1. Data controller
The data controller is Flowmatic, contactable at privacy@flowmatic.app. Identification details (legal form, SIREN, registered address) are listed on the Legal Notice page.
2. What data we collect
We collect only what we need to run the Service:
- Account data: email address, display name, password hash (if not OAuth-only), avatar URL.
- OAuth tokens: Discord / Twitch / Google access & refresh tokens — encrypted at rest using AES-256-GCM.
- Workflows: the nodes, edges, configuration, and expressions you create.
- Execution data: logs of each workflow run (status, timestamps, error messages, sampled outputs).
- Billing data: processed by Stripe — we store only the Stripe customer ID, plan, and billing status.
- Technical data: IP address (for security / rate limiting), browser / device fingerprint, language preference.
- Communications: emails you send us (support, legal).
3. Why we process it (legal bases — GDPR Art. 6)
- Contract performance (Art. 6.1.b): running the Service for you (account, workflows, executions, billing).
- Legitimate interest (Art. 6.1.f): security, abuse prevention, debugging, product analytics on aggregate usage.
- Consent (Art. 6.1.a): non-essential cookies, optional marketing emails. You can withdraw consent at any time.
- Legal obligation (Art. 6.1.c): retaining billing data as required by accounting law (3 years minimum, Article L123-22 of the French Code de Commerce).
4. How long we keep it
- Account data: until you delete your account, then anonymised within 30 days.
- Workflows: as long as the account exists.
- Execution logs: 30 days (free), 90 days (Pro), 1 year (Enterprise).
- OAuth tokens: until you disconnect the integration or delete your account.
- Billing data: 3 years after the last transaction (legal obligation).
- Audit logs: 90 days for security investigations.
5. Who we share it with (sub-processors)
We share data with the minimum number of trusted sub-processors, each bound by appropriate contractual safeguards (SCCs for transfers outside the EU/EEA):
- Stripe — payment processing (US, with EU SCCs)
- Discord — OAuth + workflow actions you configure
- Twitch — OAuth + workflow actions you configure
- Google — OAuth (Gmail / Calendar / Drive integrations, if used)
- Hosting provider — see Legal Notice for the current host
- SMTP provider — outbound transactional email (magic links, notifications)
- MongoDB — primary database (EU region)
- MinIO / S3 — object storage (workflow attachments, exports)
We never sell your data. We don't share it for advertising purposes.
6. How we protect it
- TLS encryption in transit for every HTTP request.
- OAuth tokens encrypted at rest with AES-256-GCM.
- Session cookies set with the HttpOnly and Secure flags, plus CSRF double-submit protection.
- Short-lived JWT access tokens (15 min) paired with refresh tokens (7 days).
- Rate limiting + brute-force protection.
- Bcrypt-hashed passwords (when password auth is used).
- Regular dependency updates and security audits.
7. Your rights (GDPR Art. 15-22)
You can exercise the following rights at any time:
- Access: get a copy of all the personal data we hold about you.
- Rectification: correct inaccurate or outdated data.
- Erasure ("right to be forgotten"): request deletion of your account and associated data.
- Portability: get a structured, machine-readable export of your data.
- Restriction: ask us to pause processing in certain cases.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing relies on consent (e.g. cookies, marketing).
To exercise any of these rights, email privacy@flowmatic.app or use the "Download my data" / "Delete my account" controls in your account settings. We respond within 30 days.
If you're not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority. In France that's the CNIL.
8. International transfers
Most processing happens in the EU. Where transfers to a third country are necessary (e.g. Stripe in the US), we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards.
9. Cookies
We use a small number of strictly necessary cookies for authentication, security, and theme preferences. Details and your choices are documented in our Cookie Policy.
10. Changes to this policy
We'll update this policy if our practices change. Material changes are announced by email or in-app notice at least 30 days before taking effect. The "Last updated" date at the top tells you when the current version was published.
11. Contact
For any privacy-related question, contact us at privacy@flowmatic.app.