// legal

Privacy Policy

Effective 17 June 2026 · FlowDesk

This policy explains what data FlowDesk ("we", "us") collects, why, and the choices you have. We aim to collect only what's needed to run the product, and we never sell your data.

1. What we collect

Account data — your email address (used for passwordless sign-in) and the workspaces you belong to.
Content you create — tasks, projects, comments, workflows, and related data you enter into FlowDesk.
Technical data — IP address, browser/device info, and request logs generated when you use the service (handled by our hosting/CDN provider).
Local storage — a session token and your theme preference are stored in your browser to keep you signed in.

2. How we use it

To provide, secure, and improve the service.
To process the text you submit to AI Dispatch into structured tasks (see §4).
To communicate sign-in links, account notices, and support responses.

3. AI processing

When you use AI features, the text you submit is sent to our model provider (Anthropic) to return a structured result. It is processed transiently to fulfil your request. If you supply your own API key (BYOK), your AI requests use that key under your provider's terms.

4. Service providers

We share data only with vendors that help us operate FlowDesk, under contract:

Supabase — database, authentication, and storage.
Cloudflare — hosting, CDN, and security.
Anthropic — AI processing of submitted text.
Stripe — payment processing, if you subscribe (we never see full card details).

We do not sell personal data or share it for advertising.

5. Retention & your rights

We keep your data while your account is active. You can export your tasks (CSV) and edit or delete your content at any time in the app. To delete your account and associated data, contact us. Depending on your location, you may have rights to access, correct, port, or erase your data.

6. Security

Data is protected with encryption in transit, row-level security isolating each workspace, scoped and rate-limited API keys for agents, and a tamper-evident audit trail. Sensitive secrets (e.g., a stored AI key) are encrypted at rest and never returned to the browser. No system is perfectly secure, but we work to protect your data.

7. International transfers

Our providers may process data in regions outside your own. We rely on their compliance frameworks and contractual safeguards for such transfers.

8. Children

FlowDesk is not directed to children under 16 and we do not knowingly collect their data.

9. Changes

We may update this policy; material changes will be reflected by the effective date above and, where appropriate, notified in-app.

10. Contact

Questions or requests: agents@flowdesk.app.

// This is a good-faith starting template. Before relying on it commercially, FlowDesk should confirm the legal entity, governing jurisdiction, and specific data-rights language with qualified counsel.