FlowDot Privacy Policy

Last Updated: October 20, 2025 Effective Date: October 20, 2025

Introduction

At FlowDot, we believe privacy is a fundamental right. This Privacy Policy explains how we collect, use, protect, and share your information when you use our workflow automation platform.

Our Privacy Philosophy:

We collect only what's necessary to provide our Service
You control your data and where it goes
We support local AI processing for maximum privacy
We encrypt sensitive data like API keys
Public sharing is opt-in, not default
We don't sell your personal information

Important: When you use FlowDot's "Bring Your Own Keys" (BYOK) model or local AI processing, your data may go directly to third-party providers or stay entirely on your device. This policy explains our role in that data flow.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

Email address (required)
Name or username
Password (stored as cryptographic hash, not plaintext)
Profile information (optional)
Billing information (processed through Stripe, not stored by us)

Workflow Data:

Workflows you create (node configurations, connections, logic)
Workflow names and descriptions
Execution history and logs
Input data and output results from workflow executions
Custom code in JavaScript nodes
Workflow settings and preferences

API Keys and Credentials (BYOK):

Third-party API keys you provide (OpenAI, Anthropic, Google, etc.)
Webhook URLs and authentication tokens
OAuth tokens for integrated services
Database connection strings
Custom API credentials

IMPORTANT: These credentials are:

Encrypted at rest using Laravel encryption
Never shared with other users
Never used for purposes other than executing your workflows
Removable by you at any time

Communications:

Support requests and correspondence
Feedback and feature requests
Community discussions and comments
Ratings and reviews of workflows

1.2 Information Collected Automatically

Usage Data:

Workflows executed and execution frequency
Features used and interaction patterns
Error logs and debugging information
Performance metrics (execution time, resource usage)
API response times and errors

Device and Technical Information:

IP address
Browser type and version
Operating system
Device identifiers
Referring URLs
Pages visited and actions taken

Cookies and Similar Technologies:

Session cookies (required for authentication)
Preference cookies (optional, for settings)
Analytics cookies (optional, can be disabled)
Security cookies (required for CSRF protection)

See Section 7 for cookie details and controls.

1.3 Information from Third-Party Services

OAuth Authentication: If you sign in using Google, GitHub, or other OAuth providers, we receive:

Email address
Basic profile information (name, avatar)
OAuth access token (for accessing your resources with permission)

Webhook Data: When external services send data to your workflows via webhooks:

We receive and process the data according to your workflow
This data may include any information the external service sends
We store webhook data according to your workflow configuration

Third-Party Integrations: When you connect services (Slack, Trello, etc.):

We may receive data from these services as configured in your workflow
This data is processed according to your workflow logic
We don't access your third-party accounts beyond what you explicitly configure

1.4 Information We Do NOT Collect

We do NOT collect:

Data processed by local AI models (Ollama) running on your device
Contents of your documents processed through local models
Passwords or credentials for third-party services (only encrypted tokens)
Credit card details (handled entirely by Stripe)
Biometric data
Precise geolocation (only general location from IP)

2. How We Use Your Information

2.1 To Provide the Service

Authenticate your account and maintain sessions
Execute workflows you create and trigger
Store and retrieve your workflows and data
Process payments and manage subscriptions
Provide customer support and respond to inquiries
Send transactional emails (execution results, alerts, etc.)

2.2 To Improve the Service

Analyze usage patterns to improve features
Debug errors and optimize performance
Develop new features based on user needs
Conduct A/B testing of interface improvements
Generate anonymized, aggregated analytics
Train our team on common user workflows (anonymized)

2.3 To Ensure Security and Compliance

Detect and prevent fraud and abuse
Monitor for violations of Terms of Service
Investigate security incidents
Comply with legal obligations
Enforce our rights and protect users
Maintain audit trails for security purposes

2.4 To Communicate with You

Send workflow execution notifications
Alert you to service issues or maintenance
Respond to your support requests
Share product updates (if you opt in)
Send billing and account information
Request feedback or participation in research (optional)

Marketing Communications:

We may send marketing emails if you opt in
You can unsubscribe at any time
We never sell your email to third parties
We don't share your email with partners without consent

3. The BYOK Model: Where Your Data Actually Goes

This is critical to understand: When you use FlowDot with your own API keys, your data goes directly to those third-party services, not to us (except for metadata and logs).

3.1 How BYOK Works

You provide API keys for services like OpenAI, Anthropic, Google, etc.
We encrypt and store these keys securely
When your workflow executes:
- We retrieve your encrypted API key
- We make API calls to the third-party service on your behalf
- Your data (prompts, documents, images) goes to that third-party
- Results come back and are processed by your workflow
You are charged by the third-party provider according to their pricing
Third-party privacy policies apply to data sent to them

3.2 What We See vs. What Third Parties See

FlowDot sees:

That you executed a workflow
Which nodes were triggered
Execution time and resource usage
Error messages (if any)
Aggregated metrics (token counts, execution duration)
Workflow configuration and logic

FlowDot stores (in execution logs):

Inputs and outputs of workflow nodes
Intermediate data between nodes
Results returned from APIs
Error details and stack traces

Third-party AI providers see (via your API key):

All data you send to them through workflows
Prompts, documents, images, audio
Your API usage patterns
Any metadata included in API calls

Important: Different AI providers have different data retention and privacy policies:

Some providers (like OpenAI) may use your data for training unless you opt out
Some providers (like Anthropic) don't train on API data
Local models (Ollama) don't send data anywhere
Review each provider's privacy policy to understand their practices

3.3 Local AI Processing: Maximum Privacy

When you use local AI models (e.g., Ollama):

What happens:

AI models run entirely on your device
Data never leaves your computer
FlowDot relays requests through your browser to localhost
No data is sent to FlowDot servers or third-party providers
Processing is completely private

What we see:

That you executed a workflow
That it used a local AI provider
Execution metadata (time, success/failure)

What we do NOT see:

Your prompts or inputs
Model outputs or results
Documents or data processed
Any content processed by local models

This means: Medical records, financial data, proprietary research, or any sensitive information can be processed with complete privacy using local models.

3.4 Your Responsibilities Under BYOK

When using BYOK, you are responsible for:

Reviewing privacy policies of third-party providers you use
Ensuring you have legal basis to send data to these providers
Complying with data protection laws (GDPR, CCPA, HIPAA, etc.)
Managing your API usage and costs
Understanding data retention policies of providers
Obtaining necessary consents from data subjects

We are NOT responsible for:

How third-party providers use your data
Third-party provider privacy practices
Data breaches at third-party providers
Costs incurred from API usage
Compliance of third-party providers with regulations

4. Data Security

4.1 Security Measures

We implement industry-standard security measures to protect your data:

Encryption:

TLS/HTTPS for all data in transit
AES-256 encryption for sensitive data at rest (API keys, credentials)
Laravel encryption for stored credentials
Database encryption for sensitive fields
Encrypted backups

Access Controls:

Authentication required for all access (Sanctum tokens)
Role-based access control (RBAC)
Principle of least privilege for internal access
Two-factor authentication available (optional)
Temporary tokens with automatic expiration

Infrastructure Security:

Firewalled Docker containers
Regular security updates and patches
Isolated database per environment
Redis for session management
Rate limiting and DDoS protection
Regular security audits

Application Security:

Input validation and sanitization
CSRF protection
SQL injection prevention (parameterized queries)
XSS prevention
Secure password hashing (bcrypt)
Webhook signature verification (HMAC-SHA256, Ed25519)
Constant-time comparison for cryptographic operations

Monitoring:

Intrusion detection systems
Automated security scanning
Error monitoring and alerting
Audit logs of sensitive operations
Unusual activity detection

4.2 Data Retention

Active Accounts:

Workflows: Retained indefinitely while account is active
Execution logs: Retained for 90 days by default (configurable based on plan)
API keys: Retained until you remove them
Account data: Retained while account is active

Inactive Accounts:

Accounts inactive for 2+ years may be deleted
We will email warnings before deletion
You can export your data before deletion

Deleted Accounts:

Most data deleted within 30 days
Some data retained for legal/compliance reasons (90 days)
Backups may contain data for up to 60 days
Public workflows you shared may persist (others may have copied them)

Legal Holds:

Data may be retained longer if required by law
Litigation holds or investigations may extend retention
We will retain minimum necessary data

4.3 Your Security Responsibilities

To keep your account secure:

Use a strong, unique password
Enable two-factor authentication
Don't share your account credentials
Review account activity regularly
Use different API keys for different environments
Rotate API keys periodically
Report security issues to security@flowdot.ai
Log out on shared devices

4.4 Data Breaches

In the event of a data breach:

We will investigate and contain the breach
We will notify affected users within 72 hours (GDPR requirement)
We will report to authorities as required by law
We will provide details about what data was affected
We will offer guidance on protective measures

How we notify you:

Email to registered address
In-app notification
Public disclosure if widespread impact
Updates on status page

5. How We Share Your Information

5.1 We Do NOT Sell Your Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Sharing You Control

Public Workflows:

You choose whether to make workflows public
Public workflows are visible to all users
Other users can view, copy, and modify public workflows
Your username is attributed as the creator
You can unpublish at any time (but copies may exist)

Team/Organization Sharing:

You can share workflows with team members
Team members can view and edit shared workflows
Team admins can manage team member access
You control who has access to your team workflows

5.3 Service Providers

We share data with trusted service providers who help us operate the Service:

Infrastructure Providers:

Cloud hosting providers (for servers and databases)
CDN providers (for content delivery)
Backup and disaster recovery services

Payment Processing:

Stripe (for payment processing)
We do not store credit card information
Stripe's privacy policy applies to payment data

Communication Services:

Email service providers (for transactional and marketing emails)
SMS providers (if we add SMS notifications)
Push notification services (for mobile apps)

Analytics and Monitoring:

Error tracking services (e.g., Sentry)
Analytics platforms (anonymized data)
Performance monitoring tools

All service providers:

Are contractually obligated to protect your data
May only use data to provide services to us
Cannot use your data for their own purposes
Are vetted for security and privacy practices

5.4 Business Transfers

If FlowDot is involved in a merger, acquisition, bankruptcy, or sale of assets:

Your information may be transferred to the new entity
You will be notified via email and/or prominent notice
The new entity must honor this Privacy Policy
You may have the right to delete your account before transfer

5.5 Legal Requirements

We may disclose your information if required by law:

To comply with legal obligations (subpoenas, court orders)
To protect our rights or property
To investigate fraud or security issues
To protect the safety of users or the public
In emergencies to prevent harm
To enforce our Terms of Service

We will:

Notify you of legal requests unless prohibited
Challenge overbroad or inappropriate requests
Provide only the minimum information required
Maintain transparency reports (when possible)

5.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you:

Usage statistics and trends
Research on AI automation patterns
Public reports on platform growth
Academic research collaborations
Industry benchmark reports

This data cannot be traced back to individual users.

6. Your Privacy Rights and Choices

6.1 Access and Portability (GDPR Article 15, CCPA)

You have the right to:

Access all personal data we hold about you
Receive a copy of your data in a portable format
Export your workflows, execution logs, and settings
Request a detailed report of data processing activities

How to exercise:

Use the "Export Data" feature in account settings
Contact privacy@flowdot.ai for comprehensive data requests
We will respond within 30 days (GDPR requirement)

6.2 Correction and Updating (GDPR Article 16)

You have the right to:

Correct inaccurate personal information
Update your account details
Modify workflow data
Change preferences and settings

How to exercise:

Update directly in account settings
Contact support@flowdot.ai for assistance

6.3 Deletion and Right to be Forgotten (GDPR Article 17, CCPA)

You have the right to:

Delete your account and associated data
Request deletion of specific workflows or data
Be forgotten (subject to legal exceptions)

How to exercise:

Use "Delete Account" in account settings
Contact privacy@flowdot.ai for specific deletion requests
We will process deletions within 30 days

Exceptions:

Data required for legal compliance (tax records, etc.)
Data needed for pending transactions or disputes
Aggregated, anonymized data
Public workflows others have copied (we don't control copies)

6.4 Objection and Restriction (GDPR Articles 18, 21)

You have the right to:

Object to processing of your data for specific purposes
Restrict how we process your data
Opt out of marketing communications
Opt out of analytics cookies

How to exercise:

Unsubscribe from marketing emails
Adjust cookie preferences in settings
Contact privacy@flowdot.ai for specific objections

6.5 Withdraw Consent (GDPR Article 7)

For processing based on consent:

You can withdraw consent at any time
Withdrawal doesn't affect prior processing
Some features may not work without consent

How to exercise:

Adjust settings in account preferences
Remove API keys or integrations
Contact privacy@flowdot.ai

6.6 Opt-Out of Sale (CCPA)

We do not sell personal information. However, sharing for analytics or advertising might be considered "sale" under some definitions.

To opt out:

Disable analytics cookies
Contact privacy@flowdot.ai
Use the "Do Not Sell My Info" link (California residents)

6.7 Non-Discrimination (CCPA)

We will not discriminate against you for exercising privacy rights:

No denial of service
No different prices or quality
Equal treatment for all users

6.8 Authorized Agents

You may designate an authorized agent to make requests on your behalf:

Provide written authorization
Agent must verify identity and authorization
We may require you to verify the request directly

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

Essential Cookies (Required):

Session management (authentication)
Security (CSRF tokens)
Load balancing
Account preferences

Functional Cookies (Optional):

Language preferences
Theme preferences (dark mode, etc.)
Workflow editor settings
Dashboard customizations

Analytics Cookies (Optional):

Usage patterns and feature adoption
Performance metrics
Error tracking
A/B testing

We do NOT use:

Third-party advertising cookies
Social media tracking pixels (unless you explicitly integrate)
Cross-site tracking
Behavioral profiling for ads

7.2 Cookie Controls

Browser Controls:

Configure cookie settings in your browser
Block or delete cookies
Use private/incognito mode

FlowDot Controls:

Cookie preference center in settings
Opt in/out of optional cookies
Export cookie consent choices

Note: Blocking essential cookies will prevent the Service from working properly.

7.3 Do Not Track (DNT)

We honor Do Not Track browser signals
DNT disables optional analytics cookies
Essential cookies still required for functionality

7.4 Third-Party Analytics

We may use analytics services such as:

Google Analytics (anonymized IP, opt-out available)
Self-hosted analytics (Plausible, Matomo)
Error tracking (Sentry)

These services have their own privacy policies. We configure them for maximum privacy:

IP anonymization enabled
No cross-site tracking
No advertising features
Data retention limits

8. International Data Transfers

8.1 Where We Store Data

Primary servers located in [Your Primary Region, e.g., United States]
Backup servers in [Backup Region if applicable]
Some service providers may process data in other countries

8.2 Transfers Outside the EU/EEA (GDPR Article 44)

If you're in the EU/EEA and we transfer your data outside this region:

Safeguards we use:

Standard Contractual Clauses (SCCs) with service providers
Adequacy decisions by the European Commission (where applicable)
Binding Corporate Rules (for internal transfers)
Explicit consent for specific transfers (where required)

8.3 Privacy Shield

Note: The EU-U.S. Privacy Shield was invalidated. We rely on SCCs and other approved mechanisms for EU-US transfers.

8.4 Your Rights for International Transfers

Right to information about safeguards
Right to object to transfers in some cases
Right to file complaints with supervisory authorities

9. Children's Privacy (COPPA Compliance)

9.1 Age Requirements

Service is not intended for children under 13
We do not knowingly collect data from children under 13
Users aged 13-18 should have parental/guardian consent

9.2 If We Discover Child Data

If we learn we've collected data from a child under 13:

We will delete the account and data promptly
We will not use or share the data
Parents can contact us at privacy@flowdot.ai

9.3 Parental Rights

Parents/guardians can:

Request access to their child's data
Request deletion of their child's account
Refuse further collection of their child's data

9.4 Educational Use

If used in educational settings:

Schools must obtain parental consent
Schools are responsible for FERPA and COPPA compliance
We act as a service provider to the school
Contact us for education-specific data processing agreements

10. California Privacy Rights (CCPA/CPRA)

10.1 Categories of Personal Information Collected

In the past 12 months, we collected:

Category	Collected	Business Purpose	Shared With
Identifiers (email, name)	Yes	Account management, communication	Service providers
Commercial information (subscription)	Yes	Billing, service provision	Stripe, service providers
Internet activity (usage data)	Yes	Service improvement, analytics	Analytics providers
Geolocation (general from IP)	Yes	Service delivery, fraud prevention	Service providers
Professional information (optional)	No	-	-
Biometric information	No	-	-
Sensitive personal information	Yes (API keys)	Workflow execution	Encrypted, service providers only

10.2 California Consumer Rights

Right to Know: Request categories and specific pieces of personal information

Right to Delete: Request deletion of personal information

Right to Correct: Correct inaccurate information

Right to Opt-Out of Sale: We don't sell, but you can opt out of sharing

Right to Limit Use of Sensitive Information: We only use sensitive info (API keys) for service provision

Right to Non-Discrimination: Equal service regardless of privacy choices

How to Exercise Rights:

Email: privacy@flowdot.ai
Phone: [Your Phone Number]
Submit via: [Online Form URL]

Verification:

We verify your identity before processing requests
May require email confirmation or account authentication
Authorized agents must provide proof of authorization

Response Time:

45 days (extendable to 90 days for complex requests)
Free twice per 12-month period
Reasonable fee for excessive or repetitive requests

10.3 Shine the Light Law

California residents can request information about third parties we've shared personal information with for direct marketing purposes. We don't share for this purpose, but you can request confirmation annually at privacy@flowdot.ai.

11. European Union/EEA Rights (GDPR)

11.1 Legal Basis for Processing

We process your data based on:

Contract (Article 6(1)(b)):

Providing the Service you signed up for
Executing workflows you create
Processing payments

Legitimate Interests (Article 6(1)(f)):

Improving the Service
Security and fraud prevention
Analytics and research
Marketing to existing customers

Consent (Article 6(1)(a)):

Optional features
Marketing to non-customers
Cookies beyond essential ones
Third-party integrations you enable

Legal Obligation (Article 6(1)(c)):

Compliance with tax laws
Responding to legal requests
Regulatory reporting

11.2 GDPR Rights Summary

All rights listed in Section 6 apply, plus:

Right to Lodge a Complaint:

Contact your supervisory authority
File complaints about our data practices
We will cooperate with investigations

Right to Data Portability:

Receive data in structured, machine-readable format (JSON, CSV)
Transfer data to another service

Automated Decision-Making:

We do not use automated decision-making or profiling with legal/significant effects
Workflow outputs are controlled by you, not automated decisions about you

11.3 EU Representative

If required, our EU representative can be contacted at: [EU Representative Name and Address if applicable]

11.4 Data Protection Officer

For GDPR matters, contact our Data Protection Officer: Email: dpo@flowdot.ai [DPO Contact Information]

12. Changes to This Privacy Policy

12.1 How We Notify Changes

Material changes: Email notification + prominent in-app notice
Minor changes: Updated "Last Updated" date + optional notification
You can review previous versions upon request

12.2 Your Acceptance

Continued use after changes constitutes acceptance
If you disagree, you must stop using the Service
You may export your data before leaving

12.3 Version History

We maintain a history of significant policy changes available at [URL].

13. Contact Us

13.1 Privacy Questions

For privacy questions or concerns:

Email: privacy@flowdot.ai
Support: support@flowdot.ai
DPO: dpo@flowdot.ai (for GDPR matters)

13.2 Data Subject Requests

To exercise your privacy rights:

Email: privacy@flowdot.ai
Online Form: [URL to data request form]
Mail: [Your Company Address]

13.3 Security Issues

To report security vulnerabilities:

Email: security@flowdot.ai
Encrypted: [PGP key if available]

Do NOT report security issues through public channels.

13.4 General Contact

FlowDot [Your Company Legal Name] [Address Line 1] [Address Line 2] [City, State, ZIP] [Country]

Website: https://flowdot.ai Support: support@flowdot.ai

Additional Privacy Considerations

For Healthcare Data (HIPAA)

Important: FlowDot is NOT HIPAA-compliant by default.

If you handle Protected Health Information (PHI):

Do NOT use cloud-based AI providers for PHI
DO use local Ollama models for maximum privacy
Ensure you have a Business Associate Agreement (BAA) with any services you use
Implement additional safeguards as required by HIPAA
Contact us about enterprise HIPAA-compliant solutions

For Financial Data (GLBA, PCI-DSS)

If you handle financial data:

Review third-party provider compliance
Use local processing when possible
Implement additional access controls
Maintain audit trails
Ensure workflows comply with financial regulations
Do NOT store credit card numbers in workflows

For Educational Data (FERPA)

Schools using FlowDot:

Ensure student consent/notice as required by FERPA
We act as a school official with legitimate educational interest
We don't share student data with third parties without consent
Contact us for education-specific data processing agreements
Use local models for sensitive student information

For Government and Public Sector

Government agencies:

Review data residency requirements
Consider on-premises or dedicated cloud deployments
Ensure compliance with FedRAMP, StateRAMP, or equivalent
Contact us about government-specific solutions
Consider air-gapped local processing for classified data

Privacy Best Practices for FlowDot Users

Maximizing Your Privacy

Use Local AI Models (Ollama) for sensitive data
Review third-party provider privacy policies before sending data
Use separate API keys for different security levels
Keep workflows private unless you want to share
Regularly review execution logs and delete if needed
Enable two-factor authentication for account security
Audit your integrations and remove unused ones
Export your data periodically as backup
Use strong, unique passwords
Monitor your API usage with third-party providers

Understanding Data Flow

Local Processing (Most Private):

Your device → Local Ollama → Your device
FlowDot sees: Workflow executed, metadata only
Nobody else sees: Your actual data

BYOK with Third-Party API (Less Private):

Your device → FlowDot → Third-party API → FlowDot → Your device
FlowDot sees: Full data and results (stored in logs)
Third-party sees: Full data and results
Others see: Nothing (unless you share workflow publicly)

Public Workflows (Least Private for Workflow Design):

Anyone can see: Your workflow design and logic
Nobody sees: Your execution data or API keys
Others cannot: Execute your workflows with your API keys

Appendix: Technical Details

A. Encryption Specifications

Data in Transit: TLS 1.2+ with strong cipher suites
Data at Rest: AES-256 encryption for sensitive fields
Password Hashing: bcrypt with appropriate work factor
Token Generation: Cryptographically secure random number generator
Webhook Signatures: HMAC-SHA256, Ed25519

B. Data Retention Schedule

Data Type	Retention Period	Basis
Account information	While account active + 30 days	Contract
Workflows	While account active + 30 days	Contract
Execution logs	90 days (default)	Legitimate interest
API keys	Until user removes	Contract
Billing records	7 years	Legal obligation
Support tickets	3 years	Legitimate interest
Security logs	1 year	Legitimate interest
Anonymized analytics	Indefinitely	Legitimate interest

C. Third-Party Service Providers

Current service providers and their purposes:

Stripe: Payment processing (https://stripe.com/privacy)
[Email Provider]: Transactional and marketing emails
[Hosting Provider]: Infrastructure and hosting
[Analytics Provider]: Usage analytics (if applicable)

This list is not exhaustive. Contact privacy@flowdot.ai for complete list.

D. Subprocessors

For GDPR Article 28 requirements, our list of subprocessors is available at: [Subprocessors URL]

We notify customers 30 days before adding new subprocessors.

By using FlowDot, you acknowledge that you have read and understood this Privacy Policy.

Version: 1.0 Last Updated: October 20, 2025 Effective Date: October 20, 2025