Privacy Policy

1. Scope

This Policy covers personal information processed when you visit flowix web properties, create an Account, configure AI Agents, chat in the dashboard, connect third-party apps, use flowix Teams, fund your Wallet, or interact with our APIs.

It does not cover third-party websites, apps, or services you connect to flowix—those providers have their own privacy policies. This Policy also does not apply to information we process solely as a processor on behalf of enterprise customers under a separate data processing agreement.

2. Data controller

flowix is the controller of personal information described in this Policy for standard consumer and business use of the Service. Contact: privacy@flowix.com.

3. Information we collect

3.1 Account & identity

• Email address and password (if you register with email);
• Google account identifier, name, email, and profile picture (if you sign in or sign up with Google);
• Authentication session tokens and account identifiers from our auth provider (Supabase Auth);
• Account preferences and settings (including sky/appearance preferences stored locally or in your profile).

3.2 Agent & dashboard data

• Agent names, system prompts, model selections, allowed URL lists, and permission settings;
• Chat messages and conversation history in the dashboard;
• API keys and agent tokens (stored securely; keys are hashed or encrypted where applicable);
• Usage logs related to agent invocations, tool calls, and browser actions.

3.3 Connected application data

• OAuth tokens, refresh tokens, scopes, and connection metadata for services you link (e.g., Slack, Google Calendar, Discord, GitHub, Notion, Microsoft Teams);
• Account labels and external account IDs associated with Connections;
• Data retrieved or sent through Connections when your Agents perform authorized actions.

3.4 flowix Teams

• First and last name entered when joining a workspace;
• Invite codes and workspace membership records;
• Chat messages sent through flowix Teams;
• Device and app version information for troubleshooting.

3.5 Billing & wallet

• Wallet balance, transaction history, and usage deductions;
• Stripe checkout session identifiers and payment status (we do not store full payment card numbers—Stripe processes payments);
• Billing-related communications.

3.6 Technical & usage data

• IP address, browser type, device information, and operating system;
• Log files, error reports, performance metrics, and security events;
• Pages viewed, features used, and approximate location derived from IP;
• Cookies and similar technologies (see Section 10).

3.7 Communications

• Support requests, emails to us, and feedback you submit;
• Marketing preferences where applicable.

4. Sources of information

We collect information:

• Directly from you when you register, configure Agents, chat, connect apps, pay, or contact support;
• From Google when you choose Google sign-in/sign-up;
• From third-party OAuth providers when you authorize Connections;
• Automatically through cookies, logs, and analytics when you use the Service;
• From subprocessors such as AI model providers and browser automation infrastructure when Agents run.

5. How we use information

We use personal information to:

• Provide, maintain, and improve the Service;
• Authenticate users (email/password and Google OAuth);
• Operate AI Agents, including sending prompts and context to model providers and executing permitted tools;
• Store and retrieve chat history, agent configurations, and Connections;
• Process payments, manage Wallet balances, and prevent fraud;
• Enable flowix Teams invite codes and workspace chat;
• Monitor security, enforce Terms, and detect abuse;
• Communicate about the Service, updates, and support;
• Comply with legal obligations and respond to lawful requests;
• Analyze aggregated, de-identified usage to improve product quality.

Legal bases (EEA/UK). Where GDPR applies, we rely on: performance of a contract; legitimate interests (security, improvement, analytics); consent (where required, e.g., non-essential cookies or marketing); and legal obligation.

6. AI & automated processing

When you interact with Agents, we process your prompts, conversation history, agent configuration, and (where enabled) website content, screenshots, and connection data to generate responses and perform actions.

6.1 Model providers

Prompts and relevant context may be transmitted to third-party large language model providers (such as Anthropic, OpenAI, or other configured providers). Their processing is governed by their terms and privacy policies. We configure integrations to minimize unnecessary data sharing, but you should not submit sensitive personal data you are not authorized to share.

6.2 Browser automation

When Agents browse allowed URLs, we may use browser automation infrastructure (such as Browserbase) to render pages, capture screenshots, and execute clicks or typing within permission boundaries. Page content processed in this way may temporarily reside on subprocessors’ systems.

6.3 Automated decision-making

Agents may take actions you authorize (e.g., sending a message). We do not use fully automated decision-making that produces legal or similarly significant effects about you without human involvement, except as part of features you explicitly configure and trigger.

7. Connected services

When you connect Slack, Google Calendar, Discord, GitHub, Notion, Microsoft Teams, or other integrations, we store OAuth credentials and use them only to provide features you enable. Disconnecting removes our ability to access new data from that Connection; previously processed data may remain in backups for a limited retention period.

Each provider’s data practices apply to data on their platforms. Review their privacy policies before connecting.

8. flowix Teams

Workspace admins control invite codes and associated Agents. We process teammate names, messages, and usage to deliver chat functionality. Admins may access sharing controls and revoke codes from the dashboard. If you join a workspace via invite code, the workspace admin’s organization may see your activity within that Teams context as permitted by product features and applicable agreements.

9. Payments

Payments are processed by Stripe. Stripe collects payment method details directly. We receive confirmation of payment, customer identifiers, and transaction metadata needed for Wallet crediting and accounting. See Stripe’s Privacy Policy.

10. Cookies & local storage

We use cookies, local storage, and similar technologies for:

• Authentication — maintaining signed-in sessions (including after Google OAuth);
• Preferences — e.g., sky appearance and UI settings;
• Security — CSRF protection for OAuth flows;
• Analytics — understanding feature usage (where enabled).

You can control cookies through browser settings. Disabling essential cookies may prevent sign-in. Local storage keys may include flowix_sky_settings and similar product preferences.

11. How we share information

We do not sell your personal information. We may share information with:

• Service providers — hosting (Supabase/cloud infrastructure), authentication, AI inference, browser automation, email, analytics, and payment processing, under contractual confidentiality and security obligations;
• Connected platforms — when your Agents perform actions you request on those platforms;
• Other users — when you share Agents via flowix Teams or collaborate through product features;
• Legal & safety — to comply with law, enforce Terms, or protect rights, safety, and security;
• Business transfers — in connection with merger, acquisition, or asset sale, with notice where required.

We may share aggregated or de-identified information that cannot reasonably identify you.

12. Data retention

We retain personal information as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Typical retention includes:

• Account data — until you delete your Account, plus a reasonable backup period;
• Chat history — until you delete conversations or your Account, subject to product limits;
• OAuth tokens — until you disconnect or tokens expire;
• Transaction records — as required for tax, accounting, and fraud prevention;
• Security logs — for a limited period appropriate to investigation needs.

Request deletion at privacy@flowix.com. Some data may persist in backups until overwritten.

13. Security

We implement technical and organizational measures including encryption in transit (TLS), access controls, row-level security on user data in our database, hashed or encrypted secrets where applicable, and monitoring for abuse. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

Report security issues to security@flowix.com.

14. International transfers

We may process information in the United States and other countries where we or our providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses for transfers from the EEA, UK, or Switzerland.

15. Your privacy rights

Depending on your location, you may have the right to:

• Access personal information we hold about you;
• Correct inaccurate data;
• Delete your data (subject to legal exceptions);
• Export your data in a portable format;
• Object to or restrict certain processing;
• Withdraw consent where processing is consent-based;
• Lodge a complaint with a supervisory authority.

Submit requests to privacy@flowix.com. We may verify your identity before responding. We will respond within timelines required by applicable law.

16. Children’s privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, contact us and we will delete it promptly.

17. California residents (CCPA/CPRA)

California residents may have additional rights including knowing categories of personal information collected, sources, purposes, and recipients; deleting personal information; correcting inaccurate information; and opting out of “sale” or “sharing” for cross-context behavioral advertising. We do not sell personal information as defined by California law.

To exercise rights, email privacy@flowix.com with “California Privacy Request” in the subject. We will not discriminate against you for exercising privacy rights.

18. EEA, UK & Switzerland

Where GDPR applies, flowix is the controller unless otherwise stated. Our legal bases are described in Section 5. You may contact your local data protection authority. For international transfers, we rely on adequacy decisions or Standard Contractual Clauses as applicable.

19. Policy changes

We may update this Privacy Policy from time to time. We will post the updated Policy with a new effective date and provide additional notice for material changes where required. Continued use after changes take effect constitutes acceptance.

20. Contact us

• Privacy: privacy@flowix.com
• Support: support@flowix.com
• Security: security@flowix.com