Privacy Policy

• Business Name: To personalize your AI content generation
• Industry Type: To tailor AI content suggestions to your market
• Business Description: To create relevant, on-brand content
• Website URL: To understand your brand and include relevant links

• Facebook Page ID: Identifies which page to post to
• Facebook Page Name: Displays which page is connected
• Page Access Token: Secure permission to post on your behalf (encrypted)

Note: We only access pages you own or manage. We never see your personal Facebook profile or private messages.

• Instagram Business Account ID: Identifies your connected business account
• Instagram Username: Displays which account is connected
• Publishing Permissions: Secure access to post content (encrypted)

Note: Only Instagram Business accounts connected to your Facebook page can be used. Personal Instagram accounts are not supported.

• TikTok User ID: Identifies your TikTok account for posting content
• TikTok Username: Displays which account is connected
• Access Token: Secure permission to publish videos on your behalf (encrypted)
• Refresh Token: Maintains long-term access without re-authentication (encrypted)

Note: We only access posting capabilities. We never see your private messages, followers, or personal TikTok activity.

• LinkedIn Member ID: Identifies your LinkedIn profile or organization page
• Profile/Organization Name: Displays which account is connected
• Access Token: Secure permission to post content and access analytics (encrypted)
• Company Page Access: If applicable, permissions to post to company pages you manage

Note: We only access posting and analytics capabilities. We never see your private connections, messages, or personal profile activities.

• OAuth Scopes Requested: calendar.events (create, update, delete events) and calendar.readonly (read events for availability)
• Event Data Accessed: Event title, description, location, start/end times, time zones, attendee emails, RSVP status, meeting links, and event status
• Creator/Organizer Info: Email and display name of event creators and organizers
• OAuth Tokens: Access and refresh tokens stored with AES-256-GCM encryption at rest
• Connection Metadata: Calendar connection status, calendar ID, and webhook subscription details
• Event References: Event IDs and links for appointments created through our platform

What we do NOT access: We do not access your Google Contacts, Gmail, Google Drive, or any other Google services. We only access the calendar you explicitly connect (defaults to your primary calendar).

• Appointment Sync: We create, update, and delete calendar events to keep your schedule in sync between our platform and Google Calendar
• Availability Checking: We read existing events to show accurate availability and prevent double-booking
• Real-time Sync: Webhook notifications detect changes made directly in Google Calendar and reflect them in our app
• Token Security: OAuth tokens encrypted using AES-256-GCM with a 256-bit encryption key; never stored in plain text
• Webhook Security: Secured with cryptographically random tokens (32 bytes) validated on every notification
• State Validation: OAuth flows use cryptographic nonces and time-limited state tokens (10-minute expiry) to prevent CSRF attacks
• Multi-tenant Isolation: Each business account's calendar tokens and data are isolated by tenant ID

• Disconnect via App: Disconnect anytime from within the app; we revoke tokens with Google, delete webhook subscriptions, and remove all stored tokens
• Disconnect via Google: Revoke access from your Google Account at myaccount.google.com under Security > Third-party apps
• Data Deletion: Contact legal@flomaticai.com to request complete deletion of all Google Calendar integration data; confirmed within 30 days
• Post-Disconnection: Events already created on your Google Calendar remain; our app can no longer access your calendar until you reconnect

Microsoft Graph API Scopes Requested:

• Calendars.ReadWrite: Create, read, update, and delete appointment events and meetings on your Outlook Calendar; list upcoming events; subscribe to change notifications; fetch incremental changes via delta queries
• Mail.Read: Monitor incoming email replies to detect reschedule requests from appointment attendees via Microsoft Graph webhook subscriptions — we do not read the full content of unrelated emails
• User.Read: Retrieve basic profile information (email address, display name, user ID) to identify the connected Microsoft account — used one time during initial connection
• offline_access: Maintain long-term access via refresh tokens so you don't need to re-authorize when your session expires

Event Data Accessed:

• Event subject (title), body/description, and location
• Event start/end times and time zones
• Attendee email addresses and RSVP response status
• Event web links and online meeting join URLs (e.g., Microsoft Teams)
• Event organizer information and event status (confirmed, cancelled, tentative)
• OData ETags for conflict resolution during updates

Basic Profile Data Accessed:

• User ID (internal Microsoft identifier), User Principal Name, mail address, and display name

What we do NOT access: We do not access your OneDrive, SharePoint, Microsoft Teams chats, or any other Microsoft 365 services beyond Calendar and limited Mail. We do not read the full body of your emails — mail monitoring is limited to detecting appointment-related reply notifications. We do not access calendars other than the one you explicitly connect. We do not access your Microsoft contacts or address book.

How We Use Your Data:

• Appointment Sync: We create, update, and delete calendar events and meetings to keep your schedule in sync between our platform and Outlook Calendar
• Meeting Invitations: When appointments include attendees, we create them as Outlook meetings, triggering Outlook's native invitation and cancellation email flow
• Availability Checking: We read existing events via calendar view to show accurate availability and prevent scheduling conflicts
• Real-time Sync: Microsoft Graph webhook subscriptions detect changes you make directly in Outlook Calendar and reflect them in our app; subscriptions are renewed every 3 days
• Incremental Sync: Delta queries efficiently fetch only changed events since the last sync, minimizing data transfer
• Email Reschedule Detection: Inbox notifications detect when attendees reply to appointment emails with reschedule requests

How We Store Your Data:

• OAuth Tokens: Access and refresh tokens encrypted at rest using AES-256-GCM encryption; never stored in plain text in production
• Token Metadata: Non-sensitive metadata (scope granted, token type, expiry time) stored to manage refresh cycles
• Account Information: Email address and account ID of the connected Microsoft account for display and identification
• Connection Status: Calendar connection status, calendar ID, and webhook subscription details (subscription ID, resource path, expiration date)
• Event References: Event IDs and web links for appointments created through our platform — we do not bulk-download or permanently store the full contents of your Outlook Calendar

How We Protect Your Data:

• Encryption at Rest: All OAuth tokens encrypted using AES-256-GCM with a 256-bit encryption key before storage
• Encryption in Transit: All communication with Microsoft Graph API uses HTTPS/TLS encryption
• State Validation: OAuth flows use cryptographic nonces (16 bytes) and random state tokens (32 bytes) with 10-minute expiry to prevent CSRF attacks
• User & Tenant Verification: During OAuth callback, we verify both user ID and tenant ID match the original request, preventing cross-account token injection
• Webhook Security: Webhook subscriptions use the tenant ID as client state, validated on every incoming notification
• Subscription Lifecycle: Webhook subscriptions expire every 3 days and are automatically renewed, limiting the window of exposure
• Least Privilege: We only request the minimum scopes needed for the app's functionality
• Multi-tenant Isolation: Each business account's calendar tokens and data are isolated by tenant ID, preventing cross-account data access

• Disconnect via App: Disconnect anytime from within the app; we delete webhook subscriptions (calendar and mail), remove all stored tokens (access token, refresh token, account email, account ID, token metadata), and update your connection status
• Disconnect via Microsoft: Revoke access from your Microsoft account at account.microsoft.com under Privacy > App access or Security > Apps and services — this immediately revokes all tokens
• Other Providers Unaffected: If you have other calendar providers connected (e.g., Google Calendar), those remain unaffected — only Outlook data is removed
• Data Deletion: Contact legal@flomaticai.com to request complete deletion of all Outlook Calendar integration data, including webhook subscriptions, tokens, account identifiers, and event references; confirmed within 30 days
• Post-Disconnection: Events already created on your Outlook Calendar remain; meetings with attendees may have already sent cancellation notices via Outlook's normal lifecycle; email reschedule detection stops immediately; future appointments will not sync until you reconnect

• Content Goals: What you want to achieve with each post
• Tone Preferences: Professional, casual, friendly, etc.
• Generated Posts: AI-created content and publishing status
• Uploaded Media: Temporarily stored for AI analysis, then deleted