Privacy Policy

This Privacy Policy explains how Flutrbot (“Flutrbot,” “we,” “us,” or “our”) collects, uses, stores, and shares personal data when you use our website, applications, and related services (collectively, the “Service”).

Flutrbot is an AI-powered content engine that helps professionals adapt a single piece of content into platform-native posts for LinkedIn, X/Twitter, and Facebook. We take privacy seriously, and this policy is written to be readable — not just defensible.

This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the Nigeria Data Protection Regulation 2019 (NDPR) and the Nigeria Data Protection Act 2023 (NDPA), and the developer policies of the social platforms we integrate with, including the X Developer Agreement and Policy.

Flutrbot is the data controller for the personal data we process about you. If you are a resident of Nigeria, Flutrbot is registered as a Data Controller with the Nigeria Data Protection Commission (NDPC).

Our Data Protection Officer (DPO) is responsible for overseeing compliance with this policy and with applicable data protection laws. You can reach the DPO at privacy@flutrbot.com.

Information you provide directly

• Account details: name, email address, password (stored as a salted hash), and, if you sign in with Google, your Google profile identifier.
• Brand voice configuration: tone preferences and custom style descriptions you supply to guide content generation.
• Source content: the text, images, and videos you submit to be adapted for each platform. This content belongs to you — we only process it to deliver the Service.
• Billing information: if you subscribe to a paid plan, payment is processed by our payment provider. Flutrbot never stores full card numbers on its own systems.

Information from connected social accounts

• OAuth access and refresh tokens for LinkedIn, X/Twitter, and Facebook, encrypted at rest using AES-256.
• Platform user identifiers required to publish on your behalf, and the identifiers of posts we publish so we can show you their status.
• Your explicit consent timestamps for automated posting on each connected platform.

Information collected automatically

• Device and connection information (browser, operating system, truncated IP address) for security, abuse prevention, and product analytics.
• Usage events (e.g. posts generated, edits applied, publish outcomes) used to improve the Service.
• Cookies and similar technologies — see Cookies below.

We use personal data for the following purposes:

• To deliver the Service — authenticating you, adapting your source content into platform-native variants, scheduling, publishing, and showing you publishing results.
• To keep the Service secure — detecting abuse, preventing fraud, rate-limiting, and responding to security incidents.
• To communicate with you — sending service notifications, responding to support requests, and (only with your consent) marketing messages you can unsubscribe from at any time.
• To comply with our legal obligations — including responding to lawful requests from regulators and retaining records required by law.
• To improve Flutrbot — measuring which features users find valuable and debugging issues. See AI and your content for important limits on how we use your content for model improvement.

Under GDPR and the Nigeria Data Protection Act, we process your personal data on the following bases:

• Performance of a contract — to provide the core Service you sign up for, including generating adaptations, publishing to connected accounts, and billing.
• Explicit consent — for automated posting on your behalf, for optional product improvement contributions, and for marketing communications. You can withdraw consent at any time in your account settings.
• Legitimate interests — to secure the Service, prevent abuse, and conduct limited analytics. We only rely on legitimate interests where your rights do not override ours.
• Compliance with legal obligations — where applicable law requires us to retain or disclose data.

We maintain an internal Register of Processing Activities (RoPA) that records the lawful basis for each processing activity.

Flutrbot uses third-party large language models (currently OpenAI models) to adapt the content you provide. Your source content is sent to the model, together with platform-specific instructions, and the adapted text is returned to you for review.

We do not use your X/Twitter adaptations to train AI models. Consistent with the X Developer Policy, all content generated for X/Twitter — and any edits you make to it — is permanently excluded from any model training pipeline. This exclusion is enforced at the database layer, not just in code, so it cannot be bypassed by a future change.

For LinkedIn and Facebook adaptations, we may use anonymised, aggregated signals (such as whether you edited a generated post) to improve prompt quality. You can opt out of any product improvement contributions at any time in Settings → Privacy.

Our AI subprocessors do not retain your content for training under the data processing agreements we have in place with them. All AI output is passed through a content safety check before being shown to you.

Because X/Twitter imposes specific obligations on developers, we want to be explicit about what we do and do not do with X-related data:

• We never use X data for ad targeting. Flutrbot does not sell, rent, or share X API data with advertising networks or data brokers, regardless of your plan tier.
• We never train AI models on X content. X/Twitter variant text and any user edits to it are permanently excluded from training datasets.
• We never post on your behalf without your explicit approval. Every post requires a deliberate per-post confirmation, and every scheduled post is clearly disclosed to you as automated before it is queued.
• We do not redistribute X content to third parties. Post identifiers are stored only for audit and status display.
• We do not post to trending topics automatically, post identical content across multiple accounts, or send unsolicited automated replies.

Flutrbot does not sell your personal data. We share information only in the following situations:

• Service sub-processors that help us operate the Service under contractual data protection obligations, including:
  • Amazon Web Services (hosting and storage)
  • OpenAI (AI content adaptation)
  • Our payment provider (billing and subscriptions)
  • Sentry (error monitoring)
  • Email delivery providers (transactional email)
• Connected social platforms — LinkedIn, X/Twitter, and Facebook — when you choose to publish or schedule content to those platforms through Flutrbot.
• Legal and safety reasons — where we are required by law to respond to a valid request from a regulator, court, or law enforcement authority, or where disclosure is necessary to protect the rights, property, or safety of users or the public.
• Business transfers — if Flutrbot is involved in a merger, acquisition, or sale of assets, personal data may be transferred. You will be notified before your data becomes subject to a different privacy policy.

Flutrbot operates globally. Personal data may be processed in countries other than the one you reside in — for example, in the United States (where our cloud and AI providers are located) or in the European Union.

Where data is transferred out of the EEA, UK, or Nigeria, we rely on recognised transfer mechanisms such as the European Commission's Standard Contractual Clauses, adequacy decisions, or equivalent safeguards required under the Nigeria Data Protection Act. Our Data Processing Agreements with sub-processors incorporate these safeguards.

We retain personal data only for as long as it is needed:

• Account data: for as long as your account is active, and for a limited period after closure to handle chargebacks, disputes, and legal obligations.
• Source content and adapted variants: up to 24 months after your last activity, unless you delete them sooner.
• OAuth tokens: deleted immediately when you disconnect a social account or close your account.
• AI generation logs: retained for up to 12 months for cost and performance auditing, then anonymised.
• Consent records: retained for regulatory accountability. When you exercise your right to erasure, consent records are anonymised rather than deleted so we can prove that consent was properly obtained at the time.

You have the following rights under GDPR and the Nigeria Data Protection Act. You can exercise most of them directly from Settings → Privacy.

• Right of access. Request a copy of the personal data we hold about you.
• Right to rectification. Correct any personal data that is inaccurate or incomplete.
• Right to erasure. Ask us to delete your personal data. We will hard-delete or fully anonymise it, subject to limited legal retention obligations.
• Right to portability. Receive your posts, settings, and consent records in a machine-readable JSON format that you can move to another service.
• Right to object. Object to processing based on legitimate interests, including opting out of product improvement contributions.
• Right to restrict processing in certain circumstances.
• Right to withdraw consent at any time where consent is the lawful basis for processing.

We respond to verified requests within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the data protection authority in your country — for example, the NDPC in Nigeria, or your local supervisory authority in the EEA or UK.

We apply layered technical and organisational measures to protect your data, including:

• TLS/HTTPS enforced on every endpoint, with strict transport security headers.
• AES-256 encryption at rest for OAuth tokens and other sensitive credentials, backed by a dedicated secrets manager.
• Role-based access controls inside Flutrbot and mandatory multi-factor authentication for employee access to production systems.
• Automated dependency scanning and regular security audits.
• Structured, tamper-resistant audit logs for consent events, data subject requests, and access to production data.

No system is ever perfectly secure. If a breach affects your personal data, we will notify you and the relevant regulator in accordance with applicable law — including the 72-hour notification requirement under GDPR and the Nigeria Data Protection Act.

Flutrbot uses a minimal set of cookies and similar technologies:

• Strictly necessary cookies required for authentication and security. These cannot be disabled if you want to use the Service.
• Preference cookies that remember your theme (light or dark mode) and recent settings.
• Analytics cookies for privacy-respecting product analytics. These are only set with your consent via the cookie banner, and you can withdraw consent at any time.

We do not use third-party advertising cookies and do not sell access to your browsing behaviour.

Flutrbot is not intended for use by children under 16 (or the age required by your local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@flutrbot.com and we will delete it.

We may update this Privacy Policy from time to time to reflect changes in our Service, in applicable law, or in industry practice. Where changes are material, we will notify you in advance by email or via an in-product notice.

The “Last updated” date at the top of this page tells you when this policy was last revised. Prior versions are available on request.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

• Data Protection Officer: privacy@flutrbot.com
• General support: support@flutrbot.com