Privacy Policy

Effective date: March 1, 2026 · Shy Guy LLC

1. Who we are

Devflair is operated by Shy Guy LLC ("we", "us", "our"), a US company. Our contact email is hello@shyguy.studio.

This policy explains what personal data we collect when you use Devflair at devflair.xyz, why we collect it, and your rights over it.

2. Data we collect

Account data: your email address and password hash, collected when you sign up.

Social account credentials: OAuth tokens for X (Twitter) and Bluesky, stored encrypted in our database. We use these solely to post content on your behalf.

AI API keys: any Anthropic, OpenAI, or Google API keys you optionally provide. These are encrypted at rest using AES-256 and never transmitted to third parties beyond the respective AI provider.

Content you create: drafts, scheduled posts, post history, project names, and diagrams you generate within the app.

Billing data: subscription plan and billing email. Payment card details are handled entirely by Stripe — we never see or store card numbers.

Usage data: standard server logs (IP address, browser, pages visited) retained for up to 90 days for security and debugging purposes.

3. How we use your data

  • To provide and operate the Devflair service
  • To post content to social platforms on your instruction
  • To generate AI-assisted content using your provided API keys or our platform keys
  • To process subscription payments via Stripe
  • To send transactional emails (account confirmation, billing receipts)
  • To debug and improve the service

We do not use your content to train AI models. We do not sell your data to third parties.

4. Legal basis for processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process your data under the following bases:

  • Contract: processing necessary to provide the service you signed up for (account management, posting, scheduling)
  • Legitimate interest: security monitoring, fraud prevention, and service improvement
  • Legal obligation: where required by applicable law
  • Consent: for any optional communications (e.g. product updates)

5. Data processors

We share your data only with processors necessary to operate the service:

  • Supabase (database and authentication) — US, GDPR-compliant, data processed in the US
  • Stripe (payments and billing) — US, GDPR-compliant
  • Modal Labs (serverless compute for video processing) — US, used only when you generate videos
  • Jina AI (URL content extraction) — used only when you use the auto-fill feature
  • Anthropic / OpenAI / Google — AI generation, only when you use AI features. Your content is sent to the provider corresponding to your selected or provided key.

All processors are contractually bound to process data only as instructed and to maintain appropriate security measures.

6. Data retention

We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal or tax purposes (typically up to 7 years for billing records).

Post history and content you create are retained for the life of your account. You can delete individual posts or all content from your settings.

7. Cookies

We use strictly necessary cookies only:

  • Authentication session cookie: keeps you logged in. HttpOnly, Secure, SameSite=Lax.
  • Theme preference: stores your light/dark mode preference. No personal data.

We do not use tracking cookies, advertising cookies, or third-party analytics.

8. Your rights

Depending on your location, you have the following rights:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your account and data
  • Portability: receive your data in a machine-readable format
  • Restriction: ask us to limit processing of your data
  • Objection: object to processing based on legitimate interest
  • Withdraw consent: where processing is based on consent

To exercise any of these rights, email hello@shyguy.studio. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.

9. Data security

We use industry-standard security measures including TLS in transit, AES-256 encryption for sensitive credentials at rest, and row-level security on our database. We do not store plaintext passwords — passwords are hashed using bcrypt via Supabase Auth.

10. International transfers

Devflair is operated from the United States. By using the service, you acknowledge that your data may be transferred to and processed in the US. Where required (e.g., EEA data transfers), we rely on Standard Contractual Clauses or adequacy decisions.

11. Children

Devflair is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have inadvertently collected such data, contact us immediately.

12. Changes to this policy

We may update this policy. We will notify you of material changes via email or an in-app banner. Continued use of the service after changes constitutes acceptance.

13. Contact

Questions about this policy or data requests: hello@shyguy.studio

Shy Guy LLC · United States