Privacy Policy
This Privacy Policy describes how Flowdown ("we", "us", "our") collects, uses, and protects your personal information when you use our web application at flowdown.io (the "Service"). We are committed to protecting your privacy and being transparent about how we handle your data.
1. Information We Collect
1.1 Account Information
When you register for a Flowdown account, we collect:
- Email address — used for authentication, account recovery, and important service communications.
- Display name — shown within the application interface.
- Password — stored as a cryptographic hash (bcrypt). We never store your password in plain text and cannot retrieve it.
1.2 User Content
We store the flowcharts, diagrams, and related data you create using the Service. This includes:
- Flowchart structure data (nodes, edges, layouts).
- Text labels and annotations within flowcharts.
- Metadata such as creation date, last modified date, and flowchart titles.
1.3 Usage Data
We may collect limited usage data to improve the Service, including:
- Feature usage patterns (which tools and features are used).
- Session duration and frequency of use.
- Error logs and crash reports.
- Browser type, operating system, and screen resolution.
1.4 Information We Do Not Collect
We do not collect payment information (credit card numbers, billing addresses, etc.) directly. All payment data is collected and processed exclusively by Paddle, our Merchant of Record (see Section 3).
2. How We Use Your Data
We use the information we collect for the following purposes:
- Provide the Service — store and display your flowcharts, authenticate your account, and deliver the features you use.
- Improve the product — analyze usage patterns to understand which features are most valuable, identify bugs, and guide product development.
- Communicate with you — send essential service notifications (e.g., password resets, plan changes, Terms updates). We do not send marketing emails without your explicit consent.
- Ensure security — detect and prevent fraud, abuse, and unauthorized access.
3. Payment Processing — Paddle as Merchant of Record
Paddle.com Market Limited ("Paddle") acts as the Merchant of Record for all Flowdown subscription payments. This means:
- Paddle is the entity that processes your payment and appears on your bank or credit card statement.
- Paddle collects and processes your payment information (credit/debit card details, billing address, etc.) directly. Flowdown never receives or stores this data.
- Paddle handles all sales tax, VAT, and other transaction-related taxes on our behalf.
- Paddle manages refunds in accordance with their policies.
When you make a purchase, we share your email address and account identifier with Paddle so they can associate the payment with your Flowdown account. Paddle processes this data under their own privacy policy.
For details on how Paddle handles your data, please review Paddle's Privacy Policy.
4. AI Features and OpenAI
Flowdown's Pro plan includes AI-powered features for generating and editing flowcharts. These features are powered by OpenAI.
4.1 What Data Is Sent to OpenAI
When you use AI features, the following data may be sent to OpenAI's API for processing:
- Your text prompts and instructions (e.g., "Create a flowchart for user onboarding").
- Relevant context from your current flowchart (node labels, structure) to provide accurate AI assistance.
4.2 What Data Is Not Sent
We do not send your email address, name, password, account information, or data from other flowcharts to OpenAI. Only the minimum data necessary for the specific AI request is transmitted.
4.3 OpenAI Data Handling
Data sent to OpenAI via the API is processed according to OpenAI's usage policies and their privacy policy. As of the last update of this policy, OpenAI does not use data submitted through its API to train its models.
5. Data Storage and Security
5.1 Where Your Data Is Stored
Your account information and flowchart data are stored in a PostgreSQL database hosted by Neon, with servers located in the European Union (EU). This means your data benefits from the strong data protection standards provided under EU regulations.
5.2 Security Measures
We take reasonable measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit.
- Passwords stored using bcrypt hashing with appropriate salt rounds.
- JWT-based authentication with appropriate token expiration.
- Database access restricted to the application layer with secured credentials.
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Cookies and Local Storage
Flowdown uses minimal cookies and local storage, limited to:
| Name | Purpose | Type | Duration |
|---|---|---|---|
| Authentication token (JWT) | Keeps you signed in to your account | Local storage | Until logout or expiration |
| Theme preference | Remembers your light/dark mode choice | Local storage | Persistent |
We do not use third-party tracking cookies, analytics cookies, or advertising cookies. We do not participate in ad networks or share data with advertisers.
7. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Deleted accounts: When you delete your account, we permanently remove your personal data and flowchart content from our databases within 30 days. Some data may persist in encrypted backups for up to 90 days before being purged.
- Cancelled subscriptions: If you cancel your paid subscription, your account and data remain intact (you revert to the Free plan). Only account deletion removes your data.
8. Your Rights
You have the following rights regarding your personal data:
- Access: You can view all personal data associated with your account through the application settings.
- Export: You can export your flowcharts at any time in PNG, SVG, JSON, or Mermaid format. You may also request a full data export by contacting us.
- Correction: You can update your name and email address through the account settings.
- Deletion: You can delete individual flowcharts or your entire account at any time. Account deletion permanently removes all associated data.
- Portability: You can export your data in standard formats (JSON, Mermaid) that can be used with other tools.
To exercise any of these rights or for requests we cannot fulfill through the application, please contact us at [email protected].
9. Third-Party Services
Flowdown relies on the following third-party services. Each operates under their own privacy policies:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Paddle | Merchant of Record — payment processing, billing, taxes, refunds | Email address, account ID | paddle.com/legal/privacy |
| OpenAI | AI-powered flowchart generation (Pro plan only) | Text prompts, flowchart context | openai.com/policies/privacy-policy |
| Neon | PostgreSQL database hosting (EU region) | All account and flowchart data (stored) | neon.tech/privacy |
10. Children's Privacy
Flowdown is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at [email protected].
11. International Data Transfers
Our primary data storage is in the EU. However, when you use AI features, data may be processed by OpenAI in the United States. Paddle may also process payment data in jurisdictions outside your country of residence. By using the Service, you consent to these transfers. We ensure that appropriate safeguards are in place for any international data transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or through a notice on the Service.
We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: [email protected]
For payment-related privacy inquiries, you may also contact Paddle directly.