Last updated · May 13, 2026
What we collect, why, how we protect it, and the choices you have. We never sell your data, never train AI on it, and never request more access than the surface you use needs.
Floowzy is an AI-powered media intelligence platform operated by Floowzy Labs LLC (company formation in progress). This Privacy Policy explains what we collect, why, how we protect it, and the choices you have. Floowzy is independent — we are not affiliated with, endorsed by, or partnered with Meta, Google, TikTok, Snap, or X.
Account data (name, email, workspace identifiers), platform OAuth tokens (AES-256-GCM encrypted at rest), the ad performance data the connected platforms expose to us under your authorization (campaign / ad-set / ad metadata + insights), billing data processed by Stripe (we never store full card numbers), and product analytics. We never sell personal data and we never request more scopes than the surface you use needs.
To run the service: pull insights from the ad accounts you connect, generate reports and AI commentary, surface anomalies, and let you collaborate with your team. We minimize collection — if a feature doesn't need a field, we don't ask. Where consent is the legal basis, you can withdraw it at any time without affecting the lawfulness of prior processing.
When you connect an ad platform, we receive OAuth tokens scoped to read-only access. The scopes we request are limited to what's necessary to render reports and insights — for Meta: ads_read, business_management, read_insights. We never modify, pause, or create ads on your behalf. Tokens are encrypted with AES-256-GCM before being persisted; the encryption key is held in a server-only environment and rotated quarterly. You can revoke access at any time from your platform's Business Integrations settings or from Floowzy's Integrations page. Platform-initiated deletion webhooks (e.g., Meta's signed-request callback) are honored within seconds.
When you opt into AI commentary, anonymized ad-performance summaries are sent to Anthropic for inference. We never send personally identifiable information, customer lists, or billing data to AI providers. Inference outputs are stored alongside your reports and are deleted when you delete the source report or your account.
We use Stripe to process payments. Card details are entered directly into Stripe's PCI-DSS Level 1 environment and never reach Floowzy's servers. We retain invoice records for the period required by applicable tax law (typically 7 years).
Production data is stored in Supabase (Postgres). All connections use TLS 1.2 or higher. OAuth tokens are encrypted at rest with AES-256-GCM. Daily encrypted backups are retained for 30 days then rotated.
Supabase (database + auth), Vercel (hosting), Anthropic (AI commentary), Stripe (billing). Additional subprocessors may be added with 30-day notice; the current list is maintained on this page and at /security.
Account data: while your account is active and for up to 30 days after deletion request (for audit-log compliance), then permanently purged. OAuth tokens: until you revoke them. Billing records: as required by applicable tax law (commonly 7 years). Backups: 30-day rolling rotation.
Access, correction, export, deletion, restriction, and objection to processing. Where applicable (GDPR, CCPA, similar laws), you also have the right to data portability and to lodge a complaint with a supervisory authority. You can delete your account and all associated data at /data-deletion or by emailing privacy@floowzy.online — both routes complete within minutes for user-initiated deletes, within 24 hours for platform-initiated.
Where personal data is transferred outside its country of origin, we rely on Standard Contractual Clauses or equivalent safeguards. A copy is available on request to privacy@floowzy.online.
Floowzy is not directed to children under 16 and we do not knowingly collect data from them. If you believe a child has provided us with data, contact privacy@floowzy.online and we will delete it.
We update this policy when our practices change. Material changes are announced via email at least 30 days in advance and reflected in the 'last updated' date above. Continued use of Floowzy after the effective date means acceptance.
privacy@floowzy.online — every email is answered by a human within 30 days, usually within 24 hours. For data deletion requests, see /data-deletion. For our Data Processing Addendum, see /dpa.