How we handle your data

Privacy Policy

Plain English summary

ONYX collects the minimum data needed to schedule and publish your BlueSky posts. We do not sell your data. We do not share it with advertisers. We encrypt sensitive credentials at rest. You can delete your account and all associated data any time by emailing support.

What we collect

  • Your email address (used to sign in and send account-related notifications)
  • Your BlueSky handle and app password (used to publish posts on your behalf)
  • The posts you write, schedule, and publish through ONYX
  • Your recent public BlueSky posts (used to train the AI voice generator on your writing style)
  • Basic usage data (which features you use, when you log in) for product improvement

What we do NOT collect

  • Your main BlueSky password (we only use app passwords, which you generate in BlueSky settings)
  • Your direct messages or any private BlueSky content
  • Your contacts, address book, or social graph beyond what is publicly visible
  • Financial information directly (payments are handled by our payment processor)
  • Location, device fingerprinting, or third-party tracking cookies

How we store it

Your BlueSky app password is encrypted using AES-256-GCM before being written to the database. The encryption key is stored separately as an environment variable on our backend. Email addresses are stored in plaintext (since we need to email you). Posts are stored as you wrote them.

Who we share it with

  • BlueSky - when you publish a post, the text and any media go to BlueSky. That is the point of the product.
  • Google Gemini - when you use AI voice generation, your recent BlueSky posts and writing prompts are sent to Google's Gemini API to generate drafts.
  • Our infrastructure providers - Vercel, Supabase, Upstash, and Render host the application. They process data on our behalf under standard data processing agreements.
  • No one else. We do not sell your data. We do not run ad networks. We do not share with data brokers.

Your rights

You can request a copy of your data, correction of any inaccuracies, or full deletion of your account at any time by emailing fluxhq@proton.me. We process these requests within 30 days.

Children

ONYX is not intended for users under 13 years old. We do not knowingly collect data from children. If you are a parent and believe your child has signed up, email us and we will delete the account.

Changes

If we update this policy, we will note the new date at the top and email registered users about any material changes before they take effect.

Contact

Questions, complaints, or data requests: fluxhq@proton.me