Privacy Policy

Effective date: January 30, 2025

At a Glance

  • We collect account info, content you upload, technical data, and social analytics you request.
  • We use data to operate the Service, provide analytics, secure accounts, and (if opted-in) send product updates.
  • We do not sell personal information and do not share it for cross-context behavioral ads.
  • Transfers from the EU/UK rely on Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework (and UK Extension) for certified providers.
  • Analytics retention: kept indefinitely for your business intelligence and long-term trend analysis (subject to your rights and applicable law).

1) Who we are & how to contact us

This Privacy Policy explains how ContentFlight (“we,” “us,” “our”) collects, uses, shares, and safeguards information when you use our website and web application (the “Service”).

  • Legal entity: ContentFlight
  • Contact (privacy requests): privacy@contentflight.io
  • Mailing address: 4900 Woodway Dr, Ste 1050, Houston, TX 77056
  • Intended audience: Business users (B2B)

If you are in the EU/UK, the data controller is ContentFlight. If you use ContentFlight on behalf of a company, your company is typically the controller for the business content you connect, and ContentFlight acts as a processor.

2) Scope

This policy applies to the Service and any features that allow you to create, schedule, publish, or analyze social content (e.g., LinkedIn) and to collaborate with teammates. We do not knowingly target or collect data from children under the age of 16.

3) What we collect

A. Information you provide

  • Account & identity: name, email, profile image, role, basic account flags (e.g., product tours viewed), timestamps.
  • Workspace & content: show/series names, episode/clip titles and descriptions, thumbnails and media you upload, transcripts you provide or generate, social post copy, posting metadata (platform, who posted).
  • Collaboration: invitations, team membership, comments/approvals.
  • Optional voice-related content: audio you upload for transcription and any voice “signatures” you choose to generate.

B. Information from your use of the Service

  • Device/technical: IP address, browser/user agent, session/authentication data required to keep you signed in securely.
  • Usage & analytics (social performance): engagement metrics (e.g., impressions, views, clicks, reactions, comments, shares, watch time) fetched from connected platforms at your request.

C. Information from integrated services (you connect)

  • Social/API data (LinkedIn): with your authorization, we obtain the access permissions you grant, plus related identifiers (e.g., pages you manage, post IDs) and analytics for posts you create/manage via the Service.
  • Tokens & connection data: OAuth tokens/refresh tokens required to operate the integration.

We do not collect payment/billing data within the app at this time.

4) How we collect it

  • Directly from you when you create an account, upload content, or invite teammates.
  • From connected platforms (e.g., LinkedIn) via their official APIs, under the permissions you grant.
  • From our application via authentication, logging, and analytics necessary to provide the Service.
  • Cookies/local storage: essential auth/session cookies and local/session storage for sign-in state and OAuth flows. We do not use cross-site behavioral advertising cookies.

5) How we use information

  • Provide and operate the Service (create, schedule, publish, analyze social content; manage workspaces and roles).
  • Account administration & support (teammate invites, status notifications, service messages).
  • Analytics & product improvement (understand feature adoption and performance to improve reliability and UX).
  • Security & abuse prevention (detect fraud/misuse, protect accounts).
  • Marketing communications (if you opt in or as permitted by law; you can unsubscribe at any time).
  • AI-assisted features (e.g., transcription and copy assistance) as described below.

Legal bases (EU/UK): contract performance; legitimate interests (e.g., security, service analytics); consent where required (e.g., certain marketing/AI uses). You can withdraw consent at any time.

6) AI & automated decision-making

  • Services used: AI model providers for text generation and transcription.
  • Inputs: content you submit for those features (e.g., transcripts, titles/descriptions).
  • Model training: We configure AI vendors so that customer content is not used to train their models for our use unless clearly disclosed and consented to.
  • Automations: Scheduling, ranking, and analytics rollups do not produce legal or similarly significant effects. You may request human review.

7) Sharing & processors

We share personal information with service providers that help us run the Service. They are bound by contracts to use data only on our instructions and to protect it.

Categories of providers: hosting & infrastructure, authentication & email delivery, AI & transcription, and social platforms (to publish posts you authorize and retrieve analytics you request).

We do not “sell” personal information and we do not “share” it for cross-context behavioral advertising as defined by the CPRA.

We may disclose information if required by law, to protect safety, or in connection with a corporate transaction (e.g., merger or acquisition).

8) International transfers

We may process and store information in countries different from where you reside (e.g., the United States and other regions where our infrastructure or providers operate). When we transfer personal data from the EU/UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (and the UK Addendum). Where applicable, we also rely on the EU–US Data Privacy Framework (and UK Extension) for certified providers.

9) Security

  • Encryption in transit and at rest
  • Account security with role- and workspace-based access controls
  • Row-level/data-level access policies within our data layer
  • Audit logging and rate limiting appropriate to the Service
  • Restricted secrets/keys and least-privilege access for staff and systems

No system is 100% secure. If we learn of a breach affecting your information, we will notify you and regulators as required by law.

10) Retention

We keep personal information for as long as necessary to provide the Service and for legitimate business needs (e.g., security, analytics, compliance), then delete or de-identify it when no longer needed. Examples:

  • Account & workspace content: retained until you delete it or close the account.
  • Social connections/tokens: retained until you revoke or they expire.
  • Invitations: retained until they expire.
  • Analytics: retained indefinitely for business intelligence and long-term trend analysis, subject to your privacy rights and applicable law (and may be aggregated or de-identified over time).

11) Your privacy choices & rights

A. Global choices

  • Marketing emails: unsubscribe via the link in any message.
  • Connected accounts: disconnect social integrations at any time in the Service or via the social platform.

B. EU/UK (GDPR/UK GDPR)

You have the right to access, correct, delete, and port your personal data, to restrict or object to its processing, and to withdraw consent where processing is based on consent.

C. California (CCPA/CPRA)

California residents have rights to know, correct, and delete personal information, and to opt out of the “sale” or “sharing” of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. You may also limit the use/disclosure of sensitive personal information; we only use sensitive items (e.g., OAuth tokens) to provide the Service.

D. Canada (PIPEDA)

You have rights to access and correct personal information and to file complaints with the OPC.

How to exercise rights: email notifications@notifications.contentflight.io. We may need to verify your identity. Until in-app export is available, we will fulfill access/export/deletion via a secure manual process.

12) Cookies & local storage

We use essential cookies and storage to: keep you signed in, maintain OAuth state/flow, and support core app functionality and security.

We do not use third-party cross-site advertising cookies. You can control cookies via your browser; however, essential cookies are required for the Service to function.

13) Children’s privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will take appropriate steps to remove it.

14) Controller/processor roles with social platforms

For most workspace content and social publishing you configure, your organization is the controller; ContentFlight acts as a processor to operate the features you request. For our own website operations, account management, security, and direct marketing, ContentFlight is the controller.

15) Changes to this policy

We may update this policy to reflect changes to our practices or legal requirements. We will post the updated policy and change the Effective date above. If changes are material, we will provide additional notice (e.g., in-app banner or email) at least 7 days before they take effect.

16) Contact

Questions, requests, or complaints about this policy or your personal information:

privacy@contentflight.io
4900 Woodway Dr, Ste 1050, Houston, TX 77056

CPRA “Notice at Collection” (summary)

  • Categories collected: identifiers (name, email), online activity (technical data), user content (media, transcripts, social post data), professional information (workspace/team). Sensitive PI: authentication/OAuth tokens used only to provide the Service.
  • Purposes: service operation, publishing/analytics you request, security, internal analytics, communications.
  • Retention: analytics retained indefinitely for business intelligence; other categories as outlined in Section 10.
  • Sale/Share: No — we do not sell or share personal information for cross-context behavioral advertising.
  • Rights & contact: see Sections 11 and 16.

Last updated: August 30, 2025