This Policy explains what personal information PopCandi Creative Studio (“we”, “us”) collects when you use Adflow at adflow.design — including the web app, API, and MCP server — how we use and share it, and the choices and rights you have. It should be read with our Terms of Service.
Adflow is operated by PopCandi Creative Studio ABN 20 413 419 189, 21 Gordon Grove, Preston VIC 3072, Australia. For any privacy question, contact support@adflow.design.
We handle personal information in accordance with applicable law, including the Australian Privacy Principles under the Privacy Act 1988 (Cth) and the GDPR/UK GDPR where applicable.
If you use the URL-capture or tab-stream features, we process the page or stream content you direct us to capture in order to render it onto your canvas.
Where the GDPR applies, our legal bases are: performance of our contract with you, our legitimate interests (security, improvement), your consent (where required, e.g. certain cookies/marketing), and compliance with legal obligations.
When you generate or edit imagery, vectors, video, or audio, your prompts and any uploaded assets are sent to the relevant third-party AI provider (see section 5) to produce the Output and returned to you. Providers process this input under their own terms and privacy policies. We do not control, and are not responsible for, providers’ independent practices, but we select providers intended to support business use. See our Terms for ownership of AI Output.
We share personal information with the following categories of providers, only as needed to run the Service. Each processes data under its own terms; the list may change as the Service evolves.
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication, database, file storage | Account, content, projects, usage |
| Google (OAuth) | “Sign in with Google” authentication | Email, basic profile identifier |
| Stripe | Payments, card storage, billing | Billing details, payment method, charges |
| fal.ai & connected model providers (e.g. GPT Image, Flux, Imagen, Nano Banana, Ideogram) | AI image, vector, motion generation, editing & upscaling | Prompts, uploaded/generated images |
| Anthropic for AI/agent features | AI/agent text features | Prompts and related inputs |
| Amazon Web Services | Cloud video rendering & storage (render pipeline) | Project/render data, output assets |
| Vercel | Application hosting, serverless functions, storage/CDN | Requests, logs, hosted assets |
| Dropbox / Google Drive | Optional integrations you connect | Files you choose to import/export |
| Error/analytics tooling our transactional email provider | Error monitoring & product analytics | Diagnostic & usage data |
| Email provider our transactional email provider | Transactional & account email | Email address, message content |
We may also disclose information to comply with law, enforce our Terms, or in connection with a merger, acquisition, or sale of assets (with notice where required). We do not sell your personal information.
If you connect Dropbox, Google Drive, or other third-party accounts, you authorise us to access only the data needed for the feature you use (for example, importing an asset or exporting a render). You can disconnect an integration at any time; doing so stops future access but does not delete data already imported into your projects.
We keep personal information for as long as your account is active and as needed to provide the Service. After account closure, we delete or de-identify your content and projects within 30 days, except where we must retain certain records longer — for example, billing and transaction records kept for 7 years to meet tax and accounting obligations, and limited security/log data. Backups are purged on a rolling cycle.
We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, tenant isolation so users see only the design systems and projects assigned to them, and rate limiting and abuse protections. No method of transmission or storage is completely secure; we cannot guarantee absolute security. If a data breach affecting you occurs, we will notify you and the relevant regulator where required by law.
Our providers may store and process data outside your country, including in the United States and other regions. Where we transfer personal information across borders, we take reasonable steps to ensure it is protected consistently with this Policy and applicable law standard contractual clauses where the GDPR applies.
To exercise any right, email support@adflow.design. We will verify your identity and respond within the period required by law. Many settings (billing, auto top-up, integrations) can also be managed directly in the app.
The Service is not directed to, and is not intended for, anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
We may update this Policy from time to time. We will post the updated version with a new effective date and, for material changes, take reasonable steps to notify you. Your continued use after changes take effect constitutes acceptance.
PopCandi Creative Studio ABN 20 413 419 189
21 Gordon Grove, Preston VIC 3072, Australia
Privacy enquiries: support@adflow.design