What this policy covers

Cookies are small pieces of data stored by your browser when you visit a website. Browser storage (such as localStorage) can also hold interface preferences or short-lived state. This policy describes which cookies and storage mechanisms the Flow Solutions website and application currently use, what third-party requests are made, and how you can manage them.

This policy should be read together with our Privacy Policy.

Cookies currently used

All cookies currently used by Flow Solutions are strictly necessary for the service to function. They are used to authenticate signed-in users, maintain sessions, and support security features. These cookies cannot be disabled without breaking the service.

Name Purpose Type Duration
access_token Maintains the active authenticated web session for signed-in users. Essential authentication cookie Session (expires when the session ends or the token is refreshed, typically within 15–60 minutes)
refresh_token Supports secure session refresh and session lifecycle controls. Allows the session to be extended without re-entering credentials. Essential authentication cookie Persistent (up to 30 days, or until the user signs out)
device_id Identifies a browser or device for session and security workflows, such as detecting new device sign-ins. Essential security cookie Persistent (up to 1 year)
google_oauth_state Stores short-lived state for Google sign-in flow validation. Prevents cross-site request forgery during the OAuth flow. Essential temporary cookie Session (removed automatically after sign-in completes, typically within minutes)
google_pending_signup Stores short-lived state needed to finish Google signup. Essential temporary cookie Session (removed automatically after signup completes, typically within minutes)

Authentication cookies are set as Secure (transmitted only over HTTPS) and HttpOnly (not accessible to client-side JavaScript) where applicable. Exact durations may vary depending on session lifecycle events such as signing out, token rotation, or security-related session invalidation.

Browser storage

The application uses browser storage (such as localStorage) for product experience features. No browser storage is used for advertising, profiling, or tracking. Examples include:

  • UI preferences such as avatar theme, user initials, active settings tab, and sidebar state;
  • draft workflow snapshots stored locally for recovery in the workflow editor;
  • short-lived redirect-aware login handling that reads temporary session state if present.

Browser storage data remains on your device and is not transmitted to our servers. If you clear your browser storage, some preferences or draft-recovery behavior may reset. This does not affect your account or data stored on our servers.

Third-party requests and asset loading

Some pages load fonts or JavaScript libraries from third-party content delivery networks (CDNs). When those assets load, the CDN provider may receive technical request data such as your IP address, browser type and version, referring page URL, and the time of the request. These requests are made to deliver functionality, not for advertising or tracking purposes.

Provider What it delivers Where it loads Provider's privacy policy
fonts.googleapis.com / fonts.gstatic.com Web fonts (Google Fonts) Public pages and subscription pages Google Privacy Policy
cdn.tailwindcss.com Tailwind CSS runtime Public and app layouts Tailwind Privacy Policy
unpkg.com HTMX library Public and app layouts Operated by Cloudflare; see Cloudflare Privacy Policy
cdn.jsdelivr.net QR code library, Chart.js Integrations, admin, and app pages jsDelivr Privacy Policy
cdnjs.cloudflare.com GSAP animation library App layout Cloudflare Privacy Policy
js.stripe.com Stripe checkout and payment UI Subscription purchase page Stripe Privacy Policy

We are evaluating self-hosting fonts and JavaScript libraries to reduce the number of third-party requests and minimize the data shared with CDN providers. As we transition to self-hosted assets, this table will be updated accordingly.

Future non-essential cookies or tracking

No first-party marketing analytics, ad-tech tags, advertising pixels, or behavioral tracking cookies are currently in use. If non-essential cookies or similar tracking technologies are introduced in the future, we will implement a consent mechanism compliant with the EU ePrivacy Directive and GDPR before enabling them and will update this policy accordingly. Non-essential cookies will not be set until you have given explicit consent.

Managing cookies

You can control cookies through your browser settings. Most browsers allow you to view, delete, and block cookies from specific or all websites. Note that disabling essential cookies will prevent you from signing in and using the application.

For instructions on managing cookies in common browsers:

If you have questions about a specific cookie or want to understand how it affects your experience, contact [email protected].

Contact

Questions about cookie usage or browser-side storage can be sent to [email protected].