Privacy Policy

Last updated: 2026-05-16

This Privacy Policy explains how Flowfy processes personal data when you use our services (web and mobile app).

Data controller: Flowfy, a sole proprietorship registered in Sweden. Contact: info@flowfyco.com.

1. Summary (store-reviewer friendly)

• We collect the data needed to run Flowfy (account, favorites/preferences, security, and payments).
• Payments may be handled via Apple App Store, other mobile purchase flows, Stripe, and/or PayPal. We typically do not store full card details.
• We do not sell personal data and we do not use personal data for targeted advertising.
• The Free plan may show non‑personalized ads (no targeted advertising) on some platforms. Ads are temporarily disabled in the iOS app.

2. How Flowfy is built (short)

• API & hosting: Flowfy runs on a Cloudflare Worker that handles authentication and API requests.
• Accounts & storage: We use Supabase (Auth + database) for user accounts and app data.
• Content (prompts): Prompt metadata and content for prompts/prompt packs are fetched from Webflow CMS.
• Payments: Stripe/PayPal (web) and in-app mobile purchases. We may use a technical provider (such as RevenueCat) to validate and sync mobile purchases.
• Notifications: If you enable push notifications, a provider (such as Expo and platform providers) may process a device token to deliver notifications.

3. Data we collect

• Account data: email address, user ID, and login/session data.
• Profile data: display name and avatar URL (if you provide them), and plan/entitlements (e.g., subscription status or prompt pack access).
• Favorites & settings: favorites, preferences (language, theme, notification preferences), and similar app settings.
• Usage & activity: actions such as viewing, copying, or favoriting prompts, with timestamps and sometimes category. We also store usage events to enforce limits/cooldowns.
• Feedback: whether feedback prompts were shown and any vote you submit (e.g., thumbs up/down).
• Device/technical data: IP address, user-agent, and approximate location (country) for security and operations; device information you provide to the app for diagnostics/analytics.
• Payment data: payment status and references/IDs (for example customer/subscription IDs) from Stripe/PayPal, and/or order/transaction references from in-app mobile purchases. Payment providers process payment method details.

We do not ask for access to your contacts, photos, camera roll, or precise location to provide the core Flowfy service.

4. How we use data

• To provide the service (authentication, access to prompts, favorites, and settings).
• To enforce usage limits/cooldowns and prevent abuse.
• To process payments, manage subscriptions, and deliver purchased content.
• To deliver push notifications if you enable them.
• To maintain security, troubleshoot issues, and improve Flowfy.

5. Legal basis (GDPR)

• Contract: to provide Flowfy and your purchases/subscriptions.
• Legitimate interests: security, fraud prevention, service reliability, and product improvement.
• Legal obligation: accounting and compliance requirements where applicable.
• Consent: for push notifications (when you choose to enable them) and, where applicable, for advertising.

6. Sharing & third-party processors

We use vendors to operate and deliver Flowfy. Depending on the feature, data may be processed by:

• Supabase (accounts, database, authentication)
• Cloudflare (hosting, DDoS protection, traffic/security logs)
• Webflow (CMS for prompts/prompt packs content)
• Unity LevelPlay (Unity Ads) (ads in the Free plan, if applicable)
• Stripe and PayPal (payments/subscriptions on web)
• Mobile app stores (In‑App Purchases/subscriptions on mobile)
• RevenueCat (mobile purchase validation/sync, if applicable)
• Expo and platform providers (push notifications, if enabled)

We do not sell personal data. We do not share personal data with third parties for targeted advertising.

Our vendors may only process personal data on our instructions and under agreements that require at least the same level of protection described in this policy and required by applicable rules.

7. Advertising (Unity LevelPlay/Unity Ads) and App Tracking Transparency

The Free plan may show non‑personalized ads via Unity LevelPlay (Unity Ads) on some platforms. We aim to deliver non‑personalized ads (no targeted advertising). Ads are temporarily disabled in the iOS app.

• What may be processed: technical data like IP address, device information, approximate location (country), and ad interactions (such as impressions/clicks) to deliver and measure ads.
• Tracking (ATT): if we request permission for tracking on iOS (App Tracking Transparency), you can choose to deny it. If you deny, ads may still be shown, but without tracking for advertising. You can change your choice in iOS Settings. The iOS app currently does not show ads.

We do not use personal data for targeted advertising and we do not track you across other companies' apps/websites for advertising.

8. International data transfers

Our vendors may process data in countries other than your own (including the United States). Where required, we use appropriate safeguards such as Standard Contractual Clauses and vendor agreements.

9. Data retention (clear timeframes)

• Account and app data: stored for as long as you keep an account, then deleted when you delete your account (except where retention is required by law).
• Operational and security logs: typically up to 30 days.
• Usage/activity logs (limits and recommendations): typically up to 12 months, or until you delete your account.
• Payment-related records: may be kept up to 7 years for accounting, tax, and compliance.

10. Account deletion

You can delete your account in the app: Settings → Delete account.

If you cannot access the app, you can request deletion by email: info@flowfyco.com.

What we delete: your login account, profile, favorites, preferences, and user-linked app activity (such as usage/activity logs and feedback tied to your user ID).

What we may keep: payment/transaction records and limited logs required for accounting, fraud prevention, and security (see retention above). Payment providers (Stripe/PayPal) also retain records under their own policies.

Timing: deletion is typically prompt, but may in some cases be scheduled (for example to enforce usage limits/cooldowns and prevent abuse). Some data may remain in backups for up to 30 days.

11. Children's privacy

Flowfy is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided personal data, contact us and we will delete it.

12. Your rights

• Request access, correction, deletion, or portability of your personal data.
• Object to or request restriction of certain processing where applicable.
• Withdraw consent at any time where processing is based on consent (e.g., disable push notifications in your device Settings). Withdrawal does not affect the lawfulness of processing before the withdrawal.
• Lodge a complaint with your national data protection authority. In Sweden: Integritetsskyddsmyndigheten (IMY), www.imy.se.

13. Security

• Encryption in transit (TLS/HTTPS).
• Access controls and least-privilege design.
• Database access is controlled by permissions and (where applicable) row-level security (RLS) policies.

14. Changes

We may update this policy from time to time. The latest version is always available on this page.

15. Automated decision-making

Flowfy does not make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you.