Back to Photog Flow

Draft — not legal advice. This page was generated from a starter template and has not been reviewed by an attorney. Landon, please replace this copy with text reviewed by your own counsel before opening public signups.

Privacy Policy

Effective April 22, 2026

1. What we collect

To provide the service, Photog Flow collects a few categories of information. Account data includes your email address, name, business name, timezone, and email signature. Business content is whatever you upload or create inside the app: client contacts, leads, projects, messages, photos uploaded to galleries, invoices, and contracts. Usage data includes page views, feature interactions, IP address, and user-agent strings captured via PostHog. Error data includes stack traces and diagnostic metadata captured via Sentry when something goes wrong.

2. Why we collect it

We use this information to operate the service, to send you transactional email (billing notices, password resets, security alerts), to prevent abuse, to improve the product, and to bill you. We do not use your business content to train AI models.

3. Subprocessors

Photog Flow relies on a small number of third-party subprocessors. Supabase hosts our primary database, authentication, and file storage in the US-East region. Stripe processes payments and is PCI-compliant. Resend delivers transactional email. Sentry captures application errors. PostHog provides product analytics on its US instance. Anthropic powers AI drafting: when you click “Draft with AI,” the prompt and relevant context are sent to Anthropic’s API, processed, and returned as a suggested reply. Vercel will host the production application and will apply as a subprocessor once deployment is live.

4. Data we do not sell

We do not sell your data, your clients’ data, or your business content. We do not share it with advertisers or data brokers.

5. Client data responsibility

For information you upload about your own clients — contacts, communications, photographs, contracts, invoices — Photog Flow acts as a processor and you act as the data controller. You are responsible for telling your clients that you use Photog Flow, for collecting any consent your local laws require, and for handling access, correction, and deletion requests from them.

6. Cookies and tracking

Photog Flow sets essential cookies for authentication and session handling. PostHog sets analytics cookies to help us understand how the product is used. We do not yet ship a cookie consent banner, so visitors in the EU, UK, and similarly-regulated jurisdictions should assume analytics is active until we add one (flagged for Landon). You can opt out of PostHog analytics at any time by clearing cookies or using browser-level Do Not Track equivalents.

7. Your rights

Depending on where you live, you may have rights to access, export, correct, or delete your personal data, and to object to certain kinds of processing. To exercise any of these rights, email privacy@photogflow.app. We’ll respond within the timeframe your local law requires.

8. Data retention

We retain your account data and business content for as long as your account is active. After account deletion we keep the data in a dormant, recoverable state for 30 days — enough time for you to change your mind or export — and then permanently delete it from our primary systems. Encrypted backups age out on their own rotation.

9. Security

We apply row-level security policies on every database table so one business can never read another’s rows. All traffic runs over HTTPS. Data at rest is encrypted by Supabase’s default-provisioned infrastructure. Service-role credentials that bypass row-level security are kept server-side only and are never exposed to the browser.

10. International transfers

Our data is stored in the United States. If you’re in the European Union, the United Kingdom, or another jurisdiction outside the US, using the service means your data crosses borders. We’ll add Standard Contractual Clauses and related safeguards before actively onboarding EU-based businesses (flagged for Landon).

11. Children's data

Photog Flow is a tool for adult professionals. Do not create an account if you are under 16. Photographers who serve minor clients — school portraits, graduation, family shoots involving children — are responsible for obtaining parental or guardian consent before uploading information about those minors to the platform.

12. Changes

We may update this policy as the product evolves. For material changes we’ll send notice to the email address on file before the change takes effect. Continued use of the service after that date counts as acceptance of the updated policy.

13. Contact

Questions, concerns, or data requests? Email privacy@photogflow.app.