Privacy Policy
Last updated: 2026-02-25 · GDPR-compliant · Germany / EU
Who we are / Data controller
TootFlow is a tool for scheduling and managing Mastodon social media campaigns, operated by the individual identified in the Impressum. References to "we", "us", or "TootFlow" refer to that operator, who is the data controller within the meaning of the GDPR.
For any privacy-related enquiries or to exercise your rights, contact: hello@tootflow.com. A data protection officer is not required for this service (Art. 37 GDPR — small private operator, no large-scale processing of special-category data).
What data we store
When you use TootFlow we store the following data about you:
| Data | Why | How long |
|---|---|---|
| Mastodon username & instance URL | Your identity — used to link your account | Until you delete your account |
| Mastodon access token (encrypted) | Publishing posts on your behalf when scheduled | Until you delete your account; refreshed on each login |
| Campaign names, descriptions, post content | Core product functionality | Until you delete the campaign or your account |
| Post engagement metrics (favourites, reblogs, replies) | Showing you how your posts perform | Until you delete the campaign or your account |
| Payment order ID and amount | Activating campaigns; reconciling payments | Until you delete your account |
We do not store email addresses, passwords, or any payment card details.
Cookies
TootFlow uses two cookies, both strictly necessary for the service to function:
| Cookie | Purpose |
|---|---|
| access_token | Session authentication (JWT, httpOnly, not readable by JavaScript) |
| csrf_token | Cross-site request forgery protection |
No tracking, advertising, or analytics cookies are used. No consent banner is required.
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Your Mastodon instance | OAuth login; publishing posts; fetching metrics | OAuth authorisation code; post content on publish |
| LemonSqueezy | Payment processing | A campaign identifier to link payment to your campaign. Card data never reaches TootFlow. |
| OpenAI | AI-generated post suggestions | Campaign name, description, tone, and language when generating posts |
Each third party operates under its own privacy policy. We do not sell your data to any party.
Legal basis for processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account data, Mastodon tokens, campaigns, posts | Art. 6(1)(b) — performance of a contract (providing the Service you signed up for) |
| Payment records (order ID, amount) | Art. 6(1)(c) — legal obligation (commercial record-keeping requirements) |
| Security logs, CSRF tokens, rate-limit counters | Art. 6(1)(f) — legitimate interest (protecting the Service and its users from abuse) |
| Engagement metrics fetched from Mastodon | Art. 6(1)(b) — performance of a contract (engagement tracking is a core feature) |
Your rights (GDPR)
If you are in the EU or UK you have the following rights:
- Access — download everything we hold about you via Account → Download Data Export.
- Erasure — permanently delete your account and all associated data via Account → Delete My Account.
- Portability — the data export is a standard JSON file you can use with other services.
- Rectification — your identity data (username/instance) is updated automatically on each login via Mastodon OAuth.
Deletion is immediate and permanent. There is no retention period after deletion.
Data security
Mastodon access tokens are encrypted at rest using AES-128 (Fernet). Session cookies are signed with a server-side secret, marked httpOnly, and use SameSite=Lax. All requests are protected by CSRF tokens. In production the application is served over HTTPS only.
Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your country of residence. In Germany the relevant authority is the Datenschutzbeauftragter of the state (Bundesland) in which the operator resides — see bfdi.bund.de for a list of all German supervisory authorities.
EU residents may also contact the supervisory authority of their own member state.
Changes to this policy
Material changes will be communicated by updating the "Last updated" date at the top of this page. Continued use of TootFlow after changes constitutes acceptance of the updated policy.