Privacy Policy

Who We Are
Data We Collect
How We Use Your Data
Legal Basis (GDPR)
Google Calendar & Third-Party Integrations
Data Sharing & Sub-processors
Data Retention
Your Rights (GDPR)
Security
Cookies & Local Storage
Children's Privacy
International Transfers
Changes to This Policy
Contact & DPO

Our commitment: We collect only what is strictly necessary to operate Flowo. We never sell your personal data. You can request deletion at any time.

1. Who We Are

Flowo is operated by Hopson & Cie Srl, a company incorporated under Belgian law:

Hopson & Cie Srl

149 avenue du Domaine, 1190 Bruxelles, Belgium

VAT: BE 0450.443.155

Email: privacy@getflowo.com

Website: https://getflowo.com

Hopson & Cie Srl acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR — Regulation 2016/679) for all personal data processed through the Flowo platform.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

Email address — used for authentication, notifications, and account recovery
Display name / username — shown in the interface
Password hash — we store only a non-reversible hash, never the plaintext password
Profile picture URL — only if you sign in via Google OAuth (sourced directly from your Google profile)
Account creation date and last login timestamp

2.2 Subscription & Payment Data

Payments are processed exclusively by Polar.sh (our payment processor). We do not store your credit card number or bank details. We receive and store:

Subscription status (active, trial, cancelled)
Plan type (Monthly €14.99/mo or Annual €119.88/yr)
Subscription start/end dates
Customer ID and subscription ID from Polar

2.3 Usage & App Data

To provide the service, we store:

Tasks: title, description, deadlines, priorities, status — you own this data
Events: title, date/time, location, notes, recurrence rules
Projects: names, colors, task groupings
App preferences: language, time slots, theme, sidebar state
AI credits: usage count, reset date (no conversation content stored beyond your session)

2.4 Google Calendar Integration Data (Optional)

If you choose to connect Google Calendar:

OAuth tokens: access token and refresh token (encrypted at rest in our database)
Calendar events: title, date/time, description, location, attendees, Google Meet links — synced from your Google Calendar into Flowo's database for display purposes
We never access calendars or data beyond the permissions you explicitly grant via Google's OAuth consent screen

2.5 Technical Data

IP address (processed by Cloudflare CDN — we do not log or store it ourselves)
Browser type and operating system (from HTTP User-Agent headers — not stored persistently)
Error logs (anonymised, retained for 30 days maximum)

Category	Examples	Stored in	Retention
Account	Email, username, password hash	Cloudflare D1 (SQLite)	Until account deletion
Subscription	Plan, status, dates	Cloudflare D1	Until account deletion
Tasks & Events	Titles, dates, notes	Cloudflare D1	Until account deletion
GCal Tokens	Access + refresh token	Cloudflare D1 (encrypted)	Until disconnection
Local preferences	Language, sidebar state	Browser localStorage	Until browser clear

3. How We Use Your Data

Providing the service: scheduling, task management, AI assistance, calendar sync
Authentication: verifying your identity on login, maintaining your session
Transactional emails: account verification, password reset, subscription confirmation and cancellation notices, trial expiry reminders
AI features: your task data is sent to our AI provider (OpenAI) to generate suggestions — this is anonymised in transit and not stored by us beyond the request
Billing: managing your subscription via Polar.sh webhooks
Security & abuse prevention: detecting anomalous usage, protecting accounts
Service improvement: aggregated, anonymous usage metrics only — no individual profiling

We never use your data for advertising, never sell it to third parties, and never build marketing profiles based on your usage.

4. Legal Basis (GDPR Art. 6)

Processing activity	Legal basis
Creating and managing your account	Contract performance (Art. 6.1.b)
Processing subscription payments	Contract performance (Art. 6.1.b)
Sending transactional emails	Contract performance (Art. 6.1.b)
Google Calendar integration	Consent (Art. 6.1.a) — you explicitly authorise via OAuth
AI task suggestions	Legitimate interest (Art. 6.1.f) — core product feature
Security monitoring & fraud prevention	Legitimate interest (Art. 6.1.f)
Legal obligations (tax records)	Legal obligation (Art. 6.1.c)

5. Google Calendar & Third-Party Integrations

5.1 Google Calendar (Optional)

When you connect Google Calendar, Flowo requests the following OAuth scopes:

https://www.googleapis.com/auth/calendar — read and write events
https://www.googleapis.com/auth/calendar.events — create and modify events

We use these permissions exclusively to:

Display your Google Calendar events within Flowo
Create new events (including Google Meet links) on your behalf
Send meeting invitations to participants you specify (Google handles the email delivery)
Update or cancel events you modify in Flowo

Your OAuth refresh token is stored encrypted in our database and is used solely to maintain the sync. You can revoke access at any time from your Google Account settings (myaccount.google.com/permissions) or from within the Flowo settings page.

Flowo's use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements.

5.2 Other Integrations

OpenAI: task titles and descriptions may be sent to OpenAI to generate AI scheduling suggestions. OpenAI's privacy policy applies: openai.com/privacy
Polar.sh: handles payment processing. Their privacy policy: polar.sh/legal/privacy
Resend: transactional email delivery. Their privacy policy: resend.com/privacy

6. Data Sharing & Sub-processors

We share personal data only with the following categories of recipients:

Sub-processor	Purpose	Location
Cloudflare, Inc.	CDN, edge hosting, D1 database, DDoS protection	USA (SCCs)
OpenAI, LLC	AI task suggestions (task content only, no account data)	USA (SCCs)
Polar.sh	Payment processing and subscription management	USA (SCCs)
Resend, Inc.	Transactional email delivery	USA (SCCs)
Google LLC	OAuth authentication, Calendar API (only if you connect)	USA (SCCs)

SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914) for GDPR-compliant international transfers.

We do not share data with advertisers, data brokers, analytics companies, or any other parties beyond the above.

7. Data Retention

Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
Subscription records: retained for 7 years for accounting and tax compliance under Belgian law (Code des Sociétés et des Associations).
Task and event data: deleted immediately upon account deletion.
Google Calendar tokens: deleted when you disconnect Google Calendar or delete your account.
AI interaction data: not stored — processed in real time only.
Error logs: anonymised and retained for maximum 30 days.

8. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15): request a copy of all personal data we hold about you
Right to rectification (Art. 16): correct inaccurate or incomplete data — you can update your name and email directly in Flowo settings
Right to erasure / "right to be forgotten" (Art. 17): request deletion of your account and all associated data
Right to restriction of processing (Art. 18): request that we limit processing of your data in certain circumstances
Right to data portability (Art. 20): receive your task and event data in a structured, machine-readable format (JSON export)
Right to object (Art. 21): object to processing based on legitimate interest
Right to withdraw consent (Art. 7.3): revoke Google Calendar authorisation at any time without affecting prior lawful processing
Right to lodge a complaint: you may file a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be) or the supervisory authority of your EU member state of residence

To exercise any of these rights, email us at privacy@getflowo.com. We will respond within 30 days as required by GDPR.

9. Security

We implement appropriate technical and organisational measures to protect your personal data:

Encryption in transit: all data transmitted between your browser and our servers uses TLS 1.3 (HTTPS enforced)
Encryption at rest: Cloudflare D1 databases are encrypted at rest by default
Password hashing: passwords are stored as irreversible hashes — we cannot recover your password
OAuth token security: Google OAuth refresh tokens are stored in our secured database, never exposed to the frontend
Access control: production database access is restricted to authenticated Cloudflare Workers only
No plaintext secrets: API keys and secrets are stored as encrypted Cloudflare environment secrets
Edge security: Cloudflare provides DDoS protection, WAF (Web Application Firewall), and bot mitigation

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and affected individuals without undue delay as required by Art. 34.

10. Cookies & Local Storage

10.1 What we use

Flowo uses no third-party tracking cookies and no advertising cookies. We use only:

Name	Type	Purpose	Duration
`flowo_session` / `sa_user_*`	localStorage	Keeping you logged in between visits	Until logout or browser clear
`sa_lang`	localStorage	Remembering your language preference	Persistent until changed
`sa_sidebar_*`	localStorage	Sidebar width and mini/expanded state	Persistent until changed
`g_state`	HTTP Cookie (HttpOnly)	CSRF protection during Google OAuth flow	10 minutes (auto-expires)
`gcal_state`	HTTP Cookie (HttpOnly)	CSRF protection during Google Calendar OAuth	10 minutes (auto-expires)

No analytics trackers (no Google Analytics, no Facebook Pixel, no Hotjar). No advertising networks. No cross-site tracking.

10.2 Cloudflare

Cloudflare may set a cookie (__cf_bm) for bot detection and security purposes. This is a strictly necessary cookie. See Cloudflare's privacy policy.

11. Children's Privacy

Flowo is not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@getflowo.com and we will delete the data promptly.

12. International Data Transfers

Our primary sub-processors (Cloudflare, OpenAI, Polar, Resend) are based in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914, providing adequate safeguards for your personal data as required by GDPR Chapter V.

Data processed by Cloudflare is subject to their Data Processing Addendum and their binding corporate rules. Cloudflare Workers and D1 can be configured to process data exclusively within the EU — we are actively evaluating this option for future compliance improvements.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send an email notification to all registered users at least 14 days before the changes take effect
Display a notice within the Flowo application

Continued use of Flowo after the effective date of changes constitutes acceptance of the updated policy.

Previous versions of this Privacy Policy are available upon request at privacy@getflowo.com.

14. Contact & Data Protection

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data:

Data Controller & Privacy Contact

Hopson & Cie Srl