Privacy Policy

1. Information for users

FX for a living S.L., hereinafter the DATA CONTROLLER, is the controller of users' personal data and informs you that such data will be processed in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The following information on processing is provided:

Purpose of processing

Maintaining an educational and/or commercial relationship with the User.

Processing operations

• Sending educational and/or commercial promotional communications by email, fax, SMS, MMS, social communities or any other electronic or physical medium, present or future, that enables such communications. These communications will be sent by the DATA CONTROLLER and will relate to its products and services, or those of its collaborators or suppliers with whom it has entered into a promotional agreement.
• Carrying out statistical studies.
• Processing orders, requests or any type of query submitted by the user through any of the available contact channels.
• Sending the website newsletter.

Data retention criteria

Data will be retained for as long as there is a mutual interest in maintaining the purpose of processing. Once no longer necessary for that purpose, data will be deleted using appropriate security measures to ensure pseudonymisation or complete destruction.

Data sharing

We will not share your personal data with third parties unless we are legally required to do so or have previously agreed to it.

In order to provide you with an adequate service and manage our relationship with you as a client, the categories of companies that process your data on behalf of FX for a living S.L. — as part of the services we have contracted from them — are tax and accounting advisory and management companies, and information technology services companies.

We also inform you that, for the same purpose stated above, certain companies providing services to FX for a living S.L. may access your personal data (international data transfers). Such transfers are made to countries with a level of protection equivalent to that of the European Union (European Commission adequacy decisions).

For more information, please contact us at: soporte@contentflow365.com.

User rights

• Right to withdraw consent at any time.
• Right to access, rectification, portability and erasure of your data, and to restriction of or objection to its processing.
• Right to lodge a complaint with the supervisory authority (aepd.es) if you consider that the processing does not comply with applicable regulations.

Contact details to exercise your rights

2. Mandatory or optional nature of information provided by the User

By ticking the relevant boxes and entering data in fields marked with an asterisk (*) in the contact form or download forms, users expressly, freely and unambiguously accept that their data is necessary for the provider to handle their request, while the inclusion of data in the remaining fields is voluntary. The User warrants that the personal data provided to the DATA CONTROLLER is accurate and undertakes to notify any changes to that data.

The DATA CONTROLLER informs users that, whenever it intends to transfer personal data, it will first request the express, informed and unambiguous consent of the Users.

All data requested through the website is mandatory, as it is necessary for the provision of an optimal service to the User. If not all data is provided, we cannot guarantee that the information and services provided will be fully suited to your needs.

3. Security measures

In accordance with the provisions of current data protection regulations, the DATA CONTROLLER is complying with all GDPR requirements for the processing of personal data under its responsibility, and in particular with the principles set out in Article 5 of the GDPR, under which data is processed lawfully, fairly and transparently in relation to the data subject and is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

The DATA CONTROLLER warrants that it has implemented appropriate technical and organisational policies to apply the security measures required by the GDPR in order to protect users' rights and freedoms, and has provided users with the information necessary to exercise those rights.

4. YouTube API Services integration

ContentFlow365 uses Google's YouTube API Services (YouTube Data API v3 and YouTube Analytics API) to provide the following features to the User once they have explicitly connected their YouTube channel through Google's OAuth 2.0 flow:

• Publishing videos created by the User to their YouTube channel (youtube.upload).
• Setting a custom thumbnail on the uploaded video (youtube).
• Publishing a pinned comment on the uploaded video (youtube).
• Changing the video privacy status (from unlisted to public) on the date scheduled by the User (youtube).
• Displaying the User's public and private channel and video statistics in their internal dashboard (youtube.readonly, yt-analytics.readonly).

4.1 Acceptance of Google and YouTube terms

By using ContentFlow365's YouTube integration, the User expressly agrees to be bound by the YouTube Terms of Service and Google's Privacy Policy.

4.2 What data we obtain from YouTube and how we use it

ContentFlow365 only obtains and stores from YouTube API Services the data strictly necessary to provide the User with the features described above:

• OAuth tokens (access token and refresh token) — stored encrypted in our database and used exclusively by our backend services to execute the operations authorised by the User. They are not shared with third parties or used for any other purpose.
• YouTube channel ID and name connected to the account, as well as the email address associated with the Google account — displayed in the User's internal dashboard so they can identify which channel is connected and disconnect it if they wish.
• Video metadata published by the User through the platform (title, description, tags, publication date, YouTube video ID) — stored in our database to display publication status, link to analytics, and allow the User to manage their published video history.
• Aggregated channel statistics (views, subscribers, interactions, watch time) — shown to the User in their internal analytics dashboard. This data is temporary and periodically refreshed from the YouTube Analytics API.

ContentFlow365 does NOT transfer, sell, share or disclose to any third party the data obtained from YouTube API Services under any circumstances. Data is used exclusively within the private scope of the User who connected it.

4.3 YouTube data storage and retention

OAuth tokens are stored encrypted in databases hosted in the European Union (Supabase, Frankfurt) and remain active until the User explicitly revokes the integration. Published video metadata is retained for the lifetime of the User's account on the platform. Upon account cancellation, this data is deleted within a maximum of 30 days.

Aggregated channel statistics are periodically refreshed and may be cached for up to 24 hours to reduce calls to the YouTube Analytics API. This data never leaves ContentFlow365's servers.

4.4 How to revoke ContentFlow365's access to your YouTube account

The User can revoke ContentFlow365's access to their YouTube data at any time using either of these two methods:

• From ContentFlow365: go to Social Hub → Accounts, find the "YouTube Direct connected" card and click "Disconnect". Revocation is immediate: the access token is invalidated, the refresh token is marked as inactive in our database, and ContentFlow365 can no longer make YouTube API calls on behalf of the User.
• From Google security settings: go to https://myaccount.google.com/permissions, find "ContentFlow365" in the list of authorised third-party apps and click "Remove access". This action revokes access on Google's side and propagates the invalidation to our servers on the next token use attempt.

4.5 Limited Use — compliance with YouTube API policies

ContentFlow365's use of information received from Google APIs, including the transfer of that information to any other application, adheres to the Google API Services User Data Policy, including the Limited Use requirements.