Privacy Policy

Last updated: March 22, 2026

FireBreath ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our social media scheduling and publishing platform.

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada. If you are located in the European Economic Area, we also respect your rights under the General Data Protection Regulation (GDPR).

1. Information We Collect

1.1 Information You Provide

  • Account information: Email address, display name, password (hashed), avatar, timezone preference
  • Organization information: Organization name, team member invitations
  • Content: Post text, captions, media files (images, videos), scheduling preferences, tags
  • Payment information: Billing details processed securely through Stripe (we do not store card numbers)

1.2 Information From Connected Accounts

When you connect social media accounts, we receive:

  • Account identifiers: Platform user IDs, page/profile names, avatars
  • OAuth tokens: Access and refresh tokens (encrypted with AES-256-CBC before storage)
  • Published content: Posts, engagement metrics (likes, comments, shares, reach) when you use the sync or analytics features

We only request permissions necessary to provide the Service. You can review connected account permissions on your Accounts page and revoke access at any time.

1.3 Information Collected Automatically

  • Usage data: Pages visited, features used, actions taken within the Service
  • Device information: Browser type, operating system, screen resolution
  • Log data: IP address, request timestamps, referrer URLs
  • Cookies: Authentication session cookies (see our Cookie Policy)

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Publish and schedule your social media content as directed
  • Generate AI-powered caption suggestions (content is processed but not stored for AI training)
  • Display analytics and engagement metrics for your connected accounts
  • Process payments and manage subscriptions
  • Send transactional emails (account confirmations, team invitations, password resets)
  • Provide customer support
  • Detect and prevent fraud, abuse, or security issues
  • Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information. We share your information only in these cases:

  • Social media platforms: To publish content and retrieve analytics as you direct
  • Service providers: Third-party services that help us operate (listed below)
  • Team members: Other members of your organization can see shared content and analytics
  • Legal requirements: When required by law, subpoena, or to protect rights and safety
  • Business transfers: In connection with a merger, acquisition, or asset sale

3.1 Third-Party Service Providers

  • Supabase: Database, authentication, and file storage (hosted in the US/Canada)
  • Vercel: Application hosting and deployment
  • Stripe: Payment processing (PCI-DSS compliant)
  • Upstash: Job queue infrastructure (Redis)
  • Anthropic: AI caption generation (content processed per request, not retained for training)

4. Data Security

We implement industry-standard security measures to protect your information:

  • OAuth tokens are encrypted with AES-256-CBC before database storage
  • Passwords are hashed using bcrypt (handled by Supabase Auth)
  • All data in transit is encrypted via HTTPS/TLS
  • Row-Level Security (RLS) policies ensure data isolation between organizations
  • Service role keys are never exposed to client-side code
  • Regular security reviews of authentication and authorization flows

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Retention

  • Account data: Retained while your account is active
  • Post content: Retained while your account is active; soft-deleted posts are kept for 90 days
  • Analytics data: Cached engagement metrics are retained for 12 months
  • OAuth tokens: Retained until you disconnect the account or they expire
  • After account deletion: All data is permanently deleted within 30 days of account termination

6. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information
  • Portability: Request your data in a portable, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing of your data for certain purposes
  • Withdraw consent: Withdraw consent at any time where we rely on consent for processing

To exercise any of these rights, please contact us at privacy@firebreath.app. We will respond within 30 days.

7. International Data Transfers

Your information may be processed in countries outside your own, including Canada and the United States, where our service providers operate. We ensure that appropriate safeguards are in place for any international data transfers.

8. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address or through a prominent notice on the Service. The "Last updated" date at the top of this page indicates when this policy was most recently revised.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: