Privacy Policy

Last updated: May 3, 2025

1. Who we are

FlowTok ("we", "our", "us") is a TikTok scheduling service. We are not affiliated with TikTok or ByteDance Ltd. For privacy-related inquiries, contact us at flowtok@asytnyk.com.

2. What data we collect

  • Identity data — your name, email address, and profile picture from Google Sign-In.
  • TikTok tokens — OAuth access and refresh tokens, encrypted at rest with AES-256-GCM, used solely to publish posts on your behalf.
  • TikTok profile data — your TikTok username and avatar URL, fetched at account connection.
  • Video files — videos you upload are stored temporarily and deleted automatically within 48 hours of publication or failure.
  • Post metadata — captions, scheduled times, publish status, and error logs.
  • Technical data — your timezone, collected once on first login to schedule posts correctly.

We do not collect payment information, browsing history, or any data beyond what is needed to operate the service.

3. Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract performance — to provide the scheduling service you signed up for.
  • Legitimate interests — to detect abuse, improve reliability, and send critical service notifications.
  • Legal obligation — where required by applicable law.

We do not process your data based on consent, so there is no consent to withdraw. You may object to processing based on legitimate interests at any time.

4. How we use your data

  • To authenticate you and maintain your session.
  • To publish scheduled posts to TikTok on your behalf at the requested time.
  • To send transactional emails about failed posts or accounts requiring re-authentication.
  • To operate background jobs (validation, token refresh, storage cleanup).

We do not sell, rent, or share your personal data with third parties for advertising, analytics resale, or any commercial purpose unrelated to operating the service.

5. TikTok API usage

FlowTok uses the official TikTok Content Posting API and requests only the following permissions:

  • user.info.basic — read your TikTok Open ID, display name, and avatar to identify your account within FlowTok.
  • video.publish — publish video content directly to your TikTok profile on your behalf at the time you schedule.
  • video.upload — upload video content as a draft to your TikTok account for further editing before posting.

We do not access your TikTok followers, direct messages, comments, likes, analytics, or any data beyond the permissions listed above.

6. Data sharing

We share your data only with the following sub-processors, strictly to operate the service:

  • Google OAuth — for authentication.
  • TikTok API — for publishing content you explicitly schedule.
  • Cloud infrastructure providers — for hosting, database, and file storage (data processed under DPAs).
  • Resend — for transactional email delivery.

7. International data transfers

Your data may be processed in countries outside your own, including outside the EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms.

8. Data retention

  • Video files are deleted within 48 hours after posting or failure.
  • Post records and account data are retained while your account is active.
  • Upon account deletion, all personal data is permanently deleted within 30 days.

9. Security

TikTok tokens are encrypted with AES-256-GCM before storage. All data is transmitted over HTTPS/TLS. Access to production systems is restricted to authorized personnel only.

10. Your rights (EEA / GDPR)

If you are in the EEA, you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we limit processing of your data.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at flowtok@asytnyk.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

11. Your rights (California / CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete — request deletion of your personal information.
  • Right to Opt-Out of Sale — we do not sell personal information. No opt-out is necessary.
  • Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.

To submit a CCPA request, contact us at flowtok@asytnyk.com. We will respond within 45 days as required by law.

12. Cookies

We use only a single session cookie required for authentication. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

13. Children's privacy

FlowTok is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact us and we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users by email of material changes. The "Last updated" date at the top reflects the most recent revision.

15. Contact

For any privacy-related questions or requests, email us at flowtok@asytnyk.com. We aim to respond within 5 business days.