Privacy Policy
Last updated: December 2026
1. Who we are
StopFlag ("we", "us") is a compliance scanning tool for short-form video creators, operated by [LEGAL ENTITY NAME] based in [COUNTRY / STATE]. You can reach us at [privacy@stopflag.com].
2. What we collect
- Account info. Email address, display name, and authentication tokens when you sign in (email/password or Google).
- Content you upload. Videos, images, audio, captions, and hashtags you submit for scanning or use to build a reel.
- Scan results. AI-generated compliance flags, transcripts, frame extracts, and metadata derived from your content.
- Connected platform data. If you connect Instagram or TikTok, we receive the profile info and permissions you grant during OAuth (e.g. username, account ID, access token). We never receive your platform password.
- Billing info. Stripe processes payments on our behalf and returns a customer ID, subscription status, and the last four digits of your card. We do not store full card numbers.
- Operational data. Basic request logs, error reports, and push notification subscriptions if you opt in.
3. How we use it
- To run compliance scans and generate the reports you requested.
- To publish content to your connected Instagram or TikTok account, only when you click Publish.
- To manage your account, billing, and subscription tier.
- To send transactional and (only if you opt in) reminder notifications.
- To improve the product (aggregated, de-identified usage patterns only — we do not train third-party AI models on your content).
4. AI processing
Compliance scans use Google's Gemini models via the Lovable AI Gateway. Your video frames, transcripts, captions, and hashtags are sent to that model only to generate the scan result returned to you. We do not authorize the model provider to train on your content. Scan inputs and outputs are stored in our database tied to your account so you can revisit past reports.
5. Sharing & subprocessors
We do not sell your data. We share it only with the vendors that run StopFlag:
- Lovable Cloud — hosting, database, authentication, storage.
- Lovable AI Gateway (Google Gemini) — compliance analysis.
- Stripe — payment processing.
- Meta / TikTok — only when you connect your account and click Publish, and only the post payload you authorized.
- Web push providers — only if you opt into browser notifications.
6. Storage & security
Data is stored on Lovable Cloud infrastructure with row-level security policies that limit access to your own account. Traffic is served over HTTPS. Access tokens for connected platforms are stored encrypted at rest by the platform.
We do not claim SOC 2, ISO 27001, HIPAA, or PCI compliance for StopFlag itself. Stripe handles cardholder data and is PCI-DSS compliant in its own right.
7. Retention
- Account data: kept while your account is active and for [30 days] after deletion to handle billing reversals and abuse investigations, then purged.
- Scans, reels, uploaded media: kept until you delete them, or until account deletion.
- Billing records: retained as required by tax law (typically 7 years).
8. Your rights
You can access, correct, export, or delete your data at any time from the in-app Settings, or by emailing [privacy@stopflag.com]. We honor GDPR (EU/UK) and CCPA (California) requests. See our Data Deletion page for the one-click deletion flow.
9. Children
StopFlag is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect data from them. If you believe a child has signed up, contact us and we will delete the account.
10. Changes
We'll post material changes here and update the "Last updated" date. For breaking changes affecting how we share or process your data, we'll also email you.
11. Contact
Privacy questions: [privacy@stopflag.com]
General contact: [hello@stopflag.com]