Privacy Policy
Last updated: April 14, 2026
The short version
We collect the minimum we need to run your account and the product, we isolate your data at the database level, we encrypt your provider API keys, and we don’t train models on your content. You can delete everything at any time.
1. What we collect
- Account data — email, display name, hashed password or OAuth identifier (handled by Supabase Auth).
- Product data — the projects, briefs, characters, closet items, looks, and assets you create.
- Provider keys (BYOK) — encrypted at rest with Fernet (AES-128-CBC + HMAC). Decrypted only in memory when we make an upstream call on your behalf.
- Usage + billing data — per-step cost logs tied to your projects so you can see where credits went.
- Operational data — request IDs, Sentry error reports, and structured logs. These help us debug incidents and are retained only as long as needed for that purpose.
2. What we do NOT collect or do
- We do not train AI models on your prompts, reference images, or generated outputs.
- We do not sell your personal data. Ever.
- We do not share your projects, characters, or assets with other users. Supabase Row-Level Security enforces tenant isolation on every table.
3. Upstream AI providers
When you run a pipeline step, your prompts and any attached assets are sent to the AI provider you selected (Anthropic, OpenAI, Flux, Kling, Veo, ElevenLabs, or others). Each provider’s own privacy policy governs what they do with that data. We recommend reviewing the provider’s terms before attaching sensitive content to a prompt.
4. Cookies + local storage
We use a small number of cookies strictly for authentication and session continuity (set by Supabase Auth), plus Zustand-backed local storage for UI state (sidebar width, draft briefs). No third-party advertising cookies.
5. Third-party services we rely on
- Supabase — database, auth, storage, realtime.
- Sentry — error monitoring. Can be disabled per-deploy.
- Stripe (when paid tier launches) — payment processing. We never see your full card details.
- The AI providers you add keys for — see §3.
6. Your rights
You can, at any time:
- Access or export your data (Settings → Account → Export).
- Correct or update anything inaccurate.
- Delete your account and all associated data (Settings → Account → Delete). Deletion is a hard delete with a short grace window for recovery; see the in-product notice for the exact retention time.
- Revoke upstream provider keys at any time from Settings → API Keys.
7. Data transfers
Our infrastructure is hosted with providers that operate globally. By using the service, you understand your data may be processed in countries other than your own under appropriate legal safeguards.
8. Security
We use RLS-enforced database access, per-user storage folder isolation, encrypted provider keys, request-ID-stamped logs for auditing, and Sentry for anomaly detection. No system is invulnerable. If we become aware of a breach affecting your data, we will notify you promptly and describe the scope and our response.
9. Changes to this policy
We’ll update this policy as the product evolves. Material changes will be announced in-product and by email.
10. Contact
Questions or requests? privacy@mothflow.ai
