PublishFlow

Privacy Policy

Last updated: April 7, 2026

This Privacy Policy describes how Winsome Consulting LLC (“PublishFlow”, “we”, “us”, or “our”) collects, uses, and shares information about you when you use the PublishFlow website, web application, and related services (collectively, the “Service”), available at publishflow.io.

We are committed to protecting your privacy and being transparent about how we handle your data. By using PublishFlow, you agree to the practices described in this policy.

1. Who we are

PublishFlow is operated by Winsome Consulting LLC, a limited liability company registered in the State of Delaware, United States. For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA), Winsome Consulting LLC is the data controller of your personal information.

If you have questions about this policy or how we handle your data, you can contact us at hello@publishflow.io.

2. Information we collect

2.1 Information you provide directly

  • Account information — When you sign up, we collect your email address, name, and password (or, if you sign up with Google, the profile information Google shares with us).
  • Content you create or upload — Case studies, blog posts, URLs, voice recordings, transcripts, and the LinkedIn posts we generate for you. This is your data and you own it.
  • Voice profile data — Sample LinkedIn posts you paste into PublishFlow to train your voice profile, plus optional company URL and context.
  • Voice recordings — Audio you record using the Voice Note feature. Recordings are sent to OpenAI for transcription and are not retained after the transcript is returned.
  • Billing information — If you subscribe to a paid plan, our payment processor Stripe collects your payment details. We do not store full card numbers on our servers.
  • Communications — Messages you send us via email, support requests, or in-app feedback.

2.2 Information collected automatically

  • Usage data — Pages visited, features used, time spent, and actions taken within the Service. We use this to improve the product and understand which features are valuable.
  • Device and connection data — Browser type, operating system, IP address, and approximate location (derived from IP).
  • Cookies and similar technologies — We use essential cookies for authentication and session management. We do not use third-party advertising cookies.

3. How we use your information

We use the information we collect to:

  • Provide, operate, and improve the Service
  • Process voice recordings into transcripts and generate LinkedIn posts
  • Train and apply your personal voice profile to outputs we generate for you
  • Process payments and manage your subscription
  • Send transactional emails (e.g., login confirmations, billing receipts, important account updates)
  • Respond to your support requests and feedback
  • Detect, prevent, and respond to fraud or abuse
  • Comply with legal obligations

4. Legal bases for processing (GDPR)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases:

  • Contract — To provide the Service you signed up for.
  • Legitimate interests — To improve the Service, ensure security, and prevent abuse.
  • Consent — Where required by law, such as for optional marketing communications.
  • Legal obligation — To comply with applicable laws and respond to lawful requests from authorities.

5. Service providers (sub-processors)

We share limited information with trusted third parties who help us run PublishFlow. Each is bound by contractual obligations to protect your data.

ProviderPurposeData shared
SupabaseDatabase, authentication, file storageAccount data, generated content, voice profiles
Anthropic (Claude API)AI generation of LinkedIn postsSource content, voice profile, prompts
OpenAI (Whisper API)Voice note transcriptionAudio recordings (not retained)
StripePayment processingName, email, billing details
ResendTransactional email deliveryEmail address, message content
VercelApplication hostingRequest logs, IP address
Google (OAuth)Sign-in with GoogleProfile information you authorize

We do not sell your personal information to third parties. Your generated content and voice profile data are not used to train any third-party AI models.

6. AI providers and your content

When you use PublishFlow, your content is sent to AI providers (Anthropic and OpenAI) to generate or transcribe outputs. Both providers operate under their own privacy and data-handling policies:

  • Anthropic does not use customer API data to train their models by default.
  • OpenAI does not use API data to train their models and retains audio sent to Whisper for a limited operational window before deletion.

We do not retain voice recordings after transcription. Transcripts and generated posts are stored in your PublishFlow account and remain under your control.

7. LinkedIn integration

If you choose to connect your LinkedIn account to PublishFlow (for publishing or scheduling posts), we will collect and store an OAuth access token issued by LinkedIn. We use this token solely to perform actions you have explicitly authorized — such as publishing a post on your behalf — and never to read your LinkedIn data without your knowledge. You can disconnect your LinkedIn account at any time from your account settings, which immediately revokes our access.

8. Data retention

We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal, accounting, or fraud-prevention purposes (e.g., billing records may be retained for up to 7 years).

9. International data transfers

PublishFlow is operated from the United States, and our service providers are located in the United States and the European Union. If you access PublishFlow from outside these regions, your information will be transferred to and processed in these countries. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data is protected in line with GDPR.

10. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access — Request a copy of the data we hold about you
  • Correction — Ask us to correct inaccurate or incomplete data
  • Deletion — Ask us to delete your data (subject to legal exceptions)
  • Portability — Receive your data in a structured, machine-readable format
  • Objection — Object to processing based on our legitimate interests
  • Withdrawal of consent — Withdraw consent at any time where we rely on it
  • Lodge a complaint — File a complaint with your local data protection authority

To exercise any of these rights, email us at hello@publishflow.io. We will respond within 30 days.

11. Security

We take security seriously and implement industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest, secure authentication, regular backups, and least-privilege access controls. However, no system is 100% secure, and we cannot guarantee absolute security.

12. Children's privacy

PublishFlow is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through an in-app notice before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:

Winsome Consulting LLC
Email: hello@publishflow.io
Website: publishflow.io