← Back to FlowstateFlowstate

Privacy Policy

Disclaimer: This is a template draft for review purposes only. It is not legal advice. Consult a qualified attorney in your jurisdiction before publishing or relying on this policy.

Effective date: [EFFECTIVE DATE]


Operator information

Data controller [OPERATOR LEGAL NAME]
Trade name Flowstate
Status Operated by [OPERATOR LEGAL NAME] as an individual / sole proprietor, pending formal company registration
Registered address [REGISTERED ADDRESS]
Privacy contact [PRIVACY EMAIL]
General contact [CONTACT EMAIL]
Grievance officer (India) [GRIEVANCE OFFICER NAME] — [GRIEVANCE OFFICER EMAIL]
Website [WEBSITE URL]

1. Introduction

This Privacy Policy explains how [OPERATOR LEGAL NAME] ("we", "us", or "our") collects, uses, shares, and protects personal information when you use Flowstate (the "Service") at [WEBSITE URL] and related applications.

We are committed to handling your information responsibly. Please read this policy carefully. By using the Service, you acknowledge that you have read this Privacy Policy.

If you do not agree with our practices, do not use the Service.


2. Scope

This policy applies to:

  • The Flowstate web application
  • Account sign-in and authentication
  • Cloud storage and synchronization of your canvases
  • AI-assisted features
  • Collaboration features
  • Optional Google Workspace integration
  • Feedback and support channels we operate

This policy does not apply to third-party websites, services, or AI providers' own privacy practices. We encourage you to review their policies separately.


3. Information we collect

3.1 Account information

When you sign in with Google, we receive and store:

  • Email address
  • Display name
  • Profile photo URL
  • Unique user identifier (from our authentication provider)

This is used to create your profile, identify you in the Service, and enable collaboration features.

3.2 Canvas and content data

We store the content you create and interact with on the Service, including:

  • Questions and AI-generated answers on your canvas
  • Artifacts (tables, maps, charts, code, custom UI, and similar outputs)
  • Canvas layout, connections between cards, and viewport state
  • File attachments you upload (stored in cloud object storage)
  • Token usage metadata associated with AI turns (for service operation and internal analytics)
  • Preferences such as your last active canvas and selected AI model

Note: Conversation content is stored as part of your canvas data in our database. There is no separate "messages" table — your Q&A lives inside your canvas state.

3.3 Collaboration data

If you use collaboration features, we may collect and process:

  • Email addresses you invite to a canvas
  • Collaboration roles (owner, editor, viewer)
  • Invite and share-link status
  • Realtime presence information (display name, avatar, cursor position on the canvas) while you are actively collaborating

3.4 Google Workspace data (optional)

If you connect a Google account, we store:

  • Your connected Google email address
  • OAuth access and refresh tokens (encrypted at rest)
  • Authorized scopes and token expiry

We use this connection only to perform actions you request (such as importing a Google Doc or exporting a table to Sheets). We do not access your Google account beyond the scopes you approve.

3.5 Feedback and support

If you submit feedback or suggestions through the Service, we may collect:

  • Your message
  • Your email (if you are signed in)
  • The page URL you were on
  • Optional screenshot images you attach

Feedback may be stored in our database and, if configured, forwarded to internal tools (such as a spreadsheet or messaging webhook) for review.

3.6 Technical and usage information

We automatically collect certain technical information, including:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referring URLs
  • Dates and times of access
  • Pages and features used

We use Google Analytics to understand how the Service is used. Analytics cookies are used only where permitted by law and, in regions that require it, after you provide consent.

3.7 Local storage on your device

The Service may store backup copies of canvas data in your browser's local storage to help recover work if a save is interrupted. This data remains on your device unless you clear browser storage.

3.8 Information we do not intentionally collect

We do not intentionally collect sensitive categories of personal data (such as health information, government ID numbers, or financial account details) unless you voluntarily include them in your canvas content or attachments.


4. How we use your information

We use personal information to:

Purpose Examples
Provide the Service Authenticate you, save and sync canvases, render collaboration, process AI requests
AI features Send prompts, history, and attachments to AI providers to generate responses
Collaboration Manage invites, roles, share links, and realtime presence
Google integration Import/export content you request via connected Google services
Security Detect abuse, protect accounts, enforce our Terms
Improve the Service Analyze usage patterns, fix bugs, develop features
Support Respond to feedback and inquiries
Legal compliance Comply with law, respond to lawful requests, enforce our Terms

We do not sell your personal information. We do not use your personal information for cross-context behavioral advertising.


5. Legal bases for processing (EU / UK)

If you are in the European Economic Area or United Kingdom, we process personal data on the following legal bases:

Processing Legal basis
Providing the Service you signed up for Performance of a contract (Art. 6(1)(b) GDPR)
Security, fraud prevention, service improvement Legitimate interests (Art. 6(1)(f) GDPR) — balanced against your rights
Google Analytics and non-essential cookies Consent (Art. 6(1)(a) GDPR) where required
Legal obligations Compliance with law (Art. 6(1)(c) GDPR)

You may withdraw consent for analytics at any time without affecting the lawfulness of processing before withdrawal.


6. AI processing and third-party providers

6.1 AI providers

When you use AI features, we send relevant data to third-party AI providers to generate responses. Our primary provider is Anthropic (Claude models). Some features may also use other AI tooling (such as the Cursor Agent SDK for custom UI generation).

Data sent may include your prompts, conversation history, file attachments, artifact context, and fetched page content from URLs in your messages.

Anthropic's privacy policy: https://www.anthropic.com/privacy

You should not submit personal information you are not comfortable sharing with these providers.

6.2 Other service providers (processors)

We use the following categories of service providers who process data on our behalf:

Provider Role Location (typical)
Supabase Authentication, database, file storage, realtime sync US / EU (configurable)
Vercel Application hosting and serverless functions US / global edge
Anthropic AI text and tool processing US
Google Sign-in OAuth, optional Workspace APIs, Maps embeds, Analytics US / global
Giphy GIF search (if you use GIF features) US
OpenStreetMap / Nominatim Map geocoding (travel map artifacts) EU / community-operated
GitHub Repository metadata (if you use repo artifacts) US
Microlink Link preview screenshots (if configured) EU
Slack / Google Sheets Optional feedback forwarding (if configured by operator) US

We require processors to handle data only for the purposes we specify and in accordance with applicable data protection law. Where required, we use standard contractual clauses or equivalent safeguards for international transfers.


7. How we share information

We share personal information only in these circumstances:

7.1 With collaborators you invite

When you share a canvas, collaborators you invite can see User Content on that canvas according to their role.

7.2 With service providers

As described in Section 6, we share data with vendors who help us operate the Service.

7.3 For legal reasons

We may disclose information if we believe it is necessary to:

  • Comply with applicable law, regulation, legal process, or government request
  • Protect the rights, property, or safety of us, our users, or the public
  • Enforce our Terms and Conditions

7.4 Business transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

7.5 With your direction

We share information when you explicitly request an integration or export (e.g. exporting a table to Google Sheets).


8. Cookies and similar technologies

8.1 What we use

Cookie / storage Type Purpose
Supabase auth session Essential Keep you signed in
Google OAuth state cookies Essential Secure Google Workspace connection flow
Google Analytics (_ga, etc.) Analytics Understand site usage
Browser local storage Functional Local canvas backup on your device

8.2 Your choices

  • Essential cookies are required for sign-in and core functionality.
  • Analytics cookies will only be set in jurisdictions that require consent after you accept them (when a cookie banner is implemented).
  • You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.

9. International data transfers

We and our service providers may process your information in the United States, India, the European Union, and other countries where our providers operate.

If you are in the EEA, UK, or India, your data may be transferred to countries that may not provide the same level of data protection as your home country. Where required, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions
  • Other mechanisms recognized under applicable law

Contact [PRIVACY EMAIL] for more information about safeguards we use.


10. Data retention

Data type Retention
Account and profile Until you request account deletion
Canvas content Until you delete the canvas or your account
File attachments Until the parent canvas is deleted
Google connection tokens Until you disconnect or delete your account
Collaboration invites Until accepted, declined, expired, or canvas deleted
Feedback submissions Up to [RETENTION PERIOD — e.g. 2 years] or until no longer needed
Server logs Up to [RETENTION PERIOD — e.g. 90 days]
Analytics data Per Google Analytics default retention settings

We may retain information longer where required by law or for legitimate purposes such as dispute resolution, security, or enforcement of our Terms.

When you delete a canvas, we delete the database record and associated files in cloud storage. Deletion may not be immediate in all backup systems.


11. Your rights and choices

Your rights depend on where you live. We honor applicable rights regardless of where our servers are located.

11.1 All users

You can:

  • Access and update profile information through your Google account and the Service
  • Delete canvases you own through the Service
  • Disconnect Google Workspace through the Service
  • Request account or data deletion by emailing [PRIVACY EMAIL]
  • Opt out of marketing emails — we do not currently send marketing emails; if we do in future, you may unsubscribe

11.2 European Economic Area and United Kingdom (GDPR)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Data portability — receive your data in a structured, machine-readable format where technically feasible
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (for consent-based processing)
  • Lodge a complaint with your local data protection supervisory authority

To exercise these rights, contact [PRIVACY EMAIL]. We will respond within the timeframe required by law (typically one month under GDPR).

11.3 United States — California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete personal information we hold about you (subject to exceptions)
  • Correct inaccurate personal information
  • Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising

We will not discriminate against you for exercising your privacy rights.

To submit a request, email [PRIVACY EMAIL]. We may verify your identity before processing requests.

11.4 India (Digital Personal Data Protection Act, 2023)

If you are in India, you have the right to:

  • Access information about personal data we process about you
  • Correction of inaccurate or misleading personal data
  • Erasure of personal data when it is no longer necessary or consent is withdrawn (subject to legal exceptions)
  • Grievance redressal by contacting our Grievance Officer: [GRIEVANCE OFFICER NAME] at [GRIEVANCE OFFICER EMAIL]. We will acknowledge grievances within [NUMBER] days and resolve them within [NUMBER] days as required by applicable rules.

We process personal data based on your consent or other grounds permitted under the DPDPA. Where consent is the basis, you may withdraw it at any time.

We may transfer personal data outside India to service providers in the United States and other countries. We take reasonable steps to ensure such transfers comply with applicable Indian law.


12. Account deletion and data requests

We do not currently offer a self-serve "delete my account" button. To request deletion of your account and associated personal data, email [PRIVACY EMAIL] from the email address associated with your account.

We will verify your identity and process requests within a reasonable timeframe and as required by applicable law.

Note: Feedback you submitted may be retained even after account deletion (with your user ID removed from the record). Aggregated or de-identified analytics data may also be retained.

To request a copy of your data (data portability), email [PRIVACY EMAIL].


13. Security

We implement reasonable technical and organizational measures to protect personal information, including:

  • Encryption of Google OAuth tokens at rest
  • Row-level security on database tables
  • HTTPS for data in transit
  • Access controls on administrative tools

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

If you believe your account has been compromised, contact [CONTACT EMAIL] immediately.


14. Children's privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13.

If you believe a child under 13 has provided us with personal information, contact [PRIVACY EMAIL] and we will take steps to delete it.


15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" at the top and, where appropriate, provide additional notice (such as a banner in the Service).

We encourage you to review this policy periodically.


16. Contact us

Privacy inquiries: [PRIVACY EMAIL]

General contact: [CONTACT EMAIL]

Postal address: [REGISTERED ADDRESS]

Grievance Officer (India): [GRIEVANCE OFFICER NAME] — [GRIEVANCE OFFICER EMAIL]


Appendix: Summary of categories collected (CCPA reference)

Category Collected Disclosed to service providers Sold
Identifiers (email, user ID) Yes Yes No
Customer records (profile name, avatar) Yes Yes No
User-generated content (canvases, attachments) Yes Yes (AI/collaboration) No
Internet/network activity (logs, analytics) Yes Yes No
Geolocation (inferred from IP) Possibly Yes (analytics) No

We do not sell personal information.

TermsPrivacyHome