Back to SnapFlow

Privacy Policy

Effective date: 9 April 2026 — Last updated: 9 April 2026

1. Data Controller

SnapFlow is operated by the entity listed on our Imprint page. If you have questions about this policy or your personal data, contact us at: noreply@snap-flow.org

2. Data We Collect

  • Account data: Email address, full name, hashed password (bcrypt), account type, and chosen subscription plan.
  • Billing data: Billing name and address for invoice purposes; payment processing is handled entirely by our payment providers (Stripe / PayPal) — we never store card numbers.
  • Usage data: Album names, photo metadata (EXIF capture time, resolution, file size), upload timestamps, and post history.
  • Technical data: IP address (used solely for rate limiting and abuse prevention), HTTP request logs retained for 90 days.
  • Consent record: The timestamp at which you accepted these Terms & Conditions and Privacy Policy during registration.

3. Instagram / Meta Integration

When you connect an Instagram account, SnapFlow requests the following Meta permissions:

  • instagram_business_basic — read your Instagram user ID and username.
  • instagram_business_content_publish — publish feed posts and stories on your behalf.

What we store:

  • Your Instagram user ID and username.
  • Your Meta access token — stored encrypted at rest using Fernet symmetric encryption (AES-128-CBC). No plaintext token is ever written to disk or logged.
  • A daily snapshot of your follower count for use in your analytics dashboard.
  • Post performance metrics (likes, comments, impressions, reach, saves) fetched from the Meta Graph API.

What we do with it:

  • Publish content to Instagram on your explicit instruction.
  • Retrieve engagement analytics so you can track your post performance inside SnapFlow.
  • Your Instagram data is used solely for your own account. It is never shared with other SnapFlow users, sold, or used for any profiling or advertising purpose.

Disconnect at any time: Go to Dashboard → Socials → Accounts and click "Disconnect". This immediately revokes our access and deletes your stored access token and all associated Instagram data from our database.

4. Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Account registration, album management, FTP upload, and gallery sharing.
  • Consent (Art. 6(1)(a)): Connecting your Instagram account and publishing content via the Meta API.
  • Legal obligation (Art. 6(1)(c)): Retention of invoices and billing records as required by German commercial law (§ 257 HGB, § 147 AO).
  • Legitimate interests (Art. 6(1)(f)): IP-based rate limiting and abuse prevention to protect platform integrity.

5. Data Retention

  • Account data: Retained for the lifetime of your account plus 30 days after deletion (to allow recovery).
  • Instagram tokens: Deleted immediately upon disconnection or account deletion.
  • Payment records: Retained for 10 years as required by German law (§ 257 HGB).
  • Server logs: Retained for 90 days, then automatically purged.
  • Photos and albums: Deleted within 30 days of your account deletion request.

6. Sub-processors

We use the following third-party services to deliver SnapFlow:

Provider Purpose Location
Meta PlatformsInstagram API (content publishing, analytics)USA
StripePayment processingUSA / EU
PayPalPayment processingUSA / EU
Hetzner Online GmbHCloud hosting & storage infrastructureGermany / EU

Data transfers to the USA are covered by the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

7. Your Rights (GDPR Art. 15–22)

You have the right to:

  • Access (Art. 15): Request a copy of all personal data we hold about you.
  • Rectification (Art. 16): Correct inaccurate data via your profile settings.
  • Erasure (Art. 17): Request deletion of your account and all associated data.
  • Restriction (Art. 18): Request we restrict processing of your data while a dispute is resolved.
  • Portability (Art. 20): Receive your data in a machine-readable format.
  • Objection (Art. 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact us at noreply@snap-flow.org. We will respond within 30 days.

8. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority. In Germany, you may contact the relevant Federal Commissioner for Data Protection and Freedom of Information (BfDI) or the supervisory authority of the German state in which we operate.

9. Changes to This Policy

We will notify registered users by email at least 14 days before any material changes to this Privacy Policy take effect. Non-material changes (e.g. typo corrections, clarifications) may be made without advance notice. The "Last updated" date at the top of this page always reflects the most recent revision.

Terms & Conditions Imprint