Flowframe Privacy Policy
Effective Date: January 10, 2026
Last Updated: January 10, 2026
Version: 1.0
Welcome to Flowframe. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our collaborative data analytics platform.
Our Commitment:
- ✅ We do NOT sell your personal data
- ✅ We process data only as necessary to provide our Service
- ✅ We implement enterprise-grade security measures
- ✅ We comply with GDPR, CCPA, and other data protection laws
- ✅ You own your data and can export or delete it anytime
TABLE OF CONTENTS
- What Data We Collect
- How We Collect Data
- How We Use Your Data
- Our Dual Architecture (Privacy by Design)
- How We Share Your Data
- International Data Transfers
- Data Retention
- Your Privacy Rights
- Security Measures
- Cookies and Tracking
- Children's Privacy
- California Privacy Rights (CCPA)
- Changes to This Privacy Policy
- Contact Us
1. WHAT DATA WE COLLECT
1.1 Account Information (Data We Store on Our Servers)
When you create a Flowframe account, we collect:
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Contact Information | Email address, name, company name | Account management, communication | Contract performance |
| Authentication | Password (hashed with bcrypt + salt) | Security, login | Contract performance |
| Workspace Settings | Workspace name, team member roles, preferences | Service provision | Contract performance |
| Billing Information | Payment method via Stripe (we don't store card numbers) | Payment processing | Contract performance |
Important: Passwords are never stored in plaintext. We use industry-standard bcrypt hashing with salt, making it impossible for us (or attackers) to see your actual password.
1.2 Collaboration Data (Data We Store on Our Servers)
To enable real-time collaboration features, we store:
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Real-Time Collaboration State | Yjs CRDT documents | Enable simultaneous editing | Contract performance |
| Query History | SQL queries you've written (NOT query results) | Version history, rollback | Contract performance |
| Metadata Descriptions | Column/table descriptions you add | AI features, documentation | Contract performance |
| Comments and Annotations | Team discussions on analyses | Collaboration | Contract performance |
| Version History | Previous versions of analyses | Rollback capability | Contract performance |
| Project Settings | Canvas layout, visualization settings | Service provision | Contract performance |
1.3 Usage Analytics (Data We Collect to Improve Our Product)
We collect analytics to understand how you use Flowframe:
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Feature Usage | Which features you use, frequency | Product improvement | Legitimate interests |
| Performance Metrics | Page load times, query execution speed | Optimize performance | Legitimate interests |
| Error Logs | Technical errors (no personal data) | Fix bugs | Legitimate interests |
| Device Information | Browser type, OS, IP address | Security, fraud prevention | Legitimate interests |
| Session Data | Login times, session duration | Analytics | Legitimate interests |
Anonymization: Where possible, we anonymize analytics data so it cannot be linked back to you.
1.4 Cloud Database Query Data (Transiently Processed, Not Stored)
When you connect to cloud databases (PostgreSQL, MySQL, SQL Server, etc.):
| Data Category | How We Process It | Storage | Legal Basis |
|---|---|---|---|
| Database Credentials | Encrypted in your browser, sent encrypted to servers for connection | Encrypted at rest | Contract performance |
| SQL Queries | Routed through our servers to your database | Query text stored (results NOT stored) | Contract performance |
| Query Results | Transmitted through servers to your browser | NOT stored on servers (transient only) | Contract performance |
| Database Schema | Retrieved to power autocomplete features | Cached temporarily, not stored long-term | Contract performance |
Data Flow Architecture:
- You provide database credentials (encrypted in browser)
- Queries routed through Flowframe servers for security
- Servers connect to your database and execute queries
- Results sent directly to your browser
- Results cached in your browser only (not on Flowframe servers)
Why Through Our Servers:
- ✅ Enhanced security and connection management
- ✅ Firewall compatibility (easier to whitelist Flowframe IPs)
- ✅ Connection pooling for team collaboration
- ✅ Secure credential management
Important: While query results pass through our servers, they are transient (not stored). We only store the query text for version history purposes.
1.5 File Upload Data (Stored Encrypted)
When you upload files (CSV, Parquet, JSON):
| Data Category | How We Process It | Storage Location | Retention |
|---|---|---|---|
| Uploaded Files | Processed client-side with DuckDB WASM | DigitalOcean Spaces (encrypted) | Until you delete or account deletion |
| File Metadata | File names, sizes, upload dates | PostgreSQL database | Until you delete or account deletion |
| File Contents | Encrypted with AES-256 at rest | DigitalOcean Spaces (London, UK) | Until you delete or account deletion |
Data Flow Architecture:
- Files processed client-side in your browser using DuckDB WASM
- Encrypted file contents stored in DigitalOcean Spaces (S3-compatible)
- Files encrypted using AES-256 server-side encryption at rest
- Files remain in storage until you delete them or close your account
- No backups created - files exist only in primary storage
Data Retention:
- ✅ Files kept until you delete them OR account deletion (whichever comes first)
- ✅ Immediate deletion - Files deleted from storage instantly upon request
- ⚠️ No recovery - Deleted files cannot be recovered (no backups)
Access Control:
- ⚠️ Flowframe can technically access encrypted files (we are a Data Processor)
- ✅ Access is strictly limited to authorized personnel for support/maintenance only
- ✅ No routine access to file contents
- ✅ Access logged and monitored
1.6 AI Query Data (Planned Q2 2026 - Temporarily Processed, Not Stored Long-Term)
When you use AI natural language queries (launching Q2 2026):
What Gets Sent to AI Provider (Google Gemini):
- ✅ Your natural language question (e.g., "Show customers with revenue > $10k")
- ✅ Table metadata and column descriptions
- ✅ Schema information (table names, column names, data types)
What AI Does NOT See:
- ❌ Your actual business data (customer records, transactions, revenue numbers)
- ❌ Query results or data values
- ❌ Database credentials
- ❌ File contents from uploaded files
AI Provider Data Retention: We use Google Gemini with Zero Data Retention (ZDR) agreement:
- ❌ Your prompts are NOT used to train AI models
- ❌ Your data is NOT stored by Google after processing
- ✅ Prompts are processed and immediately discarded
Opt-Out: You can disable AI features at any time in workspace settings.
1.7 What We DO NOT Store
We do NOT store or retain:
- ❌ Query Results - Results pass through servers but are not stored (transient only)
- ❌ Raw Database Contents - We never copy your database data
- ❌ Credit Card Numbers - Handled by Stripe, not stored on our servers
- ❌ Plaintext Passwords - Only bcrypt-hashed passwords stored
- ❌ Backups of Uploaded Files - No backup copies created
2. HOW WE COLLECT DATA
2.1 Information You Provide Directly
You provide information when you:
- Create an account (email, name, password)
- Update account settings (company name, preferences)
- Add team members (names, emails, roles)
- Write SQL queries or metadata descriptions
- Contact customer support (support tickets, emails)
- Provide feedback or feature requests
2.2 Information Collected Automatically
We automatically collect:
- Technical Data: IP address, browser type, OS, device info
- Usage Data: Pages visited, features used, time spent
- Performance Data: Page load times, error rates
- Cookies: See Section 10 for details
Collection Methods:
- Browser cookies
- Log files
- Analytics tools (anonymized where possible)
2.3 Information from Third Parties
We may receive information from:
- Payment Processors (Stripe): Transaction confirmations, payment status (NOT card numbers)
- Social Login (if implemented): Basic profile info if you connect via Google/Microsoft
3. HOW WE USE YOUR DATA
We use your personal data for the following purposes:
3.1 To Provide Our Services (Legal Basis: Performance of Contract)
- ✅ Create and manage your account
- ✅ Process SQL queries and store query text (server-side)
- ✅ Enable real-time collaboration features
- ✅ Provide customer support
- ✅ Process payments and send receipts
- ✅ Send transactional emails (password resets, billing notifications, etc.)
You cannot opt out of this processing if you want to use Flowframe.
3.2 To Improve Our Services (Legal Basis: Legitimate Interests)
- 📊 Analyze usage patterns to improve UX
- 🐛 Fix bugs and technical issues
- ⚡ Optimize performance
- 🚀 Develop new features based on usage data
- 🔬 Conduct research and analytics
You can opt out by disabling analytics in account settings.
3.3 For Marketing (Legal Basis: Consent or Legitimate Interests)
- 📧 Send promotional emails about new features (you can unsubscribe)
- 📰 Send newsletters and product updates
- 📊 Conduct surveys and request feedback
You can opt out:
- Click "Unsubscribe" in any marketing email
- Adjust preferences in account settings
- Email support@flowframe.io to opt out
We do NOT:
- ❌ Sell your email to third parties
- ❌ Send excessive marketing emails (max 1-2 per month)
- ❌ Use your email for third-party advertising
3.4 For Legal Compliance (Legal Basis: Legal Obligation)
- ⚖️ Comply with tax and financial regulations (billing records retained 7 years)
- 📜 Respond to legal requests (subpoenas, court orders)
- 🛡️ Enforce our Terms of Service
- 🚨 Protect against fraud and abuse
- 📋 Comply with data protection laws (GDPR, CCPA)
We may process without your consent when required by law.
3.5 With Your Consent
- Any processing that requires explicit consent
- You can withdraw consent at any time
4. OUR DUAL ARCHITECTURE (PRIVACY BY DESIGN)
4.1 How Flowframe's Architecture Protects Your Privacy
Flowframe uses two distinct data processing architectures depending on your data source:
Architecture 1: Cloud Database Connections
Traditional Analytics Platform:
- You upload entire database → Their servers
- All queries execute → On their servers
- Results sent back → To your browser
Flowframe's Cloud Database Architecture:
- You connect database → Stays in your control (not copied to Flowframe)
- Queries routed → Through Flowframe servers (for security and connection management)
- Results transmitted → Directly to your browser (NOT stored on servers)
- Results cached → In your browser only
Why Through Our Servers:
- ✅ Enhanced security and connection management
- ✅ Firewall compatibility (easier to whitelist Flowframe IPs)
- ✅ Connection pooling for team collaboration
- ✅ Secure credential management and rotation
Privacy Protection:
- ⚠️ Query results pass through our servers (transient, not stored)
- ✅ Results NOT stored on our servers (immediately transmitted to browser)
- ✅ Your database contents never copied to Flowframe
- ✅ Results cached only in your browser
Architecture 2: File Uploads
Flowframe's File Upload Architecture:
- You upload files (CSV, Parquet, JSON) → Processed client-side with DuckDB WASM first
- Encrypted file contents → Stored in DigitalOcean Spaces (AES-256 encryption)
- Queries on files → Execute client-side in your browser (DuckDB WASM)
- Results displayed → Never leave your browser
- Files persist → Until you delete them or close your account
Privacy Trade-offs:
- ✅ Client-side processing: File analysis happens in your browser
- ⚠️ Flowframe has access: We store encrypted files (as Data Processor under GDPR)
- ✅ Encrypted storage: AES-256 server-side encryption at rest
- ✅ Immediate deletion: Files deleted instantly when you request removal
- ⚠️ No backups: Deleted files cannot be recovered
4.2 What This Means for Your Privacy
Data Minimization by Design:
For Cloud Databases:
- ✅ Your database contents never copied to Flowframe servers
- ✅ Query results transient on our servers (not stored, immediately transmitted)
- ✅ Results cached only in your browser
- ✅ Database credentials encrypted end-to-end
- ⚠️ Results pass through our servers (necessary for secure connection management)
For File Uploads:
- ✅ Files processed client-side before upload
- ⚠️ Encrypted files stored on Flowframe servers (DigitalOcean Spaces)
- ✅ File queries execute client-side in your browser (DuckDB WASM)
- ✅ Query results never leave your browser
- ✅ Immediate deletion when you request it (no recovery period)
Benefits:
- 🔒 Enhanced Privacy: Database query results not stored, files encrypted
- ⚡ Faster Performance: Client-side file processing with DuckDB WASM
- 🔐 Strong Encryption: TLS 1.3 in transit, AES-256 at rest
- 🗑️ Your Control: Delete files instantly, no backup retention
Transparency:
- ⚠️ We are transparent that we CAN access encrypted uploaded files (as Data Processor)
- ✅ Access strictly limited to authorized personnel for support/maintenance
- ✅ All access logged and monitored
- ✅ No routine access to file contents
4.3 What We Do Store Server-Side
For all data sources, we store:
- ✅ SQL query text (e.g.,
SELECT * FROM customers WHERE revenue > 10000) - ❌ NOT query results (e.g., actual customer names, revenue numbers)
- ✅ Metadata descriptions (e.g., "revenue = Annual Recurring Revenue in USD")
- ✅ Project configurations (canvas layout, chart settings)
- ✅ Real-time collaboration state (Yjs CRDT documents)
- ✅ Database credentials (encrypted)
- ✅ Uploaded file contents (encrypted in DigitalOcean Spaces)
This enables:
- ✅ Version history and rollback
- ✅ Real-time collaboration (multiple users editing simultaneously)
- ✅ AI query generation (when launched Q2 2026 - uses metadata, not data)
- ✅ Sharing projects with teammates
- ✅ File persistence across sessions
You control what gets shared:
- Public sharing is opt-in
- You can delete queries, files, and metadata anytime
- Deleting your account deletes all server-side data (immediate for active systems, 30 days for backups)
- Exception: Billing records retained 7 years (legal requirement)
5. HOW WE SHARE YOUR DATA
5.1 We Do NOT Sell Your Data
Flowframe does NOT sell your personal data to third parties. Period.
5.2 Service Providers (Data Processors)
We share data with trusted service providers who process data on our behalf:
| Service Provider | Purpose | Location | Data Shared | Safeguards |
|---|---|---|---|---|
| DigitalOcean | Infrastructure hosting + file storage (Spaces) | UK (London) | All platform data (account info, collaboration state, metadata, uploaded files encrypted) | SOC 2, ISO 27001, GDPR DPA |
| Stripe | Payment processing | USA | Billing name, email, payment info | PCI DSS Level 1, SOC 2, SCCs |
| Google Gemini (Q2 2026) | AI query generation | USA | Metadata and questions (NOT actual data or files) | Zero Data Retention, SCCs |
All service providers are contractually required to:
- ✅ Process data only on our instructions
- ✅ Implement appropriate security measures
- ✅ Comply with GDPR and data protection laws
- ✅ Use Standard Contractual Clauses for international transfers
Full sub-processor list: Available upon request at support@flowframe.io
5.3 Legal Disclosures
We may disclose your data if required by law:
- ⚖️ In response to court orders, subpoenas, or legal process
- 📋 To comply with regulatory investigations
- 🛡️ To protect our rights, property, or safety
- 🚨 To prevent fraud, abuse, or security threats
When legally permitted, we will:
- Notify you before disclosing data
- Limit disclosure to minimum necessary
- Challenge overbroad or improper requests
5.4 Business Transfers
If Flowframe undergoes a merger, acquisition, or sale of assets:
- Your personal data may be transferred to the successor entity
- You will be notified via email
- The successor will be bound by this Privacy Policy (or you'll be asked to accept a new policy)
5.5 Public Sharing (When You Choose to Share)
If you choose to share a project publicly:
- Anyone with the link can view the shared project
- Shared projects include: queries, visualizations, and results you explicitly chose to include
- You control what data is included in shared projects
- You can unshare projects at any time
- Shared projects may appear in search engines
We recommend:
- Anonymize or redact sensitive data before public sharing
- Review shared projects regularly
- Use private sharing for sensitive analyses
5.6 With Your Consent
We may share data with third parties if you explicitly consent (e.g., integrations you authorize).
6. INTERNATIONAL DATA TRANSFERS
6.1 Primary Data Location
Your data is hosted in the European Union (London, United Kingdom):
- Data Center: DigitalOcean London (LON1) and DigitalOcean Spaces (London)
- Compliance: GDPR-compliant, ISO 27001, SOC 2 certified
- Uploaded Files: No backups created (immediate deletion upon request)
Benefits for EU/UK customers:
- ✅ Data remains within EU/UK jurisdiction
- ✅ Subject to GDPR protections
- ✅ No international transfers (for data stored with DigitalOcean)
6.2 Transfers to Third Countries
Some service providers operate outside the EU/UK:
Stripe (USA) - Payment Processing:
- Safeguards: Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework
- Data Transferred: Billing name, email, payment info
- Compliance: PCI DSS Level 1, GDPR-compliant
Google Gemini (USA, planned Q2 2026) - AI:
- Safeguards: Standard Contractual Clauses, Zero Data Retention
- Data Transferred: Metadata and questions only (NOT your actual data)
- Compliance: GDPR-compliant, data not stored after processing
6.3 Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, we use EU Commission-approved Standard Contractual Clauses (Decision 2021/914/EU).
What SCCs Do:
- Provide legally binding data protection obligations
- Ensure adequate level of protection for your data
- Give you enforceable rights and remedies
Full SCCs: Available upon request at support@flowframe.io
6.4 Supplementary Measures
In addition to SCCs, we implement:
- 🔒 Encryption: TLS 1.3 in transit, AES-256 at rest
- 🔑 Access Controls: Strong authentication and authorization
- 📉 Data Minimization: Only necessary data transferred
- 📜 Contractual Protections: Data Processing Agreements with all sub-processors
7. DATA RETENTION
7.1 Active Accounts
We retain your data as long as your account is active.
You can delete individual projects, team members, or data at any time via the platform.
7.2 Account Deletion
When you delete your account:
| Timeframe | What Happens |
|---|---|
| Day 0 (Immediate) | Account credentials, projects, metadata, uploaded files deleted from active systems |
| Days 1-30 | Account data remains in encrypted backups (disaster recovery) - excludes uploaded files |
| Day 31 | Permanent deletion of account data from all backups (cryptographic erasure) |
| 7 Years | Billing records retained (legal requirement for tax compliance) |
| Indefinite | Anonymized analytics (cannot be linked back to you) |
Important: Uploaded files (CSV, Parquet, JSON) are deleted immediately from DigitalOcean Spaces with no backup copies. Once deleted, they cannot be recovered.
How to Delete Account:
- Go to Account Settings → Delete Account
- Confirm deletion (irreversible)
- Receive email confirmation
- Data deleted per schedule above
Alternative: Email support@flowframe.io with "Delete Account" request
7.3 Immediate File Deletion
Uploaded files (CSV, Parquet, JSON) are already deleted immediately with no backup retention:
- Delete files via platform: Files removed from DigitalOcean Spaces instantly
- Delete account: Uploaded files removed instantly (Day 0)
- No recovery possible: Once deleted, files cannot be recovered
For other data types (account data, queries, metadata): If you need immediate deletion from backups (e.g., highly sensitive metadata):
- Email support@flowframe.io with subject "Immediate Data Deletion Request"
- We will manually purge data from backups within 5 business days
- Confirmation provided
7.4 Retention Schedule Summary
| Data Category | Active Account | After Deletion | Legal Retention | Final Deletion |
|---|---|---|---|---|
| Account credentials | Retained | Day 0 | None | Day 0 |
| Uploaded files (CSV, Parquet, JSON) | Retained | Day 0 (no backups) | None | Day 0 (immediate) |
| Projects, queries, metadata | Retained | Day 0 (active), Day 31 (backups) | None | Day 31 |
| Collaboration data | Retained | Day 0 (active), Day 31 (backups) | None | Day 31 |
| Database credentials | Retained | Day 0 (active), Day 31 (backups) | None | Day 31 |
| Usage analytics (identifiable) | Retained | Day 31 | None | Day 31 |
| Billing records | Retained | Retained 7 years | 7 years | Year 7 |
| Anonymized analytics | Retained | Retained indefinitely | N/A | Never (not personal data) |
8. YOUR PRIVACY RIGHTS
8.1 Rights Under GDPR (EU/UK Residents)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
8.1.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you.
How to Exercise:
- Email: support@flowframe.io with subject "Data Access Request"
Response Time: Within 1 month (extendable to 3 months for complex requests)
What You'll Receive:
- Complete export in JSON format
- Information about processing purposes, legal basis, retention periods
- Information about third-party recipients
8.1.2 Right to Rectification (Article 16)
Correct inaccurate or incomplete personal data.
How to Exercise:
- Email: support@flowframe.io with corrections
Response Time: Within 1 month
8.1.3 Right to Erasure / Right to be Forgotten (Article 17)
Request deletion of your personal data in certain circumstances.
How to Exercise:
- Self-service: Account Settings → Delete Account
- Email: support@flowframe.io with subject "Data Erasure Request"
Response Time: Within 1 month (immediate deletion from active systems, 30-day backup retention)
Limitations: We may retain data if:
- Required by law (e.g., billing records for 7 years)
- Necessary for legal claims
8.1.4 Right to Restrict Processing (Article 18)
Limit how we use your data while we verify accuracy or assess your objection.
How to Exercise: Email support@flowframe.io with specific restriction request
Response Time: Within 1 month
8.1.5 Right to Data Portability (Article 20)
Receive your personal data in a machine-readable format (JSON, CSV).
How to Exercise:
- Email: support@flowframe.io with subject "Data Portability Request"
Response Time: Within 1 month
Format: JSON (easily importable into other systems)
8.1.6 Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
How to Exercise:
- Marketing: Click "Unsubscribe" in emails or adjust preferences in Account Settings
- Other Processing: Email support@flowframe.io with grounds for objection
Response Time:
- Marketing: Immediate
- Other processing: Within 1 month
8.1.7 Right to Withdraw Consent
If processing is based on consent, you can withdraw it at any time.
How to Exercise: Email support@flowframe.io or adjust settings in account
Effect: Withdrawal does not affect lawfulness of processing before withdrawal.
8.1.8 Right to Lodge a Complaint
Complain to your local data protection authority if you believe we've violated data protection laws.
UK Customers: Information Commissioner's Office (ICO) - https://ico.org.uk EU Customers: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en
We encourage you to contact us first so we can try to resolve your concern.
8.2 How to Exercise Your Rights
Email: support@flowframe.io Subject Line: [Type of Request] - e.g., "Data Access Request", "Data Erasure Request" Response Time: Within 1 month (extendable to 3 months for complex requests) Verification: We may ask for verification to prevent fraudulent requests No Fee: First request is free (manifestly unfounded/excessive requests may incur fee)
9. SECURITY MEASURES
We implement comprehensive technical and organizational measures to protect your data:
9.1 Technical Security Measures
Encryption:
- ✅ TLS 1.3 encryption for all data in transit
- ✅ AES-256 encryption for data at rest
- ✅ Bcrypt password hashing (12 rounds + salt)
- ✅ Encrypted backups
- ✅ Certificate pinning for API requests
Access Controls:
- ✅ Role-based access control (RBAC) for workspaces
- ✅ Multi-factor authentication (MFA) required for admin accounts
- ✅ Session timeout after 24 hours inactivity
- ✅ Account lockout after 5 failed login attempts
Network Security:
- ✅ VPC isolation: Database servers in private network (no public internet access)
- ✅ Firewall rules: Strict ingress/egress policies
- ✅ DDoS protection via DigitalOcean Cloud Firewall
- ✅ Web Application Firewall (WAF) for OWASP Top 10 protection
Client-Side Security:
- ✅ Database credentials encrypted in browser local storage
- ✅ Query execution happens client-side (your data never sent to servers)
- ✅ Secure WebSocket connections for real-time collaboration
9.2 Organizational Security Measures
Personnel:
- ✅ Background checks for employees with data access
- ✅ Confidentiality agreements signed by all employees and contractors
- ✅ Security training: Annual mandatory GDPR and security awareness training
- ✅ Principle of least privilege: Access granted only as needed
Policies and Procedures:
- ✅ Incident response plan: 72-hour breach notification
- ✅ Data retention policy: Documented retention schedules
- ✅ Vendor management: Security assessments for all sub-processors
- ✅ Change management: Secure development lifecycle
Monitoring:
- ✅ 24/7 automated monitoring for security events
- ✅ Real-time alerts for suspicious activity
- ✅ Log analysis for threat detection
- ✅ Regular security audits
9.3 Vulnerability Management
- ✅ Automated dependency scanning for known vulnerabilities
- ✅ Security patches applied within 7 days for critical issues
- ✅ Penetration testing: Annual third-party testing (starting Q2 2026)
- ✅ Bug bounty program: Planned launch Q2 2026
9.4 No Absolute Security
While we implement strong security measures, no system is 100% secure.
We cannot guarantee absolute security against all threats. If you become aware of a security vulnerability, please report it to support@flowframe.io.
9.5 Data Breach Notification
If a breach occurs that is likely to result in high risk to your rights:
- ✅ We will notify you within 72 hours of becoming aware
- ✅ We will inform you of:
- Nature of the breach
- Likely consequences
- Measures taken to address the breach
- Measures you can take to protect yourself
- ✅ We will notify supervisory authorities as required by GDPR
10. COOKIES AND TRACKING
10.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help websites remember your preferences and track usage.
10.2 Cookies We Use
Essential Cookies (Always Active)
Purpose: Necessary for the Service to function
| Cookie Name | Purpose | Duration |
|---|---|---|
session_id | Maintains your login session | Session (ends when browser closes) |
csrf_token | Protects against cross-site request forgery attacks | Session |
You cannot disable essential cookies if you want to use Flowframe.
Analytics Cookies (Requires Consent)
Purpose: Help us understand how you use Flowframe
| Cookie Name | Purpose | Duration | Provider |
|---|---|---|---|
_analytics_id | Distinguishes unique users | 1 year | Flowframe (first-party) |
You can disable analytics cookies in Account Settings or browser settings.
No Marketing Cookies (Currently)
We do NOT currently use third-party marketing or advertising cookies.
If we introduce marketing cookies in the future, we will:
- Obtain your consent before setting them
- Update this Privacy Policy with 30 days notice
- Allow you to opt out easily
10.3 Cookie Consent
Upon first visit, you will see a cookie consent banner:
- Accept All: Enables all cookies (essential + analytics)
- Reject All: Only essential cookies
- Cookie Settings: Choose which categories to enable
Change preferences anytime:
- Footer: "Cookie Settings" link
- Account Settings: Cookie Preferences
10.4 Do Not Track (DNT)
We honor Do Not Track (DNT) browser signals:
- If DNT is enabled, we will NOT set analytics cookies
- Essential cookies still set (required for functionality)
How to Enable DNT:
- Chrome: Settings → Privacy → Send "Do Not Track" request
- Firefox: Preferences → Privacy → Do Not Track
- Safari: Preferences → Privacy → Website Tracking
10.5 Third-Party Cookies
We do NOT use third-party advertising or tracking cookies.
Third-party services we use (Stripe, DigitalOcean) may set their own cookies, governed by their privacy policies.
10.6 Cookie Policy
For detailed information about cookies, see our Cookie Policy: https://flowframe.io/cookie-policy
11. CHILDREN'S PRIVACY
Flowframe is not intended for children under 16 years old.
We do not knowingly collect personal data from children under 16.
If you are a parent or guardian and believe your child has provided us with personal data:
- Contact us immediately at support@flowframe.io
- We will delete the data promptly (within 10 business days)
If you are under 16: Please do not use Flowframe or provide any personal data.
12. CALIFORNIA PRIVACY RIGHTS (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
12.1 Your California Rights
Right to Know
Request information about:
- Categories of personal data collected
- Sources of personal data
- Business or commercial purposes for collection
- Categories of third parties with whom we share data
- Specific pieces of personal data we hold about you
How to Exercise: Email support@flowframe.io with subject "CCPA Right to Know Request"
Right to Delete
Request deletion of your personal data (subject to exceptions).
How to Exercise: Email support@flowframe.io with subject "CCPA Right to Delete Request"
Right to Opt-Out of Sale
We do NOT sell your personal data. No opt-out needed.
Right to Non-Discrimination
We will NOT discriminate against you for exercising your CCPA rights.
12.2 What We Do NOT Do
Flowframe does NOT:
- ❌ Sell your personal information
- ❌ Share your data for cross-context behavioral advertising
- ❌ Process sensitive personal information beyond what's necessary
- ❌ Collect data from minors under 16 without consent
12.3 Categories of Data Collected (Past 12 Months)
| Category | Examples | Collected? | Shared? |
|---|---|---|---|
| Identifiers | Email, name, IP address | ✅ Yes | Yes (to sub-processors) |
| Commercial information | Billing records, subscription info | ✅ Yes | Yes (Stripe for payment) |
| Internet/network activity | Pages visited, features used | ✅ Yes | No |
| Geolocation data | IP-based location (city/country) | ✅ Yes | No |
| Professional information | Company name, job title | ✅ Yes (if provided) | No |
| Sensitive personal information | Passwords (hashed), payment info (via Stripe) | ✅ Yes | Yes (Stripe only) |
12.4 How to Exercise California Rights
Email: support@flowframe.io Subject Line: "CCPA [Type of Request]" Response Time: Within 45 days (extendable to 90 days for complex requests) Verification: We may ask for verification to prevent fraudulent requests No Fee: Free of charge (up to 2 requests per 12 months)
13. CHANGES TO THIS PRIVACY POLICY
13.1 How We Update This Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- New features or services
- Changes in data protection laws
- User feedback
13.2 Notification of Changes
For material changes, we will:
- ✅ Update the "Last Updated" date at the top
- ✅ Send email notification to your registered email address
- ✅ Display a prominent notice on our website
- ✅ Require acceptance for significant changes (e.g., checkbox next login)
For minor changes (typos, clarifications):
- Update the policy and "Last Updated" date
- No email notification
13.3 Material Changes
Examples of material changes:
- Introducing new data collection practices
- Sharing data with new third parties
- Changing retention periods significantly
- Reducing your rights
You will have 30 days to review changes before they take effect.
13.4 Your Acceptance
Continued use of Flowframe after changes take effect constitutes acceptance.
If you disagree with changes:
- Stop using Flowframe
- Delete your account before changes take effect
- Contact us to discuss concerns
13.5 Version History
Previous versions of this Privacy Policy are available upon request at support@flowframe.io.
14. CONTACT US
14.1 Privacy Questions
For questions about this Privacy Policy or how we handle your data:
Email: support@flowframe.io (or privacy@flowframe.io when set up) Response Time: Within 5 business days for privacy inquiries, 30 days for Data Subject Rights requests
14.2 Data Protection Officer
DPO Contact: support@flowframe.io Role: Oversees data protection compliance and handles privacy inquiries
14.3 EU Representative
EU Representative (if applicable): [To be appointed if significant EU customer base]
14.4 Supervisory Authority
If you are not satisfied with our response, you may lodge a complaint with your supervisory authority:
UK: Information Commissioner's Office (ICO) - https://ico.org.uk EU: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en
SUMMARY
Key Takeaways:
- ✅ We do NOT sell your data
- ✅ Dual architecture: Cloud DB query results transient (not stored), files encrypted at rest
- ✅ You own your data and can export or delete it anytime
- ✅ We comply with GDPR, CCPA, and other data protection laws
- ✅ Enterprise-grade security measures protect your data (TLS 1.3, AES-256)
- ✅ You have comprehensive privacy rights
- ✅ Immediate file deletion with no backup retention
Questions? Contact us at support@flowframe.io
Last Updated: January 10, 2026 Version: 1.0 Effective Date: January 10, 2026
By using Flowframe, you acknowledge that you have read, understood, and agree to this Privacy Policy.
END OF PRIVACY POLICY
Questions about this document?
Contact us at support@flowframe.io