SkyFollowing
Home
Legal

Privacy policy

What we collect, why, who processes it, and the rights you have over it. Plain language first, specifics named.

Last updated July 1, 2026

This policy explains what data SkyFollowing ("we", "us") collects when you use our website, dashboard, and API, why we collect it, who processes it on our behalf, and the choices you have. It is written to be read, so plain language comes first and every section names the specifics.

Key takeaways
  • We never see or store your Bluesky password; connections use official OAuth and the session is encrypted at rest.
  • Payment cards are handled entirely by Stripe; card numbers never touch our servers.
  • AI scoring reads only public Bluesky profile content, and we cache scores so the same profile is processed once.
  • We never sell personal data, and you can export or delete your data whenever you want.

Information we collect

CategoryExamplesWhere it comes from
AccountEmail address, name and avatar when provided by Google or GitHub sign-inYou, at sign-up
Workspace and billingPlan, subscription status, invoices; payment cards stay with StripeYou and Stripe
Connected Bluesky accountsHandle, DID, follower counts, encrypted OAuth session, health and risk metricsBluesky, with your authorization
Campaigns and activityCampaign settings, follow and unfollow records, events, webhook configuration, API keys (stored as hashes)Generated as you use the service
Public profiles of candidatesBios and public profile details of accounts campaigns evaluate, plus the resulting AI scoresBluesky's public APIs
Usage and diagnosticsProduct analytics events, pages visited, device and browser information, error reportsYour use of the site and app

How we use information

  • Run the service. Execute campaigns you configure, score candidates, enforce pacing and safety, and show you analytics.
  • Bill you. Manage subscriptions, trials, and invoices through Stripe.
  • Keep accounts safe. Compute ban-risk scores, hold accounts when risk turns critical, and secure the platform against abuse.
  • Communicate. Send transactional email such as magic sign-in links and important service notices.
  • Improve the product. Understand which features are used and where errors happen, using analytics and error monitoring.

AI processing

Relevance scoring and Agency-plan reply drafting are powered by large language models from OpenAI. When a campaign evaluates a candidate, we send that profile's public bio and profile details to the model along with your campaign's niche keywords, and receive back a 0-100 relevance score. Scores are cached on the follow record, so the same profile is scored once rather than repeatedly. We send only what the feature needs, and we do not send your billing details, email address, or private workspace data to model providers.

When we share information

We never sell personal data. We share it in three cases: with the service providers below acting on our instructions, when the law requires it, and in a merger or acquisition where this policy continues to apply until replaced with notice.

ProviderPurpose
SupabaseDatabase and authentication
VercelHosting and web analytics
StripePayments, subscriptions, and invoices
ResendTransactional email delivery
PostHogProduct analytics
SentryError monitoring
OpenAIAI relevance scoring and reply drafting
Each provider processes only what its purpose requires, under its own data processing terms.

Cookies

We use essential cookies to keep you signed in (authentication sessions) and analytics cookies to understand product usage. Blocking non-essential cookies in your browser does not break the service.

Data retention

We keep your data while your account is active. Disconnecting a Bluesky account invalidates its stored OAuth session, revoking an API key disables it immediately, and deleting your account removes your workspace data within a reasonable period, except records we must keep for legal or accounting reasons (such as invoices).

Security

  • Bluesky OAuth sessions are encrypted at rest and never exposed to the browser or the API.
  • API keys are stored as SHA-256 hashes; the full key is shown once, at creation.
  • All traffic is encrypted in transit, and every query is scoped to your workspace on the server.

Public profiles of people campaigns evaluate

Campaigns read public Bluesky profiles (bios and public posts) to decide who is worth following, on behalf of our users and based on our legitimate interest in providing the service. We only process content those account holders chose to make public, and we do not build advertising profiles from it. If you are a Bluesky user and want cached data about your profile removed from our systems, email support@skyfollowing.com and we will handle it.

Your rights

Depending on where you live (including under the GDPR and CCPA), you may have rights to access, correct, export, delete, or restrict the processing of your personal data, and to object to certain processing. Exercise any of them by emailing support@skyfollowing.com from the address on your account; we respond to every request and never discriminate for exercising a right.

Children

The service is not directed to children under 13, and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will remove it.

Changes to this policy

When this policy changes materially, we will notify you by email or an in-app notice before the change takes effect, and the date at the top of this page always reflects the current version.

Contact

Privacy questions and requests: support@skyfollowing.com.