Privacy Policy
Content Flow – CF Digital Solutions | Last updated: April 2026
1. Data Controller
The data controller within the meaning of the GDPR is:
Thomas Mudra | CF Digital Solutions
c/o MDC#contentflow, Welserstraße 3, 87463 Dietmannsried, Germany
Email: [email protected]
2. Collection and Processing of Personal Data
We process personal data of our users only to the extent necessary to provide a functional website and our content and services. Processing generally occurs only with the user's consent. Exceptions apply where prior consent is not practically obtainable and processing is permitted by law.
3. Data We Process
When using Content Flow, the following data may be processed:
- Contact data (name, email address) upon registration and account creation
- Payment data (processed exclusively via LemonSqueezy — not stored on our servers)
- Usage data (login timestamps, features used, credit consumption)
- Technical data (IP address, browser type) when visiting our website
- Content processed by the user within the Chrome Extension (not stored permanently)
4. Legal Basis for Processing
- Art. 6(1)(b) GDPR: Contract performance (provision of subscription)
- Art. 6(1)(c) GDPR: Compliance with legal obligations (e.g. tax requirements)
- Art. 6(1)(f) GDPR: Legitimate interests (security, abuse prevention)
5. Third-Party Providers and Processors
5.1 Supabase (Database Hosting)
We use Supabase as our backend infrastructure. Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992. The database server is hosted in the EU region (eu-west). More information: supabase.com/privacy
5.2 LemonSqueezy (Payment Processing)
Payments are processed via LemonSqueezy (Lemon Squeezy LLC, USA). LemonSqueezy acts as Merchant of Record and is independently responsible for processing payment data. More information: lemonsqueezy.com/privacy
5.3 AI Providers (Variable by Plan)
Content Flow offers two ways to access AI services, which differ in how data is processed:
Bring Your Own Key (BYOK) – $19.99/mo tiers:
Customers provide their own API key from Anthropic (Claude), OpenAI (ChatGPT), or xAI (Grok). All AI requests are sent directly from the Customer's browser to the chosen provider, using the Customer's own account. Content Flow does not proxy, log, or store any AI requests in this mode. The Customer's contractual relationship for AI services is directly with the chosen provider, and their respective privacy policies apply:
- Anthropic: anthropic.com/legal/privacy
- OpenAI: openai.com/policies/privacy-policy
- xAI: x.ai/legal/privacy-policy
AI Included – $34.99/mo tier:
AI services are provided through our own proxy infrastructure. Requests are routed through a Supabase Edge Function (hosted in the EU region) to xAI (Grok) as the primary provider. User content is transmitted to xAI solely for the purpose of generating the AI response and is not permanently stored on our side. xAI's data handling is governed by their privacy policy: x.ai/legal/privacy-policy. Credit consumption is tracked on our infrastructure to prevent abuse and enforce subscription limits.
In both cases, the content of Customer-AI interactions is processed only for the duration necessary to deliver the response. Content Flow does not build profiles, train AI models on Customer data, or share Customer inputs with third parties beyond the AI provider chosen for a given request.
6. Cookies and Tracking
Our website uses technically necessary cookies for login and session management. We do not use tracking or analytics cookies from third parties. No user profiles are created for advertising purposes. See our Cookie Policy for details.
7. Retention Period
Personal data is deleted as soon as it is no longer required for the purpose for which it was collected. Customer data is retained after contract termination for the legally prescribed period (generally 10 years under §§ 147 AO, 257 HGB) and then deleted.
8. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
To exercise your rights, please contact: [email protected]
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. The competent authority for Bavaria is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 27, 91522 Ansbach, Germany.