Privacy policy
How Shortflow collects, processes and retains your personal data, in line with the EU General Data Protection Regulation (GDPR).
Last updated: May 12, 2026
Data controller
YOM AKAKPO EI (Entreprise Individuelle (EI), trade name: Leandre), 60 Rue François 1er, 75008 Paris, France. Contact: contact@leandre.io.
Data we collect
Account data
- Email, display name, hashed password.
- Account creation date, last sign-in, preferred language.
Connected platform data
- YouTube and TikTok OAuth tokens (encrypted at rest with AES-256-GCM, never logged). You can revoke them at any time from the Connections page.
- Channel id and public name, public metrics (views, likes, comments) gathered via the official APIs.
Technical data
- IP address, user-agent, access logs (90 days).
- Session cookie, MCP audit log entries.
Billing data
- Processed exclusively by Stripe, our payment processor (PCI-DSS). We keep the Stripe customer id and subscription history.
Purposes
- Operate the multi-platform publishing service.
- Authenticate users and secure sessions.
- Bill subscriptions and manage renewals.
- Detect and prevent fraud or abuse.
- Reach out about the service (material changes, invoices, operational notifications).
Legal basis
- Performance of the service contract (account, publishing, billing).
- Legitimate interest (security, audit, fraud prevention).
- Legal obligation (invoicing, accounting retention).
- Consent (non-essential cookies, opt-in push notifications).
Retention
- Active account: while the subscription remains active.
- Inactive account: deleted on request, otherwise anonymized after 3 years.
- Access logs: 90 days.
- Billing data: 10 years (accounting obligation).
- Revoked OAuth tokens: deleted immediately.
Recipients
We never sell your data. The only recipients are:
- Hetzner Online GmbH (application hosting).
- Stripe (payment processing).
- Resend (transactional email delivery).
- YouTube and TikTok (only to publish on your behalf).
- French judicial or administrative authority on a duly executed legal request.
Transfers outside the EU
Some sub-processors (Stripe, Vercel, Resend) are based in the United States. Transfers are framed by EU Standard Contractual Clauses or by the Data Privacy Framework valid at the time of the transfer.
Your rights
Under GDPR you have the following rights:
- Access, rectification, erasure of your data.
- Restriction and objection to processing.
- Data portability (export in a readable format).
- Withdraw consent at any time.
- Set post-mortem directives.
- Lodge a complaint with the CNIL if your rights are not respected.
To exercise these rights, write to contact@leandre.io. We respond within 30 days.
Security
Tokens encrypted at rest (AES-256-GCM), passwords hashed (bcrypt), traffic over HTTPS, per-key API audit log. No system is bulletproof — if a breach is likely to result in a high risk, we'll notify you without undue delay as required by GDPR article 34.
Google / YouTube data
Shortflow uses YouTube API Services. By using the YouTube integration you also agree to the YouTube Terms of Service and the Google Privacy Policy. You can revoke Shortflow's access at any time via the Permissions page of your Google account.
Google scopes requested and their purpose
- youtube.upload: upload videos to the channels you authorize, only on your explicit request (a "Publish" click in the web UI or an MCP/REST call triggered by your code).
- youtube.force-ssl: edit the title, description, tags and privacy of videos you've published through Shortflow.
- yt-analytics.readonly: read view counts, watch time, retention and demographics of your videos to power the Analytics dashboard.
Limited Use disclosure: Shortflow's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. YouTube channel data is never used to train AI models, is not sold, and is not exposed to other users. It is only used to execute the operations you ask us to perform (publish, read your metrics, edit your videos).
TikTok data
The TikTok integration uses the TikTok Content Posting API and the TikTok Login Kit. By using it you also agree to the TikTok Terms of Service and the TikTok Privacy Policy.
TikTok scopes requested and their purpose
- user.info.basic, user.info.profile, user.info.stats: display the connected account name and its public stats (followers, etc.) in the dashboard.
- video.upload, video.publish: publish videos to your TikTok account, only on your explicit request.
- video.list: list your published videos for the Analytics page.
You can revoke Shortflow's access to your TikTok account at any time from your TikTok account settings.