Last Updated: October 26, 2025

Flowlytics is committed to protecting your privacy and ensuring that your personal data is handled with transparency, security, and compliance. This Privacy Policy explains how we collect, process, store, and safeguard your information when you use our services. It applies globally and is designed to meet GDPR and other international privacy standards.

You retain full ownership of your research data.

1. Local First Architecture
Flowlytics uses a Local First model by default for users who do not enable cloud syncing.

Local Storage
If you use Flowlytics without logging in or if you are on the Starter plan without sync enabled, your project data is stored only in your browser’s IndexedDB. Flowlytics has no technical ability to access this data.

Cloud Sync (Optional)
If you enable Cloud Sync through the Pro or Team plan, your data is encrypted and stored in Google Cloud Firestore through Firebase. The purpose is to enable secure syncing across devices.

2. Artificial Intelligence and Data Usage
Flowlytics uses Large Language Models through the Google Gemini API to generate insights.

No Training Use
Your data is not used to train AI models. Information sent to the API is processed only for generating responses and is not retained by model providers.

Ephemeral Processing
LLM inputs are processed in real time and are not stored by Flowlytics beyond what is required to deliver the requested output.

3. Information We Collect
3.1 Account Information
If you create an account, we collect your name and email address through Google Authentication or email sign-up.

3.2 Usage Data
We collect anonymous telemetry such as feature usage counts to help improve system reliability and performance. We do not log, inspect, or store the content of your research or analysis outputs.

3.3 Payment Information
All payments are processed by Stripe. Flowlytics does not see or store full credit card information.

3.4 Cookies and Local Data
Flowlytics uses browser storage technologies such as local storage and IndexedDB to operate the application. These are required for core functionality. You can clear them at any time through your browser settings.

4. Legal Bases for Processing (GDPR)
For users in the European Economic Area and the United Kingdom, Flowlytics processes personal data under the following legal bases: Contract: To provide access to the Flowlytics platform.
Consent: For optional features such as marketing communications or cloud syncing.
Legitimate Interest: For product analytics, security monitoring, and service improvement. These activities do not involve collecting research content.
Legal Obligation: To comply with tax, accounting, or regulatory requirements when applicable.

5. Third Party Subprocessors
Flowlytics uses trusted service providers to deliver parts of the platform: Google Cloud and Firebase: Hosting, databases, authentication, and optional cloud sync.
Google Gemini API: Processing and generating AI insights.
Stripe: Secure payment processing.
All subprocessors operate under agreements that require strong privacy and security practices.

6. International Data Transfers
Your data may be stored or processed in regions outside your home country. When transferring data from the EEA or UK to other regions, we rely on: Standard Contractual Clauses approved by the European Commission
Equivalent legal safeguards where required
These safeguards ensure your data continues to receive an adequate level of protection.

7. Data Retention
Data stored only in your browser remains until you delete it.
Cloud-synced data is retained while your account is active.
When you delete your account, cloud-stored data is permanently removed.
Backup systems may retain encrypted copies for up to 30 days before automated deletion.

8. Security Measures
Flowlytics uses industry-standard security practices, including: Encryption in transit and at rest
Role-based access controls
Regular monitoring for unauthorised access
Least privilege access for engineering staff
We work continuously to protect your data from unauthorised access, alteration, or loss.

9. Your Rights
If you are in the EEA, UK, or in regions with similar protections, you have the following rights: Right to access your personal data
Right to correct inaccurate information
Right to delete your data
Right to data portability
Right to restrict or object to processing
Right to withdraw consent at any time
You can export your entire workspace as a JSON file through the Settings menu. To request account deletion or exercise any other rights, contact us using the details below.

10. Data Breach Notification
If a data breach occurs that affects your personal data, Flowlytics will notify you without undue delay and provide information required under applicable law.

11. Age Restrictions
Flowlytics is not intended for individuals under the age of 13. Users in the EEA and UK must be at least 16 unless parental consent is provided.

12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Updates will be reflected by the date at the top of the policy. In cases of material changes, we may provide additional notice through email or in-up.