This Privacy Policy describes how Thoughtfluence, Inc. (“Thoughtfluence,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our website at www.thoughtfluence.io, our embeddable widget, our bio-link pages, and related services (collectively, the “Service”). By using the Service, you agree to the practices described here.
1. Information We Collect
1.1 Information you provide directly
- Account information: email address, display name, password (hashed), and profile details.
- Creator profile content: links, handles, bio, theme settings, and uploaded media.
- Billing information when you subscribe to a paid plan (processed by Stripe; we do not store full card numbers).
- Communications you send to us, including support requests.
1.2 Information from third-party platforms (OAuth)
When you connect a third-party platform (such as Google/YouTube, Meta/Facebook, Instagram, X, Twitch, Spotify, GitHub, Substack, Patreon, Bluesky, Mastodon, or TikTok), we receive information that platform shares with us based on the scopes you authorize. This may include account identifiers, public profile details, page or channel metadata, follow/subscription status, and short-lived OAuth access and refresh tokens. We never request scopes broader than necessary for the feature you are using.
1.3 Information collected automatically
- Device and connection data: IP address, user agent, referrer, language, and approximate location derived from IP.
- Usage data: widget loads, click events on platform tiles, follow events (including whether the follow was completed via OAuth or initiated via deep-link), session timestamps, and page views.
- Cookies and similar technologies for authentication, security, and analytics. See “Cookies” below.
2. How We Use Information
- To operate, maintain, and provide features of the Service you have requested.
- To authenticate your account and protect against fraud, abuse, and unauthorized access.
- To execute follow, subscribe, and similar actions on third-party platforms when and only when you direct us to.
- To compute aggregated analytics (such as audience overlap and conversion rates) for the creator whose Service you are using.
- To send transactional messages (account, security, billing) and, with your consent, product updates.
- To comply with law and enforce our Terms of Service.
3. Legal Bases (EEA / UK)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal data on the following legal bases: (a) performance of a contract when you use the Service; (b) your consent for optional features such as marketing emails or non-essential cookies; (c) legitimate interests in operating, securing, and improving the Service; and (d) compliance with legal obligations.
4. Provider-Specific Disclosures
4.1 Google API Services User Data — Limited Use
4.2 Meta Platform Data (Facebook, Instagram, Threads)
Information we receive from Meta platforms is used solely to provide the Thoughtfluence features you have authorized. We do not sell or license Meta Platform Data, do not use it to make decisions that produce legal or similarly significant effects, and delete it within thirty (30) days when you disconnect a Meta account, delete your Thoughtfluence account, or revoke our access via Facebook Settings → Apps and Websites. See /deletion for instructions.
4.3 X (Twitter) Developer Data
Content and information we receive via the X API is used only for the Thoughtfluence features you have authorized and is handled in accordance with X’s Developer Agreement and Policy. We do not redistribute X content beyond what those terms permit, and we honor user deletions and protected-status changes by purging affected records on next sync.
4.4 TikTok, Twitch, Snap, Spotify, Substack, Patreon, GitHub, Bluesky, Mastodon
For each of these providers, we use data we receive only for the user-authorized feature, retain only what is necessary to operate that feature, and delete it on disconnect or account deletion subject to the timelines in “Data Retention” below. Our use complies with each provider’s developer terms.
5. How We Share Information
- Service providers / sub-processors: Supabase (database, authentication, storage), our hosting provider (Vercel or equivalent), Stripe (billing), email-delivery providers, Google (Tag Manager and Google Analytics, for aggregate usage analytics), PostHog (product analytics), and our cookie-consent provider (Cookiebot). These parties access information only to perform services for us under contract.
- Third-party platforms you connect: when you authorize a follow or subscribe action, we send the necessary request to that platform.
- Creators whose Service you visit: aggregated, non-identifying analytics about widget interactions are visible to the creator. We do not share individual fan identities with creators unless you opt in via a fan account or email-capture form.
- Legal & safety: when required by law, subpoena, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you.
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
6. Cookies and Similar Technologies
We use a small number of cookies and similar technologies, grouped into the categories below. On your first visit from the EEA, the United Kingdom, or Switzerland, a consent banner (provided by our consent-management platform, Cookiebot) asks you to accept or reject non-essential cookies before any are set. We honor that choice through Google Consent Mode, which keeps analytics and advertising storage disabled until you opt in.
- Strictly necessary — authentication, session, and security cookies (for example, our Supabase login session). These are always active and cannot be disabled, because the Service cannot function without them.
- Analytics — set only after you consent, these help us understand aggregate, non-identifying usage such as page views and navigation paths. We use Google Tag Manager, Google Analytics, and PostHog (product analytics) for this.
- Advertising — we do not currently set advertising or cross-site tracking cookies.
You can change or withdraw your consent at any time using the Cookie settings link in the site footer, and you can review the full, automatically updated list of cookies in our Cookie Declaration. You can also control cookies through your browser settings; disabling strictly necessary cookies will prevent the Service from functioning.
7. Data Retention
- Active account data: retained while your account is active.
- Deleted account data: purged within 30 days of deletion, except where law requires longer retention (e.g., tax or fraud records, up to 7 years).
- OAuth tokens: revoked on disconnect; deleted within 24 hours.
- Aggregated and de-identified analytics: retained indefinitely.
8. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal information, and to object to certain processing. Residents of California have additional rights under the CCPA, including the right to know the categories of personal information collected and the right to opt out of any “sale” or “sharing” (we do not sell or share for targeted advertising). To exercise any of these rights, see /deletion or email privacy@thoughtfluence.io. We will respond within the time required by applicable law (typically 30–45 days).
9. Children’s Privacy
The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction; 16 in much of the EEA). We do not knowingly collect personal information from children. If we learn we have collected information from a child without verifiable parental consent, we will delete it promptly.
10. International Data Transfers
We are based in the United States and may transfer, process, and store information in the United States and other countries. Where required, we use Standard Contractual Clauses or other lawful transfer mechanisms.
11. Security
We use industry-standard safeguards including TLS in transit, encryption at rest for sensitive fields (including OAuth refresh tokens), least-privilege access controls, and audit logging. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced through the Service or by email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
Questions, requests, or complaints can be sent to privacy@thoughtfluence.io, or by mail to Thoughtfluence, Inc., c/o Privacy, Delaware, USA.