Privacy policy
What we collect, why, who processes it, and the rights you have over it. Plain language first, specifics named.
This policy explains what data SkyFollowing ("we", "us") collects when you use our website, dashboard, and API, why we collect it, who processes it on our behalf, and the choices you have. It is written to be read, so plain language comes first and every section names the specifics.
- We never see or store your Bluesky password; connections use official OAuth and the session is encrypted at rest.
- Payment cards are handled entirely by Stripe; card numbers never touch our servers.
- AI scoring reads only public Bluesky profile content, and we cache scores so the same profile is processed once.
- We never sell personal data, and you can export or delete your data whenever you want.
Information we collect
| Category | Examples | Where it comes from |
|---|---|---|
| Account | Email address, name and avatar when provided by Google or GitHub sign-in | You, at sign-up |
| Workspace and billing | Plan, subscription status, invoices; payment cards stay with Stripe | You and Stripe |
| Connected Bluesky accounts | Handle, DID, follower counts, encrypted OAuth session, health and risk metrics | Bluesky, with your authorization |
| Campaigns and activity | Campaign settings, follow and unfollow records, events, webhook configuration, API keys (stored as hashes) | Generated as you use the service |
| Public profiles of candidates | Bios and public profile details of accounts campaigns evaluate, plus the resulting AI scores | Bluesky's public APIs |
| Usage and diagnostics | Product analytics events, pages visited, device and browser information, error reports | Your use of the site and app |
How we use information
- Run the service. Execute campaigns you configure, score candidates, enforce pacing and safety, and show you analytics.
- Bill you. Manage subscriptions, trials, and invoices through Stripe.
- Keep accounts safe. Compute ban-risk scores, hold accounts when risk turns critical, and secure the platform against abuse.
- Communicate. Send transactional email such as magic sign-in links and important service notices.
- Improve the product. Understand which features are used and where errors happen, using analytics and error monitoring.
AI processing
Relevance scoring and Agency-plan reply drafting are powered by large language models from OpenAI. When a campaign evaluates a candidate, we send that profile's public bio and profile details to the model along with your campaign's niche keywords, and receive back a 0-100 relevance score. Scores are cached on the follow record, so the same profile is scored once rather than repeatedly. We send only what the feature needs, and we do not send your billing details, email address, or private workspace data to model providers.
When we share information
We never sell personal data. We share it in three cases: with the service providers below acting on our instructions, when the law requires it, and in a merger or acquisition where this policy continues to apply until replaced with notice.
| Provider | Purpose |
|---|---|
| Supabase | Database and authentication |
| Vercel | Hosting and web analytics |
| Stripe | Payments, subscriptions, and invoices |
| Resend | Transactional email delivery |
| PostHog | Product analytics |
| Sentry | Error monitoring |
| OpenAI | AI relevance scoring and reply drafting |
Cookies
We use essential cookies to keep you signed in (authentication sessions) and analytics cookies to understand product usage. Blocking non-essential cookies in your browser does not break the service.
Data retention
We keep your data while your account is active. Disconnecting a Bluesky account invalidates its stored OAuth session, revoking an API key disables it immediately, and deleting your account removes your workspace data within a reasonable period, except records we must keep for legal or accounting reasons (such as invoices).
Security
- Bluesky OAuth sessions are encrypted at rest and never exposed to the browser or the API.
- API keys are stored as SHA-256 hashes; the full key is shown once, at creation.
- All traffic is encrypted in transit, and every query is scoped to your workspace on the server.
Public profiles of people campaigns evaluate
Campaigns read public Bluesky profiles (bios and public posts) to decide who is worth following, on behalf of our users and based on our legitimate interest in providing the service. We only process content those account holders chose to make public, and we do not build advertising profiles from it. If you are a Bluesky user and want cached data about your profile removed from our systems, email support@skyfollowing.com and we will handle it.
Your rights
Depending on where you live (including under the GDPR and CCPA), you may have rights to access, correct, export, delete, or restrict the processing of your personal data, and to object to certain processing. Exercise any of them by emailing support@skyfollowing.com from the address on your account; we respond to every request and never discriminate against you for exercising a right.
Children
The service is not directed to children under 13, and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will remove it.
Changes to this policy
When this policy changes materially, we will notify you by email or an in-app notice before the change takes effect, and the date at the top of this page always reflects the current version.
Contact
Privacy questions and requests: support@skyfollowing.com.