Legal
Privacy Policy
Last updated: July 5, 2026
This Privacy Policy explains how UGCflow ("UGCflow", "we", "us") collects, uses, shares, and protects personal data when you use our platform, visit our website, or communicate with us. For data in your workspace that you control (for example creator lists you upload), we generally act as a processor on your behalf; for account, billing, and usage data we act as the controller.
1. Data we collect
Account and billing data
- Name, email address, company name, and role.
- Plan, payment status, and billing history (payment card details are processed by our payment provider and never stored by us).
Workspace and campaign data
- Brand profiles, campaign settings, briefs, and UGC scripts.
- Creator information you upload or that the Service gathers for you, such as names, handles, follower statistics, contact details, past collaboration notes, and outreach messages.
- Delivered content, including videos and automatically generated transcripts.
Connected advertising accounts
- When you connect a Meta ad account, we retrieve campaign and creative data and performance metrics (for example spend, purchases, ROAS, CPA, CTR, and hook rates) through Meta's APIs, based on the permissions you grant. We access this data only to provide the Service and handle it in accordance with the Meta Platform Terms.
Usage and device data
- Log data such as IP address, browser type, pages viewed, and actions taken in the app, used for security, debugging, and product analytics.
- Local storage on your device for functional preferences, such as your light or dark theme setting.
2. How we use data
- To provide and operate the Service: sourcing and matching creators, managing outreach, generating briefs and scripts, analyzing ad performance, and reviewing content.
- To secure the Service, prevent abuse, and troubleshoot problems.
- To communicate with you about the Service, including transactional emails and, with your consent where required, product news.
- To improve the Service, including developing and training the machine-learning models behind features such as creator matching, script generation, and performance prediction. For this purpose we use data that has been aggregated across customers or de-identified so it no longer identifies you, your brand, or any individual. We do not use your identifiable workspace data to train models made available to other customers, and we do not sell personal data.
- To comply with legal obligations.
3. Legal bases (GDPR)
Where the GDPR applies, we process personal data on these bases:
- Contract: providing the Service you signed up for.
- Legitimate interests: securing and improving the Service, preventing fraud, and communicating with business users, balanced against your rights.
- Consent: where required, for example for marketing emails or non-essential cookies. You can withdraw consent at any time.
- Legal obligation: for example tax and accounting requirements.
4. Creator data
The Service processes information about creators, such as public profile information, engagement statistics, contact details, and message history, on behalf of our customers so they can run UGC campaigns. If you are a creator and want to know what data a brand holds about you, or want it corrected or deleted, you can contact the brand directly or email us at privacy@ugcflow.com and we will assist.
5. How we share data
- Service providers: hosting, storage, payment processing, email delivery, transcription, and AI infrastructure providers that process data under our instructions and appropriate contracts.
- Third-party platforms: when you connect an account or send outreach through a channel (for example Meta, Instagram, TikTok, or email), data is exchanged with that platform as needed to perform the action you requested.
- Within your workspace: team members you invite can see workspace data.
- Legal and safety: when required by law or to protect rights, safety, and the integrity of the Service.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this policy.
We do not sell personal data and we do not share it for cross-context behavioral advertising.
6. International transfers
We may process data in countries outside your own, including the United States and the European Economic Area. Where required, we use safeguards such as the European Commission's Standard Contractual Clauses to protect transferred data.
7. Retention
We keep personal data for as long as your account is active or as needed to provide the Service. After account deletion we delete or de-identify personal data within 90 days, except where longer retention is required by law (for example invoices) or where data has already been aggregated or de-identified so it no longer identifies anyone.
8. Security
We protect data with measures appropriate to the risk, including encryption in transit, access controls, isolation between customer workspaces, and logging. No system is perfectly secure; if a breach affects your personal data we will notify you and the relevant authorities as required by law.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. Residents of the EEA and the UK can also lodge a complaint with their supervisory authority; in the Netherlands this is the Autoriteit Persoonsgegevens. California residents have equivalent rights under the CCPA/CPRA, and we honor them without discriminating against you for exercising them.
To exercise any right, email privacy@ugcflow.com. We respond within the timelines required by applicable law.
10. Cookies and local storage
Our website currently uses only functional storage (for example your theme preference) and strictly necessary cookies for authentication and security. If we introduce analytics or marketing cookies, we will ask for your consent where required and update this policy.
11. Children
The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. If a change is material, we will notify you by email or in the app before it takes effect. The date at the top shows when this policy was last revised.
13. Contact
UGCflow, Amsterdam, the Netherlands. Privacy questions and requests: privacy@ugcflow.com. General questions: hello@ugcflow.com.
