Privacy Policy

1. Who We Are

Flowo is operated by Hopson & Cie Srl, a company incorporated under Belgian law:

Hopson & Cie Srl acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR — Regulation 2016/679) for all personal data processed through the Flowo platform.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

• Email address — used for authentication, notifications, and account recovery
• Display name / username — shown in the interface
• Password hash — we store only a non-reversible hash, never the plaintext password
• Profile picture URL — only if you sign in via Google OAuth (sourced directly from your Google profile)
• Account creation date and last login timestamp

2.2 Subscription & Payment Data

Payments are processed exclusively by Polar.sh (our payment processor). We do not store your credit card number or bank details. We receive and store:

• Subscription status (active, trial, cancelled)
• Plan type (Monthly €14.99/mo or Annual €119.88/yr)
• Subscription start/end dates
• Customer ID and subscription ID from Polar

2.3 Usage & App Data

To provide the service, we store:

• Tasks: title, description, deadlines, priorities, status — you own this data
• Events: title, date/time, location, notes, recurrence rules
• Projects: names, colors, task groupings
• App preferences: language, time slots, theme, sidebar state
• AI credits: usage count, reset date (no conversation content stored beyond your session)

2.4 Google Calendar Integration Data (Optional)

If you choose to connect Google Calendar:

• OAuth tokens: access token and refresh token (encrypted at rest in our database)
• Calendar events: title, date/time, description, location, attendees, Google Meet links — synced from your Google Calendar into Flowo's database for display purposes
• We never access calendars or data beyond the permissions you explicitly grant via Google's OAuth consent screen

2.5 Technical Data

• IP address (processed by Cloudflare CDN — we do not log or store it ourselves)
• Browser type and operating system (from HTTP User-Agent headers — not stored persistently)
• Error logs (anonymised, retained for 30 days maximum)

3. How We Use Your Data

• Providing the service: scheduling, task management, AI assistance, calendar sync
• Authentication: verifying your identity on login, maintaining your session
• Transactional emails: account verification, password reset, subscription confirmation and cancellation notices, trial expiry reminders
• AI features: your task data is sent to our AI provider (OpenAI) to generate suggestions — this is anonymised in transit and not stored by us beyond the request
• Billing: managing your subscription via Polar.sh webhooks
• Security & abuse prevention: detecting anomalous usage, protecting accounts
• Service improvement: aggregated, anonymous usage metrics only — no individual profiling

4. Legal Basis (GDPR Art. 6)

5. Google User Data — Full Disclosure

Flowo interacts with Google services in two distinct ways: (a) Google Sign-In for authentication, and (b) Google Calendar integration for calendar synchronisation. This section fully discloses how Flowo accesses, uses, stores, shares, retains, and allows deletion of Google user data, in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Google User Data Accessed

A. Google Sign-In (authentication)

When you sign in with Google, Flowo requests the following OAuth scopes:

• openid — to verify your identity
• email — to obtain your email address for account creation and login
• profile — to obtain your display name and profile picture URL

Specifically, we access the following data from the googleapis.com/oauth2/v3/userinfo endpoint:

B. Google Calendar Integration (optional, user-initiated)

If you choose to connect Google Calendar (a separate action from signing in), Flowo requests these additional OAuth scopes:

• https://www.googleapis.com/auth/calendar — read and write calendar data
• https://www.googleapis.com/auth/calendar.events — read, create, and modify calendar events

Specifically, we access the following calendar data via the Google Calendar API v3:

5.2 How We Use Google User Data

Flowo uses Google user data exclusively for the following purposes:

5.3 Google User Data Sharing

Google user data obtained through Google API Services is shared only with the following categories of third parties, and only for the purposes described:

Important: Google user data is never shared with OpenAI, Polar, Resend, or any other sub-processor. Specifically:

• The AI scheduler receives only event time ranges (start/end timestamps) — never event titles, descriptions, attendees, or any other Google Calendar content
• Resend (email service) has no access to any Google user data
• Polar (payment processor) has no access to any Google user data

5.4 Google User Data Storage & Protection

Google user data is stored and protected using the following measures:

Additional security measures applicable to all Google user data:

• No client-side storage of tokens: Google OAuth tokens are stored server-side only. The browser receives only a Flowo JWT session token.
• Automatic token rotation: access tokens are short-lived and automatically refreshed using the stored refresh token.
• DDoS and WAF protection: all API endpoints are protected by Cloudflare's Web Application Firewall and DDoS mitigation.
• Rate limiting: authentication endpoints are rate-limited to prevent brute-force attacks.

5.5 Google User Data Retention & Deletion

We retain Google user data only for as long as necessary to provide the service:

How to delete your Google user data:

• Disconnect Google Calendar: Go to Flowo Settings → Calendar → Disconnect Google Calendar. This immediately deletes all synced events and OAuth tokens from our database.
• Revoke access from Google: Visit myaccount.google.com/permissions, find "Flowo," and click "Remove Access." This revokes our OAuth authorization at the Google level.
• Delete your Flowo account: Go to Flowo Settings → Account → Delete Account, or email privacy@getflowo.com. All Google user data (and all other personal data) is permanently deleted within 30 days.
• Request data deletion by email: Send a request to privacy@getflowo.com with the subject "Google Data Deletion Request." We will process your request within 30 days and confirm deletion.

5b. Other Third-Party Integrations

Microsoft (Outlook / Microsoft 365)

If you connect Microsoft Outlook or sign in with a Microsoft account where offered, Microsoft processes authentication and calendar data according to their terms. We use Microsoft identity and calendar APIs only to provide the features you enable (display sync, creating or updating events when you ask us to). We do not use Microsoft data for advertising or to train unrelated models. For how we store tokens and calendar events, the same security measures as for other calendar integrations apply (encrypted storage, per-user isolation, TLS). Microsoft's privacy statement: privacy.microsoft.com/privacystatement.

• OpenAI: task titles and descriptions may be sent to OpenAI to generate AI scheduling suggestions. No Google user data is sent to OpenAI. OpenAI's privacy policy: openai.com/privacy
• Polar.sh: handles payment processing. No Google user data is shared with Polar. Their privacy policy: polar.sh/legal/privacy
• Resend: transactional email delivery. Only your email address and username are shared with Resend for sending emails. No Google Calendar data is shared. Their privacy policy: resend.com/privacy

6. Data Sharing & Sub-processors

We share personal data only with the following categories of recipients:

SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914) for GDPR-compliant international transfers.

We do not share data with advertisers, data brokers, analytics companies, or any other parties beyond the above.

7. Data Retention

• Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
• Subscription records: retained for 7 years for accounting and tax compliance under Belgian law (Code des Sociétés et des Associations).
• Task and event data: deleted immediately upon account deletion.
• Google Calendar tokens: deleted when you disconnect Google Calendar or delete your account.
• AI interaction data: not stored — processed in real time only.
• Error logs: anonymised and retained for maximum 30 days.

8. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

• Right of access (Art. 15): request a copy of all personal data we hold about you
• Right to rectification (Art. 16): correct inaccurate or incomplete data — you can update your name and email directly in Flowo settings
• Right to erasure / "right to be forgotten" (Art. 17): request deletion of your account and all associated data
• Right to restriction of processing (Art. 18): request that we limit processing of your data in certain circumstances
• Right to data portability (Art. 20): receive your task and event data in a structured, machine-readable format (JSON export)
• Right to object (Art. 21): object to processing based on legitimate interest
• Right to withdraw consent (Art. 7.3): revoke Google Calendar authorisation at any time without affecting prior lawful processing
• Right to lodge a complaint: you may file a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be) or the supervisory authority of your EU member state of residence

9. Security

We implement appropriate technical and organisational measures to protect your personal data:

• Encryption in transit: all data transmitted between your browser and our servers uses TLS 1.3 (HTTPS enforced)
• Encryption at rest: Cloudflare D1 databases are encrypted at rest by default
• Password hashing: passwords are stored as irreversible hashes — we cannot recover your password
• OAuth token security: Google OAuth refresh tokens are stored in our secured database, never exposed to the frontend
• Access control: production database access is restricted to authenticated Cloudflare Workers only
• No plaintext secrets: API keys and secrets are stored as encrypted Cloudflare environment secrets
• Edge security: Cloudflare provides DDoS protection, WAF (Web Application Firewall), and bot mitigation

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and affected individuals without undue delay as required by Art. 34.

10. Cookies & Local Storage

10.1 What we use

Flowo uses no third-party tracking cookies and no advertising cookies. We use only:

10.2 Cloudflare

Cloudflare may set a cookie (__cf_bm) for bot detection and security purposes. This is a strictly necessary cookie. See Cloudflare's privacy policy.

10.3 Cookie consent (this website)

On marketing pages (e.g. homepage, guide, legal pages), we store your cookie choices in localStorage under the key flowo_cookie_consent (JSON with your analytics preference). This record is not used to track you across other companies' sites; it only remembers whether you accepted or rejected optional measurement tags on getflowo.com.

If you accept analytics & marketing measurement, we load Google Tag Manager (which may include Google Analytics 4 or other tags as configured) and the Google Ads gtag library. These tools are not injected before consent. If you reject optional tags, they are not loaded.

You can change your mind by clearing site data for getflowo.com in your browser or by deleting the flowo_cookie_consent entry; the banner will appear again on your next visit.

11. Children's Privacy

Flowo is not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@getflowo.com and we will delete the data promptly.

12. International Data Transfers

Our primary sub-processors (Cloudflare, OpenAI, Polar, Resend) are based in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914, providing adequate safeguards for your personal data as required by GDPR Chapter V.

Data processed by Cloudflare is subject to their Data Processing Addendum and their binding corporate rules. Cloudflare Workers and D1 can be configured to process data exclusively within the EU — we are actively evaluating this option for future compliance improvements.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to all registered users at least 14 days before the changes take effect
• Display a notice within the Flowo application

Continued use of Flowo after the effective date of changes constitutes acceptance of the updated policy.

Previous versions of this Privacy Policy are available upon request at privacy@getflowo.com.

14. Contact & Data Protection

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data:

If you are not satisfied with our response, you have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA):

For cross-border disputes, you may also use the EU Online Dispute Resolution platform: ec.europa.eu/consumers/odr