Privacy Policy
Effective Date: January 7, 2026
This Privacy Policy applies to the website substacktools.com and its subdomains (the “Sites”), together with the BlogFlyer Browser Extension (the “Extension”) and our web applications (collectively, “BlogFlyer”, “we”, “us”, or “our”).
This policy describes how we collect, use, and protect your personal information, specifically focusing on our commitment to transparency regarding the data required for our browser extension to function.
1. Definitions
- Personal Information: Any information that can identify you (e.g., name, email, IP address, authentication tokens).
- The Marketing Site: Public-facing pages providing information about our products.
- The Web Application: Functional pages requiring login (e.g., dashboards at /studio) where you manage your scheduled content.
- The Extension: The "BlogFlyer: Substack Note Scheduler" browser addon, which acts as a client-side executor to publish scheduled Notes on your behalf.
2. What Data We Collect & Why
We only collect information that is reasonably necessary to provide our services. We do not sell your personal information or any data you enter into our Services.
A. Information You Provide
- Contact Information: Name and email address via Clerk (our identity provider).
- Content Data: The text and metadata of the Substack Notes you choose to schedule.
B. Browser Extension Specific Data
To fulfill its single purpose—scheduling Substack Notes—the Extension processes:
- Authentication Tokens: Securely retrieved via cookies to sync your login state between the dashboard and the extension.
- Substack Metadata: Cached locally to ensure high-precision publishing.
- Service Logs: Technical details if an automated publishing task fails, used strictly for debugging.
3. Permissions & Host Access (Extension)
To operate correctly, the BlogFlyer Extension requires the following permissions. We adhere to the principle of "Least Privilege":
- alarms: Used to periodically check your scheduling queue and trigger the auto-publishing process at the exact time you specified.
- storage: Used to cache Substack profile metadata locally to minimize latency.
- cookies: Used to securely retrieve session tokens from our web application to keep you logged in.
- Host Permissions:
- https://*.substack.com/: Essential for executing the automated Note posting process on your behalf.
- https://service.substacktools.com/: Required to synchronize your scheduled drafts from our backend.
- https://*.clerk.accounts.dev/ & https://beta.substacktools.com: Necessary for secure user authentication and session management.
4. Third-party Services & Sub-processors
We share limited information with the following "sub-processors" to provide our service:
| Company | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication & Identity | Email, Name, Profile Picture |
| Supabase | Database & Hosting | Scheduled Note content, User ID |
| Resend | Email Delivery | Transactional emails |
| Paddle | Payment Processing | Billing info (processed by Paddle directly) |
| Google Analytics | Site Analytics | Anonymized IP (Strictly Opt-in) |
5. Single Purpose & Data Usage Disclosure
- Single Purpose: BlogFlyer is a dedicated scheduling tool for Substack authors. Its extension exists solely to automate the publishing of Notes.
- No Remote Code: We do not use remote code. All logic is contained within the extension package to ensure security.
- Data Use: We do not use or transfer user data for purposes unrelated to the extension's single purpose, nor do we use data for creditworthiness or lending purposes.
6. Security
We implement industry-standard measures to protect your data. Access to personal information is restricted to employees and contractors bound by strict confidentiality obligations. For the Extension, we take extra care to ensure that your Substack session tokens are handled securely and never exposed to unauthorized parties.
7. Rights & Data Retention
- Your Rights: You have the right to access, rectify, or delete your personal data. You can withdraw your consent at any time.
- Retention:
- If you delete your account, all your data will be removed from our active databases within 30 days.
- Data is cleared from backups within 3 months.
- You can request complete removal via email for faster processing.
8. Changes to This Policy
We may update this policy to reflect changes in our business or regulatory requirements. Registered users will be notified of significant changes via email.