Privacy Policy
Last updated: May 14, 2025
FollowSo ("we", "our", or "us") is committed to protecting your privacy. This policy explains exactly what personal data we collect when you use FollowSo, why we collect it, how we store and protect it, and what rights you have over it. Please read it carefully. By using FollowSo you agree to the practices described below.
1. Who We Are
FollowSo is an AI-powered outreach workspace that helps individuals and small teams organise DM conversations from LinkedIn, Instagram, and Facebook Messenger. The service is available at followso.com (marketing) and app.followso.com (application).
For any privacy-related questions, contact us at privacy@followso.com. We aim to respond within 5 business days.
2. Data We Collect
2.1 Account data
When you sign up we collect your email address and, optionally, your full name. If you sign in with Google, we additionally receive your profile photo URL from Google OAuth. This data is strictly necessary to create and identify your account.
2.2 Lead and conversation data
When you use the FollowSo browser extension to save a lead, we store the following on your behalf:
- The lead's name, public profile URL, and avatar image URL
- The platform the conversation took place on (LinkedIn, Instagram, Facebook, etc.)
- The text content of the DM messages you explicitly choose to sync
- Any status labels, follow-up dates, priority scores, or tags you assign
- Notes you manually write about a lead
Important: FollowSo does not independently scrape, crawl, or access any social media platform. All conversation data is submitted by you via the extension when you click "Save Lead" or "Sync". You have full control over what is stored and can delete any lead or your entire account at any time.
2.3 Usage and technical data
We collect standard server-side logs including your IP address, browser type and version, operating system, pages visited, and request timestamps. This data is used solely for security monitoring, error diagnosis, and rate limiting. It is not shared with third parties for advertising purposes and is automatically deleted after 30 days.
We do not embed third-party analytics scripts (e.g. Google Analytics, Meta Pixel) on any page of the application.
2.4 Payment data
All payment processing is handled by Stripe. FollowSo never receives or stores your full credit card number, CVV, or banking credentials. Stripe shares with us only a customer ID, subscription status, subscription period, and the plan price ID. You can review Stripe's own privacy practices at stripe.com/privacy.
3. How We Use Your Data
We use the data we collect for the following purposes, and nothing else:
- Providing the service: displaying your leads and conversations, running AI analysis, storing notes and follow-up reminders, and enabling workspace collaboration.
- AI features (paid plans only): conversation text is transmitted to the OpenAI API to generate summaries, priority scores, tone detection, and follow-up message suggestions. OpenAI processes this data under our API agreement and does not use API inputs to train its models by default. See openai.com/policies/api-data-usage.
- Authentication: your email and session token are used to identify you and keep you securely signed in. If you use Google sign-in, we exchange an OAuth code for a session and do not store your Google password.
- Billing and subscription management: your email and Stripe customer ID are used to manage plan upgrades, downgrades, and cancellations.
- Security and fraud prevention: IP addresses and request logs are used to detect unusual activity, prevent abuse, and protect your account.
- Transactional email: we send email only for account-related events: email confirmation, password reset, and critical service notices. We do not send marketing emails without your explicit opt-in.
We do not sell, rent, trade, or otherwise share your personal data with any third party for advertising, profiling, or marketing purposes — ever.
4. Data Storage and Security
Your data is stored in Supabase, a managed PostgreSQL database service running on AWS infrastructure in the EU (eu-west-1) region. All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher. Data at rest is encrypted by the cloud provider using AES-256.
Within the database, every table is protected by Row Level Security (RLS) — a Postgres-native mechanism that enforces at the database level that each user can only read and write their own rows. Even if an application bug were to bypass our API logic, RLS prevents cross-user data leakage.
Service credentials and API keys (Stripe, OpenAI, Supabase service role) are stored as server-side environment variables and are never exposed to the browser or included in client bundles.
Data retention: Your data is retained for as long as your account is active. If you delete your account, all associated data — leads, conversations, messages, notes, tokens — is permanently and irreversibly deleted from our systems within 30 days. We do not retain backups of deleted accounts beyond this window.
Data breaches: In the unlikely event of a data breach affecting your personal data, we will notify you by email within 72 hours of becoming aware of the incident, as required under GDPR.
5. Third-Party Sub-Processors
FollowSo uses the following third-party services to deliver the product. Each sub-processor has been evaluated for security and data protection compliance.
| Service | Purpose | Data transferred |
|---|---|---|
| Supabase (AWS EU) | Database & authentication | All user and lead data |
| OpenAI | AI summaries, scoring, suggestions | Conversation text (paid plans only) |
| Stripe | Payment processing | Email address, billing details |
| Vercel | Web hosting & edge delivery | Request logs, IP addresses |
| Resend | Transactional email delivery | Email address, email content |
| Google | OAuth sign-in (optional) | Email, name, profile photo URL |
We review sub-processors at least annually and will update this policy if any change is made. If you object to a particular sub-processor, please contact us — we will try to find an alternative or explain why it is essential.
7. Your Rights
Depending on your location, you may have the following rights over your personal data. Users in the European Economic Area (EEA), UK, and many other jurisdictions have these rights under GDPR or equivalent laws:
- Right of access: you may request a complete copy of all personal data we hold about you. We will provide it in a structured, machine-readable format (JSON) within 30 days.
- Right to rectification: if any data we hold about you is inaccurate or incomplete, you may request that we correct it. You can update your name and email directly in Settings → Account.
- Right to erasure ("right to be forgotten"): you may request that we delete your account and all associated personal data. You can trigger this yourself from Settings, or by emailing us. Deletion is permanent and irreversible.
- Right to data portability: you may request an export of your leads, conversations, and notes in a structured format so you can transfer them to another service.
- Right to restriction of processing: you may ask us to stop processing your data in certain circumstances, for example if you contest its accuracy while we verify it.
- Right to object: you may object to processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to withdraw consent: where processing is based on your consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@followso.com with the subject line "Privacy Request — [right you wish to exercise]". We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority (e.g. ANSPDCP in Romania, ICO in the UK, or your local supervisory authority).
8. Children's Privacy
FollowSo is not directed at or intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal information, we will delete it immediately. If you believe a child has created an account, please contact us at privacy@followso.com.
9. Changes to This Policy
We may revise this Privacy Policy from time to time to reflect changes in the law, our services, or our data practices. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- For material changes — notify you by email and with an in-app banner at least 14 days before the change takes effect
- For minor changes (e.g. typo fixes, clarifications) — update the page without notice
Your continued use of FollowSo after the effective date of any update constitutes your acceptance of the revised policy. If you do not agree to a material change, you may delete your account before it takes effect.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please reach out:
Email: privacy@followso.com
Website: followso.com
Response time: Within 5 business days (GDPR requests: within 30 days)