Last updated · May 13, 2026

Security & Data Use

How we protect your data and your customers' data. Read-only access to ad platforms, encryption at every layer, and no data resale — ever.

Read-only access to your ad platforms

Floowzy connects to Meta, Google, TikTok, Snap, and X through their official OAuth flows under read-only scopes. We never modify, pause, create, or delete ads, campaigns, audiences, or pixels on your behalf. The scopes we request are the minimum required to render reports and insights — for Meta: ads_read, business_management, read_insights.

Encryption

TLS 1.2+ in transit between every Floowzy surface and our servers. AES-256-GCM at rest for OAuth tokens. AES-256 at rest for the rest of the database via Supabase-managed encryption. Encryption keys are held in a server-only environment, never shipped to the browser, and rotated quarterly.

Access control

Row-level security on every Postgres table — a user can only ever see data scoped to workspaces they belong to. Service-role keys never reach the browser bundle. Internal team access requires hardware-key MFA and SSO with rotating credentials. Access logs are retained for 90 days for forensic review.

Hosting & sub-processors

Floowzy runs on Vercel (compute, edge, CDN) and Supabase (Postgres, auth, file storage). Stripe handles all card processing in a PCI-DSS Level 1 environment — Floowzy never sees or stores raw card numbers. Anthropic processes opt-in AI commentary on anonymized summaries. No other sub-processors are used at time of writing.

Backups & disaster recovery

Daily encrypted backups with 30-day retention, managed by Supabase. Point-in-time recovery available for the last 7 days. Backups are stored in the same region as production with cross-region replication for disaster recovery.

No data resale

We never sell, rent, or trade your data. We never use your ad performance data to train AI models. We never share your data with third parties except the sub-processors listed above (and only the minimum data each needs to provide its function).

No third-party tracking pixels

The Floowzy app surface does not load Meta Pixel, Google Ads conversion pixels, TikTok Pixel, or similar third-party advertising/retargeting trackers. The marketing site uses privacy-respecting analytics with IP anonymization.

Compliance roadmap

Floowzy is privacy-by-design and aligned with GDPR and CCPA principles even ahead of formal certifications. SOC 2 Type II audit is on the post-launch roadmap. Annual third-party penetration testing is planned once we exit the pre-launch phase.

Incident response

We notify affected customers of material data-impacting incidents within 72 hours of confirmation, by email to the primary account address. We commit to publishing post-mortems for outages that affect more than 5% of users.

Vulnerability disclosure

Responsible disclosure is welcomed. Email security@floowzy.online with reproduction steps. We acknowledge within 2 business days and provide a remediation timeline within 7 days. We don't pursue legal action against researchers who follow this policy in good faith.

Contact

Security questions: security@floowzy.online. Privacy questions: privacy@floowzy.online. Both routes are monitored by humans during business days.