Privacy Policy

1. Introduction

Welcome to Flowcrest ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our visual programming platform and related services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address – Required for account creation and authentication
• Password – Stored as a cryptographic hash (bcrypt), never in plain text
• Username – Optional, for profile customization
• Profile picture – Optional, stored as a URL reference

2.2 Project and Workflow Data

We store your created content, including:

• Project names and descriptions
• Canvas data – Your node configurations, connections, and workflow designs
• Node count and project metadata

Note: Your project data is your intellectual property. We do not access, use, or share it except as necessary to provide the Service or as required by law.

2.3 Usage and Technical Data

We automatically collect certain information when you use our Service:

• IP address – Used temporarily for rate limiting and fraud prevention
• Browser type and version
• Device information
• Access times and dates
• Pages viewed and actions taken

2.4 Payment Information

Payment processing is handled by Stripe. We do not store your credit card information on our servers. We only store:

• Stripe Customer ID - Links your account to your Stripe customer record
• Subscription status - Active, canceled, past_due, etc.
• Subscription plan details - Plan type, billing period

2.5 Communications

If you contact us or subscribe to our newsletter, we collect:

• Email address
• Message content
• Consent timestamp

3. How We Use Your Information

We use the information we collect for the following purposes:

• Account Management - Create and maintain your account, authenticate you
• Service Provision - Provide, operate, and maintain our Service
• Billing and Payments - Process subscriptions and payments via Stripe
• Communication - Send transactional emails (account confirmation, password reset, billing notifications)
• Security - Detect and prevent fraud, abuse, and security incidents
• Compliance - Comply with legal obligations and enforce our Terms of Service
• Service Improvement - Analyze usage patterns to improve our Service (aggregated, anonymized data only)

We do NOT:

• Sell your personal information to third parties
• Use your project data for any purpose other than providing the Service to you
• Send marketing emails without your explicit consent
• Share your data with advertisers

4. Data Sharing and Third Parties

We share your information with the following third-party service providers who help us operate our Service:

We may also disclose your information:

• To comply with legal obligations (court orders, subpoenas)
• To protect our rights, property, or safety, or that of our users
• In connection with a merger, acquisition, or sale of assets (with notice to you)

5. Your Rights (GDPR Compliance)

If you are a resident of the European Economic Area (EEA), you have the following data protection rights:

To exercise any of these rights, please contact us at: info.flowcrest@gmail.com

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.2+
• Encryption at Rest: All data stored in our database is encrypted at rest by Supabase
• Password Hashing: Passwords are hashed using bcrypt with salt
• Row-Level Security (RLS): Database policies ensure users can only access their own data
• Secure Authentication: HttpOnly cookies, CSRF protection, session management
• Rate Limiting: Protection against brute force attacks
• Regular Security Audits: We conduct regular security reviews and updates

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

7. Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

• Active Accounts: All data is retained indefinitely until you delete your account
• Deleted Accounts: User data is immediately deleted from our active database via cascading deletion
• Database Backups: Deleted data may persist in backups for up to 30 days (Supabase retention policy)
• Third-Party Retention:
  • Stripe: Retains payment history per their policy (typically 7 years for compliance)
  • Mailgun: Retains email logs per their policy (typically 30 days)
• Legal Holds: We may retain data longer if required by law or legal proceedings

8. Cookies and Tracking

We use cookies and similar tracking technologies to provide and improve our Service. For detailed information, please see our Cookie Policy.

Essential Cookies: Required for authentication and core functionality (cannot be disabled)

• Supabase authentication tokens (HttpOnly, Secure)

Functional Cookies: Remember your preferences (optional)

• UI preferences and settings

Third-Party Cookies:

• Google reCAPTCHA (bot protection)
• Stripe (payment processing)

You can manage cookie preferences through our cookie consent banner or your browser settings.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those of your country. For certain service providers we are able to choose a data‐center region; however, in some cases data may also be processed in regions outside the EU/EEA. We ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses approved by the European Commission) to protect your data in accordance with the General Data Protection Regulation (GDPR) requirements.

10. Children's Privacy

Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we become aware that we have collected personal information from children under 18 without verification of parental consent, we will take steps to remove that information from our servers.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by:

• Updating the "Last Updated" date at the top of this Privacy Policy
• Sending you an email notification (for material changes)
• Displaying a prominent notice on our Service

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days.

13. GDPR Supervisory Authority

If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.