Privacy Policy | Flow Solutions AI

Controller information

The data controller for the hosted service is Flow Solutions Ltd., a limited liability company registered in Hungary, with its registered office at Váci út 76, 1133 Budapest, Hungary.

Privacy questions, rights requests, and data protection inquiries should be sent to [email protected].

When you use Flow Solutions to process lead data (contact details, message history, qualification data for individuals you import or connect), you act as the data controller for that lead data and Flow Solutions Ltd. acts as your data processor. This policy primarily addresses our processing of your account and service data as a controller. For information about how lead data is handled, see the data processing roles section below, our Terms of Service, and our Data Processing Agreement.

Categories of personal data we process

The platform currently processes the following categories of personal data:

Account and profile data: first name, last name, username, email address, password hash and salt, Google sign-in identifier, company name, bio, avatar and theme preferences, and account flags.
Session and security data: session identifiers, refresh state, device identifiers, IP address, user agent, session timestamps, MFA enrollment or challenge state, email-verification tokens, and related audit and security events.
Lead and conversation data: lead identifiers, contact details (names, phone numbers, email addresses), source labels, qualification state, workflow progress, message history, answer history, scheduling state, follow-up state, and related analytics or export data. Note: this data is processed by Flow Solutions Ltd. as a data processor on your behalf — see data processing roles.
Workflow data: workflow names, prompts, question trees, messaging logic, connected integration identifiers, language settings, rotation settings, and saved workflow content.
Integration data: integration names, channel identifiers, app credentials, tokens, session cookies, phone numbers, account IDs, email addresses, and related connection status data used to operate the integration.
Google Sheets data: connected spreadsheet metadata, column mappings, processed-row fingerprints, and lead records pulled from connected sheets.
Billing and subscription data: subscription plans, subscription state, billing identifiers, billing events, usage limits, AI budget settings, Stripe customer IDs, and related billing history.
Notification and operational data: notification preferences, in-app notification events, presence or websocket state, and platform-level administrative action data.
AI processing data: when the service uses AI to generate, edit, or qualify message content, portions of your workflow prompts, question trees, and lead conversation data may be transmitted to third-party AI model providers for processing. See AI model providers for details.
Support and communications data: messages or materials you send to us when requesting help, reporting issues, or handling account questions.

Why we process personal data and our legal bases

We process personal data for the following purposes:

Contract performance (GDPR Art. 6(1)(b)): to create and maintain accounts, authenticate users, secure sessions, operate workflows, process leads, execute integrations, manage notifications and user settings, process subscriptions, apply plan limits, and manage billing.
Legitimate interests (GDPR Art. 6(1)(f)): to maintain service reliability, debug problems, investigate incidents, prevent fraud and abuse, enforce our Terms of Service, improve the platform, and protect the security of our systems and users. Our legitimate interests do not override your fundamental rights and freedoms.
Legal compliance (GDPR Art. 6(1)(c)): to meet tax, accounting, anti-fraud, and other legal obligations that apply to us under Hungarian and EU law.
Consent (GDPR Art. 6(1)(a)): where consent is specifically required, such as for optional marketing communications. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Where the data comes from and who receives it

We receive personal data directly from you when you create an account, configure workflows, or contact support. We also receive data from your connected third-party services (such as WhatsApp, Instagram, Gmail, Telegram), from lead imports or synced Google Sheets rows, from authentication providers (such as Google, if you use Google sign-in), and from our own application logs, session systems, and billing flows.

We may share data with the following categories of recipients:

Infrastructure and hosting: private server infrastructure located within the European Union.
Payment processing: Stripe, Inc. for subscription billing and payment handling. Stripe may process data in the United States under Standard Contractual Clauses — see international transfers.
AI model providers: third-party AI services used to power the AI-assisted features of the platform — see AI model providers for details.
Third-party messaging platforms: WhatsApp, Instagram, Gmail, Telegram, Messenger, and SMS providers — only when you instruct the service to send messages through these channels.
Google services: when you connect Google Sheets or use Google sign-in.

We do not sell personal data. We do not share personal data with advertisers. We disclose information to third-party services only when you instruct the product to connect, sync, or send through them, or where disclosure is required by law.

AI model providers

The service uses third-party AI model providers to power AI-assisted features such as message generation, message editing, conversation handling, and lead qualification. When these features are used, portions of your workflow configuration and lead conversation data may be transmitted to the AI provider for processing.

The AI providers currently used by the service are:

Provider	Purpose	Data transmitted	Processing location
Anthropic (Claude)	Message generation, conversation handling, lead qualification	Workflow prompts, question trees, lead conversation content (messages and responses)	United States (under Standard Contractual Clauses)

This table will be updated if additional AI providers are added. AI providers are contractually bound to process data only for the purpose of providing the AI service and are prohibited from using your data to train their models, in accordance with their data processing terms.

No AI provider receives your account credentials, payment information, or integration access tokens. The data transmitted to AI providers is limited to what is necessary to generate or process the requested output.

Retention and security

We retain data for as long as necessary to provide the service, secure accounts, maintain subscription state, resolve disputes, enforce agreements, and meet legal obligations. Our retention practices are:

Account data: retained for as long as your account is active, and for a minimum of 90 days after account deletion to allow for recovery and to meet legal obligations.
Lead and conversation data: retained for as long as your account is active. After account deletion, lead data is deleted within 90 days unless a longer retention period is required by law.
Session and security data: session tokens and short-lived security records (such as email verification tokens and MFA challenge records) are automatically expired and removed according to their lifecycle. Security audit logs are retained for a minimum of 90 days.
Billing data: retained for 8 (eight) years after the end of the relevant financial year, as required by the Hungarian Act C of 2000 on Accounting (2000. évi C. törvény a számvitelről), Section 169, which mandates the retention of accounting records and supporting documents for this period.
Support communications: retained for as long as your account is active and for a minimum of 90 days after deletion.
AI processing data: data transmitted to AI providers is processed in real time and is not retained by the AI provider beyond the duration of the API request, in accordance with their data processing terms.

The application uses authentication cookies, token hashing, password hashing (with salting), session lifecycle controls, HTTPS encryption in transit, and related operational safeguards. No system is perfectly secure, and you are responsible for securing your own endpoints, credentials, and connected services.

Automated decision-making and profiling

The service includes AI-assisted features that automatically process lead responses to categorize, qualify, and prioritize leads based on the criteria you define in your workflow setup.

This processing is purely advisory and informational. It does not produce any legal effect for the individuals being contacted and does not result in any binding decision, denial of service, contractual consequence, or restriction of opportunity for those individuals. The automated qualification is a tool that assists you, the user, in prioritizing your own outreach. You remain responsible for reviewing the results and making any consequential decisions about how to handle each lead.

Because the automated processing does not produce legal effects or similarly significant effects on the individuals concerned, it does not fall within the scope of GDPR Article 22(1). Nevertheless, we disclose this processing in the interest of transparency.

If you are a lead who has been contacted through the service and you have questions about how your responses were processed, you may contact the business that reached out to you. You may also contact us at [email protected] and we will direct your inquiry to the appropriate account holder.

Data processing roles

When you upload lead lists, connect spreadsheets, or import contact data into the service, you are the data controller for that personal data under GDPR. Flow Solutions Ltd. acts as your data processor, processing lead data solely on your documented instructions and for the purpose of operating the service on your behalf.

The binding terms of this controller-processor relationship are set out in our Data Processing Agreement, which is automatically accepted when you create an account and satisfies the requirements of GDPR Article 28.

As data controller, you are responsible for having a lawful basis to collect and contact the individuals whose data you import, providing those individuals with appropriate privacy notices, and responding to their data subject rights requests. Flow Solutions will assist you in fulfilling those obligations to the extent technically feasible within the service.

Your privacy rights

Under GDPR and applicable data protection law, you have the following rights regarding your personal data:

Access (Art. 15): you can request a copy of the personal data we hold about you.
Rectification (Art. 16): you can ask us to correct inaccurate or incomplete data.
Erasure (Art. 17): you can ask us to delete your personal data, subject to legal retention requirements.
Restriction (Art. 18): you can ask us to restrict processing in certain circumstances.
Portability (Art. 20): you can request your data in a structured, commonly used, machine-readable format.
Objection (Art. 21): you can object to processing based on legitimate interests.
Withdrawal of consent: where processing is based on consent, you can withdraw it at any time.
Automated decisions (Art. 22): you can request human review of decisions made solely by automated processing that produce legal or similarly significant effects.

To exercise any of these rights, contact [email protected]. We will respond within 30 days as required by GDPR Article 12(3). We may need to verify your identity before acting on a request. If your request is complex or we receive a high volume of requests, we may extend the response period by a further 60 days with prior notice.

International transfers

Our infrastructure is hosted within the European Union. We process and store personal data within the EU wherever possible.

Some of our service providers may process data outside the EU/EEA. Where this occurs, we ensure that appropriate safeguards are in place as required by GDPR Chapter V. Specifically:

Stripe, Inc. (payment processing): may process data in the United States. Transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.
Anthropic (AI model provider): processes data in the United States. Transfers are covered by Standard Contractual Clauses and Anthropic's data processing terms, which prohibit use of transmitted data for model training.

You can request details of the specific safeguards applied to international transfers by contacting [email protected].

Children

The service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. You may not use the service to process data relating to children under the age of 18. If you become aware that a child has provided us with personal data, or that lead data containing children's personal data has been uploaded to the service, please contact us at [email protected] and we will take steps to delete that data.

Data protection officer

Flow Solutions Ltd. has assessed its obligation to appoint a Data Protection Officer under GDPR Article 37. Based on our current assessment, the appointment of a DPO is not required at this time. Our assessment is based on the following factors:

Flow Solutions Ltd. is not a public authority or body.
Our core activities do not consist of processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale. While the service processes lead data and uses AI-assisted qualification, this processing is performed on behalf of individual account holders (who are the data controllers) and is limited in scale to each account holder's own lead lists.
Our core activities do not consist of processing special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10) on a large scale.

This assessment is reviewed periodically and will be updated if the nature or scale of our processing changes. If a DPO is appointed in the future, their contact details will be published here and communicated to the Hungarian supervisory authority (NAIH).

In the absence of a DPO, all privacy inquiries should be directed to [email protected].

Cookies and browser storage

For specific information about authentication cookies, browser-side storage, and third-party asset requests used by the website and app, see our Cookie Policy.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the application at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact and complaints

Privacy requests and complaints can be sent to [email protected].

If you are in the EEA, UK, or another region with supervisory complaint rights, you also have the right to lodge a complaint with your local data protection authority. In Hungary, the supervisory authority is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), reachable at www.naih.hu.

What Flow Solutions collects, stores, and uses.