Privacy Policy
The short version: we never read, collect, or transmit prompts, AI responses, chat history, or page content. We record that an ad was shown or clicked, where, and for how long — that's what gets publishers and extension users paid. No cross-site tracking, no profiles, no sale of data.
1. Who we are
IdleFlow ("we", "us") operates an advertising marketplace for the loading states of AI applications. This policy covers the browser extension, the publisher SDK embedded in third-party AI apps, our website and portals, and our API.
2. Data we process when an ad is served
| Data | What it is | Why |
|---|---|---|
| Ad delivery events | Which ad was shown or clicked, the app or site it appeared in, timestamps, display duration, visibility signals | Crediting earnings; billing advertisers for genuine impressions |
| Coarse context | Country/region derived from IP, device class (desktop/mobile), operating system, browser family, hour of day | Ad targeting and aggregate analytics. The IP itself is not stored on events |
| Session hash | A short hash of IP + browser + the current date. Rotates every day; cannot be reversed into an identity | Frequency capping (not showing you the same ad too often) and fraud detection |
| Extension device ID | A random identifier from a cryptographic key generated at install (extension users only) | Attributing extension earnings; fraud prevention |
| First-party attributes | Optional coarse attributes (age band, gender, interest tags) that a publisher's app may pass if it has them and the right to share them | Ad targeting. We accept only coarse bands and reject anything resembling PII |
3. What we never collect
- Prompts, AI responses, conversations, or any page content.
- Browsing history, keystrokes, form inputs, passwords, or screenshots.
- Third-party cookies, fingerprints, or any cross-site identity. Nothing we store can follow a person from one app to another.
- Names, emails, or precise location of people who see ads.
4. Account holders
Publishers and advertisers sign in with email or Google (via Firebase Authentication); we store your email, company details, and — for publishers — your app's URL and earnings ledger. Payments run through Stripe; we never see card numbers. Payout recipients may need to provide tax documentation, which is handled by our payment processor.
5. Consent
Extension users see ads only after explicit opt-in on the consent screen. For publisher apps, the publisher is responsible for disclosing IdleFlow in their own privacy policy (we require it in the Publisher Terms and provide template language). Every ad is labeled "Sponsored · via IdleFlow".
6. Retention
Raw ad events are kept as long as needed for earnings accounting, fraud review, and billing disputes, then aggregated or deleted. Daily aggregates are kept up to two years. Frequency-capping hashes are deleted within 48 hours. Payout records are kept as tax law requires.
7. Sharing
We do not sell or rent data. We share it only with payment processors, infrastructure providers, and authorities when legally required. Advertisers see aggregate statistics only — never who viewed an ad.
8. Security
Extension events are cryptographically signed on-device. SDK traffic is bound to verified publisher domains and single-use delivery tokens. All traffic uses TLS. Earnings sit in a 48-hour review window before becoming payable.
9. Your rights
Depending on where you live (including under GDPR and CCPA), you may access, correct, export, or delete your data, and object to processing. Email us; we honor requests within 30 days, without discrimination.
10. Children
IdleFlow is not directed at children under 16 and we do not knowingly collect their data. Publisher apps targeting children under 13 are not accepted.
11. Changes
Changes are posted here with an updated date; material changes are announced to account holders by email before taking effect.