Privacy Policy
Last updated: Mar 23, 2026
1. Who we are
Flowtag is operated by [YOUR NAME], Poland.
For privacy-related questions, contact us at: hello-flowtag@qwerty.ovh
2. What data we collect and why
2.1 Account data
When you create a Flowtag account, we collect:
- Email address — required for account creation, login, and service communications
- Username or display name — used to personalise the interface
- Password — stored as an irreversible cryptographic hash; we never see your plain-text password
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (providing the service)
2.2 Payment data
Payments are processed by Paddle.com Market Limited, acting as Merchant of Record. Flowtag does not store your card numbers or full billing details.
Paddle may collect:
- Payment card or PayPal account details
- Billing address
- Invoice details (name, company name, address, VAT number for B2B purchases)
Payment data processing is governed by Paddle's Privacy Policy. Paddle acts as an independent data controller for payment processing purposes.
Legal basis (Flowtag): Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(c) GDPR — legal obligation (retention of billing records)
2.3 Analytics data
We collect pseudonymous data about how you use the application, including:
- Feature clicks and UI interactions
- Usage events (e.g. launching a feature, saving a project)
- Session duration and frequency of use
This data is used solely to improve the product and identify bugs. It is never sold or shared with third parties for marketing purposes.
The retention period for raw analytics events depends on your subscription plan. See our Analytics & Data Retention Policy for full details.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (improving the quality of the service)
2.4 Technical data
We automatically collect data necessary for the operation and security of the service:
- IP address (truncated or hashed after 30 days)
- Browser type and version, operating system
- Error logs and exception reports
- API request timestamps
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (system security, abuse detection)
3. How long we keep your data
| Data category | Retention period |
|---|---|
| Account data | Until account deletion + 30-day buffer |
| Billing records (invoices) | 5 years (legal tax obligation) |
| Analytics — raw events | Depends on your plan (see Analytics & Data Retention Policy) |
| Analytics — aggregated, anonymous | Indefinitely |
| Technical logs | 90 days |
| Security logs | 12 months |
After the retention period expires, data is permanently deleted or irreversibly anonymised.
4. International data transfers
Flowtag uses infrastructure located in both the European Union and the United States. Your data may be processed on servers outside the EEA.
For transfers to the US, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Where applicable, transfers to providers certified under the EU-U.S. Data Privacy Framework
A full list of our sub-processors is available at /legal/subprocessors.
5. Your rights
Under GDPR, you have the following rights:
- Right of access — request a copy of the data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restriction — request that we pause processing of your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at: hello-flowtag@qwerty.ovh
We will respond within 30 days of receiving your request.
You also have the right to lodge a complaint with your local supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl. If you are based in another EU country, you may contact your national data protection authority.
6. Sub-processors
We work with trusted third-party providers who process data on our behalf. A full and up-to-date list of sub-processors, including their purpose and data location, is available at /legal/subprocessors.
7. Cookies and similar technologies
Flowtag uses cookies solely for functional purposes:
- Session cookies — to keep you logged in
- Preference cookies — to remember interface settings
PostHog, our analytics provider, may set its own cookies for session identification. We do not use advertising or third-party tracking cookies.
You can manage cookies through your browser settings. Disabling functional cookies may prevent some features of the application from working correctly.
8. Data security
We apply the following technical and organisational security measures:
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest
- Least-privilege access controls
- Incident response procedures
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay, as required by GDPR.
9. Children
Flowtag is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with their data, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy as the service evolves or regulations change. For significant changes, we will notify you by:
- Email to the address associated with your account, or
- In-app notification
The date of the last update is always visible at the top of this document. Continued use of Flowtag after changes take effect constitutes acceptance of the updated policy.
11. Contact
Email: hello-flowtag@qwerty.ovh