right to know: Request information about personal information we collect, use, and disclose
- Right to delete: Request deletion of your personal information (subject to exceptions)
- Right to opt-out: Opt-out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
8. Cookies and Tracking Technologies
8.1 Cookies
We use cookies and similar technologies for:
- Authentication: Session management and authentication tokens
- Security: CSRF protection and security measures
- Functionality: Remembering your preferences and settings
Session cookies: We use session cookies that expire when you close your browser.
Persistent cookies: We may use persistent cookies for authentication tokens (with expiration dates).
8.2 Third-Party Cookies
We do not use third-party advertising or tracking cookies. However, social media platforms may set cookies when you use their OAuth flows. These cookies are governed by the respective platform’s privacy policies.
8.3 Managing Cookies
You can control cookies through your browser settings:
- Disable cookies: Most browsers allow you to disable cookies, though this may affect functionality
- Delete cookies: Clear cookies at any time through browser settings
- Private browsing: Use private/incognito mode to prevent cookie storage
9. International Data Transfers
9.1 Data Location
Your information may be stored and processed in:
- Google Cloud Platform data centers: Located in multiple regions worldwide
- Firebase services: Data may be stored in data centers in the United States, European Union, or other regions
- Backup locations: Backups may be stored in additional regions for disaster recovery
9.2 Transfer Mechanisms
For transfers outside the European Economic Area (EEA), we rely on:
- Standard Contractual Clauses (SCCs): Approved by the European Commission
- Google Cloud Platform: Uses SCCs and other appropriate safeguards for international transfers
- Adequacy decisions: Where applicable, transfers to countries with adequacy decisions
9.3 Your Consent
By using our service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.
10. Children’s Privacy
ChannelFlare is not intended for users under the age of 13 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children under 13.
If you believe we have collected information from a child under 13, please contact us immediately. We will delete such information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices or services
- Legal or regulatory requirements
- Industry standards and best practices
Notification of changes: We will notify you of material changes by:
- Email: Sending an email to your registered email address
- In-app notification: Displaying a notice in the application
- Updated date: Updating the “Last Updated” date at the top of this policy
Continued use: Your continued use of ChannelFlare after changes become effective constitutes acceptance of the updated Privacy Policy.
Review: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: [privacy@ChannelFlare.com] (replace with your actual email)
Support: [support@ChannelFlare.com] (replace with your actual support email)
Data Protection Officer (if applicable):
[DPO contact information]
Mailing Address (if applicable):
[Company Name]
[Address]
[City, State, ZIP]
[Country]
13. Additional Information
13.1 Data Controller
[Company Name] is the data controller responsible for your personal information. If you have questions about data processing, please contact us using the information above.
13.2 Regional Variations
This Privacy Policy is designed to comply with:
- GDPR: General Data Protection Regulation (European Union)
- CCPA: California Consumer Privacy Act (California, USA)
- Other applicable laws: We comply with privacy laws in jurisdictions where we operate
If you are located in a jurisdiction with specific privacy requirements, additional provisions may apply.
13.3 Third-Party Links
Our service may contain links to third-party websites or services (e.g., social media platforms). We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies.
Document Version: 1.0
This Privacy Policy is effective as of the date stated above and applies to all users of ChannelFlare. By using our service, you acknowledge that you have read and understood this Privacy Policy.