Privacy Policy
Last updated: April 18, 2026
1. Introduction
OmisFlow (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our content automation platform (“the Service”). Please read this Privacy Policy carefully. By using the Service, you consent to the data practices described in this policy.
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Password (hashed, never stored in plain text)
- Account creation date and login timestamps
2.2 WordPress Site Credentials
To connect your WordPress sites, you provide site URLs and WordPress Application Passwords. These credentials are encrypted at rest using AES-256-GCM with a server-side encryption key. Credentials are only decrypted at the moment of use (to make WordPress REST API calls on your behalf) and are never logged, displayed in full, or transmitted to any third party.
2.3 Third-Party API Keys (BYOK)
The Service operates on a Bring Your Own Key (BYOK) model for AI providers and image generation services. When you provide API keys for services such as OpenRouter, Fal.ai, Replicate, Together.ai, or Stability AI, these keys are:
- Encrypted at rest using AES-256-GCM, the same standard used for WordPress credentials
- Never logged in application logs, error reports, or analytics
- Never shared with any third party — keys are only used to make API requests to the provider you selected
- Decrypted only at the moment of use to execute AI generation requests on your behalf
- Deletable at any time through your account settings — deletion is immediate and permanent
We do not monitor, meter, or throttle your usage of third-party services. Any charges from third-party AI providers are between you and the provider — OmisFlow does not add markups or intermediary fees on BYOK usage.
2.4 Social Media Credentials
When you connect social media accounts (Pinterest, Facebook, Instagram), OAuth access tokens and refresh tokens are encrypted at rest using the same AES-256-GCM encryption. These tokens are used solely to publish content on your behalf and are never shared with third parties.
2.5 Content Data
We store the following content data that you create or import through the Service:
- WordPress posts mirrored from your connected sites (titles, excerpts, categories, SEO metadata)
- Generated content (articles, pin descriptions, social media posts)
- Generated and uploaded images (stored in your WordPress media library or Supabase Storage)
- Pinterest pin data (titles, descriptions, board assignments, scheduling data)
- Content calendar events and scheduling history
2.6 Usage and Analytics Data
We automatically collect:
- Feature usage metrics (generation counts, export counts) for plan quota enforcement
- Error logs (stripped of credentials and personal content) for debugging
- Session data (managed by Supabase Auth) for authentication purposes
We do not use third-party analytics trackers, advertising pixels, or behavioral profiling tools.
3. How We Use Your Data
We use the collected data exclusively for:
- Providing and maintaining the Service functionality
- Syncing your WordPress content and executing API requests on your behalf
- Processing AI generation requests using your provided API keys
- Managing your subscription and enforcing plan quotas
- Sending transactional emails (account verification, billing notifications, support replies)
- Diagnosing technical issues and improving Service reliability
We do not sell, rent, or trade your personal data to third parties. We do not use your content, API keys, or WordPress credentials for training AI models.
4. Data Storage and Security
Your data is stored in Supabase (hosted PostgreSQL) with the following security measures:
- Encryption at rest: All sensitive credentials (WordPress passwords, API keys, social tokens) are encrypted using AES-256-GCM before storage
- Row-Level Security (RLS): PostgreSQL RLS policies ensure users can only access their own data
- HTTPS only: All data in transit is encrypted via TLS 1.2+
- No plain-text credential storage: Passwords are hashed; API keys and tokens are encrypted
- Minimal access: Only the application server accesses the database — no shared credentials or open ports
5. Third-Party Services
The Service integrates with the following third-party services. Data shared with each is limited to what is necessary for the integration:
Paddle (Payment Processor)
Paddle acts as our Merchant of Record and receives your email address and payment information to process subscriptions. Paddle's privacy policy applies to payment data: paddle.com/legal/privacy
Supabase (Infrastructure)
Supabase hosts our database and authentication system. Supabase's privacy policy: supabase.com/privacy
AI Providers (BYOK)
When you use BYOK API keys, your prompts and generation requests are sent directly to the selected provider (OpenRouter, Fal.ai, Replicate, etc.) using your own credentials. Each provider's privacy policy governs its handling of your data. We do not retain copies of prompts or generated output beyond what is stored in your account.
Resend (Transactional Email)
Resend processes transactional emails (account verification, billing notifications, support). Only your email address and message content are shared with Resend.
6. Cookies
The Service uses minimal cookies:
- Authentication cookies: Session cookies managed by Supabase Auth to keep you logged in (essential, cannot be disabled)
- Affiliate tracking cookie: If you arrive via an affiliate link, a cookie stores the referral code for 90 days to attribute the referral. This cookie contains only the referral code — no personal information
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
7. Data Retention
- Active accounts: Data is retained for the duration of your subscription
- Cancelled accounts: Your data is retained for 30 days after cancellation to allow reactivation, then permanently deleted
- Account deletion: Upon request or self-service deletion, all data (including encrypted credentials, content, and usage history) is permanently removed within 30 days
- Billing records: Paddle retains transaction records as required by tax law. OmisFlow does not store payment card details
8. Your Rights
Depending on your location, you may have the following rights under applicable data protection laws (including GDPR and CCPA):
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data (right to be forgotten)
- Portability: Export your content as CSV files at any time through the Service
- Restriction: Request restriction of processing of your personal data
- Objection: Object to processing of your personal data for specific purposes
- Withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@omisflow.com. We will respond to all requests within 30 days.
9. International Data Transfers
Your data may be processed in countries outside your country of residence. We ensure that appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) where required. Our infrastructure providers (Supabase, Paddle) maintain their own data protection agreements and compliance certifications.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date. We encourage you to review this Privacy Policy periodically for any changes.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@omisflow.com
- General support: support@omisflow.com