Skip to content
Shaflex
Shaflex

Last updated: March 18, 2026

Privacy Policy

This Privacy Policy explains how Shaflex ("we", "our", or "us") collects, uses, and protects your information when you use our content publishing platform. It applies to all users of the Shaflex website, applications, and related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Introduction

Shaflex is a platform that helps creators publish and manage content across multiple social media platforms from one place. We respect your privacy and are committed to protecting your personal data and being transparent about how it's used. This Privacy Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.

2. Information We Collect

2.1 Personal Information

When you create an account or use our Service, we may collect:

  • Email address
  • Name or username
  • Account credentials
  • Payment information (processed securely through third-party payment providers; we do not store full credit card numbers)
  • Social media account tokens (OAuth tokens used to connect your accounts for publishing)
  • Profile information you choose to provide

2.2 Usage Data

We may collect information about how you use Shaflex, including:

  • Pages visited and navigation paths
  • Features used and interaction patterns
  • Posting activity and scheduling history
  • Device type, operating system, and browser information
  • IP address and approximate geographic location
  • Referring URLs and search terms

2.3 Social Media Integration Data

When you connect your social media accounts to Shaflex, we may collect and process:

  • OAuth tokens and authentication credentials required to post on your behalf
  • Content you create, draft, and publish through the Service
  • Analytics and engagement data from your connected platforms (such as likes, shares, impressions, and follower counts)
  • Profile information from connected accounts (such as display name and profile picture)

We only access the permissions you explicitly grant during the OAuth authorization flow. You may revoke access at any time through your Shaflex account settings or directly through the connected platform.

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies on our Service. The categories of cookies we use are:

  • Necessary Cookies: Essential for the Service to function properly. These include session cookies for maintaining your login state and authentication cookies for securing your account. These cannot be disabled.
  • Analytics Cookies: We use PostHog to collect anonymized usage data and understand how users interact with our platform. This helps us improve features and identify issues. Analytics cookies are only set with your consent.

We do not use marketing or advertising cookies. We do not serve third-party advertisements or track you across other websites. You can manage your cookie preferences at any time through our cookie consent banner or your browser settings.

3. Legal Basis for Processing

Under the GDPR and other applicable data protection laws, we process your personal data on the following legal bases:

  • Consent: For analytics cookies and optional data collection. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Performance of a Contract: Processing necessary to deliver the Service you have signed up for, including account management, content publishing, and social media integration.
  • Legitimate Interest: For platform security, fraud prevention, abuse detection, and improving the Service. We balance our interests against your rights and freedoms and only rely on this basis where the impact on you is minimal.
  • Legal Obligation: Where we are required to process your data to comply with applicable laws or regulations.

4. How We Use Your Information

We use the collected information to:

  • Provide, operate, and maintain the Shaflex Service
  • Authenticate your identity and manage your account
  • Publish and schedule content to your connected social media accounts
  • Display analytics and engagement data from your connected platforms
  • Improve features, performance, and user experience
  • Communicate with you about your account, updates, and support requests
  • Ensure platform security, prevent abuse, and detect fraud
  • Comply with legal obligations and enforce our Terms of Service

5. How We Share Information

We may share your information with the following categories of service providers, solely for the purposes of operating and improving the Service:

  • Hosting: Vercel, for website and application hosting
  • Analytics: PostHog, for anonymized usage analytics
  • Email: Resend, for transactional and account-related emails
  • Database: Secure cloud database providers for data storage and authentication
  • Payments: Processed through third-party payment providers for subscription and billing management

We require all service providers to process your data only on our instructions and in accordance with applicable data protection laws. We may also share information when required by law, in response to valid legal process, or to protect the rights, property, or safety of Shaflex and its users.

We do not sell or share personal data for advertising purposes.

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy. Specific retention periods are as follows:

  • Account data: Retained while your account is active. After you request account deletion, your data will be permanently removed within 30 days, unless retention is required by law.
  • Analytics data: Anonymized usage data is retained for up to 26 months to identify trends and improve the Service.
  • Necessary cookies: Session cookies expire when you close your browser. Authentication cookies expire after your session ends or after a reasonable inactivity period.
  • Analytics cookies: Expire after 12 months from the date they are set.
  • Legal obligations: Certain data may be retained longer if required to comply with applicable laws, resolve disputes, or enforce our agreements.

7. Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it. These measures include:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Personal data stored in our databases is encrypted at rest.
  • OAuth token security: Social media OAuth tokens are stored securely using encryption and are never exposed to client-side code.
  • Security practices: We review and improve our security measures on an ongoing basis as the platform evolves.
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.

However, no method of transmission over the internet or method of electronic storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law without undue delay.

8. Your Rights

All Users: Regardless of your location, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your personal data
  • Withdraw consent for data processing where consent is the legal basis

GDPR Rights (EU/EEA Users): If you are located in the European Union or European Economic Area, you additionally have the right to:

  • Data portability — receive your personal data in a structured, commonly used, machine-readable format
  • Restriction of processing — request that we limit how we use your data
  • Object to processing — object to processing based on legitimate interests
  • Lodge a complaint with your local data protection supervisory authority

CCPA/CPRA Rights (California Residents): If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information (note: we do not sell or share your personal data for advertising)
  • Non-discrimination — we will not discriminate against you for exercising your privacy rights

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@shaflex.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

9. Third-Party Services

Shaflex integrates with third-party social media platforms to enable content publishing and analytics. These platforms include, but are not limited to:

  • X (formerly Twitter)
  • LinkedIn
  • Threads
  • Bluesky
  • Mastodon

Each of these platforms is governed by its own privacy policy and terms of service. When you connect a social media account to Shaflex, we access only the data and permissions you explicitly authorize through the OAuth flow. We encourage you to review the privacy policies of any third-party platforms you connect to Shaflex.

We are not responsible for the privacy practices, data collection, or content policies of these third-party services.

10. Children's Privacy

Shaflex is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16 years of age, in compliance with GDPR requirements. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe a child under 16 has provided us with personal data, please contact us at support@shaflex.com.

11. International Data Transfers

Your information may be processed and stored in countries outside your place of residence, including countries outside the European Economic Area (EEA), where data protection laws may differ from those in your jurisdiction.

When we transfer personal data outside the EEA, we take steps to ensure appropriate safeguards are in place. Our third-party service providers (such as Vercel) maintain their own data protection commitments, which may include Standard Contractual Clauses or reliance on adequacy decisions by the European Commission.

For questions about how we protect your data during international transfers, please contact us at support@shaflex.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Any changes will be posted on this page with an updated "Last updated" date. For material changes, we will make reasonable efforts to notify you via email or through a prominent notice on the Service. We encourage you to review this Privacy Policy periodically.

13. Contact Information

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Email: support@shaflex.com

For GDPR inquiries, contact our data protection contact at support@shaflex.com.