Privacy Policy

We are committed to protecting your personal data and your right to privacy. This policy explains what information we collect, why we collect it, and how we use it.

Last updated: May 26, 2026

Overview

Flowxar ("we", "us", or "our") operates the website flowxar.com and the Flowxar platform (the "Service"). This Privacy Policy describes how we handle personal data when you use our Service, and the rights you have in relation to that data.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

Definitions

  • Personal Data — Any information that identifies or can identify a natural person.
  • Usage Data — Data collected automatically from your use of the Service (e.g., page views, session duration).
  • Cookies — Small text files stored on your device by your browser.
  • Data Controller — Flowxar, which determines the purposes and means of processing personal data.
  • Data Processor — Third-party service providers that process data on our behalf.
  • End User — Visitors to our customers' websites who interact with onboarding flows delivered by our SDK.

Data We Collect

Account Data

When you register for Flowxar, we collect your name, email address, and organization name. This data is necessary to provide the Service.

Billing Data

Payment information is collected and processed directly by Stripe, our payment processor. We do not store full credit card numbers. We retain billing history (plan type, invoices, subscription status) to manage your account.

Usage Data

We collect information about how you use the Service, including pages visited, features used, and actions taken within the dashboard. This helps us improve the product.

SDK & End-User Data

Our JavaScript SDK is installed on customers' websites to deliver onboarding flows to their end users. The SDK collects only anonymized, non-personally-identifiable behavioral data: flow views, step completions, and dismissals. We do not collect names, email addresses, or any sensitive information about end users. All data is aggregated and used solely to power the analytics dashboard for our customers.

Analytics

We use PostHog (EU cloud) to understand how users interact with the Flowxar dashboard and to improve the product. PostHog is loaded only after you grant analytics consent via the cookie banner — it is never initialized on page load without your permission.

PostHog may collect:

  • Pages visited, features clicked, and session recordings (anonymized)
  • Events such as flow creation, step edits, and plan upgrades
  • Device type, browser, and approximate geographic region
  • Anonymized IP addresses (IP masking enabled)

All PostHog data is routed through our first-party proxy at kalabamba.flowxar.com, which forwards requests exclusively to PostHog's EU-hosted infrastructure (eu.posthog.com). No data is ever sent to US-based PostHog servers. PostHog processes data under a GDPR-compliant Data Processing Agreement.

If you decline analytics cookies, PostHog is never initialized and all tracking is suppressed. Any PostHog cookies already set (ph_*, __ph_opt_in_out_*) are automatically cleared.

We also use Supabase internal analytics for product usage metrics (feature adoption, flow performance). This data is never sold to third parties.

Advertising

We currently do not run paid advertising campaigns. If we introduce advertising pixels or retargeting in the future, we will update this policy and obtain the necessary consent before any such tracking is activated.

Any future advertising technologies will be placed in the Marketing cookie category in our consent banner and will only activate with your explicit consent.

Cookies & Consent

We use the following categories of cookies:

  • Strictly Necessary — Authentication session cookies required for login (sb-*) and your saved cookie preferences (cc_cookie). These cannot be disabled as they are essential for the Service to function.
  • Analytics — PostHog cookies (ph_*, __ph_opt_in_out_*) for product analytics and session recordings. Only activated after explicit consent. Legal basis: Consent.
  • Marketing & Support — Crisp live chat cookies (crisp-*) for customer support functionality. Only activated after explicit consent. Legal basis: Consent.

You can manage or withdraw your cookie preferences at any time using the Cookie Settings button in the footer or via your browser settings. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

International Data Transfers

Some of our third-party service providers are located outside the European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V:

  • Stripe (USA) — Processes billing data under Standard Contractual Clauses (SCCs) and is certified under the EU–US Data Privacy Framework.
  • Vercel (USA) — Hosts our application infrastructure. Data processing is governed by SCCs. EU traffic is routed to EU edge nodes where available.
  • PostHog (EU) — All analytics data is processed exclusively on EU-hosted infrastructure (eu.posthog.com) via our first-party proxy. No transfer outside the EEA occurs.
  • OpenAI (USA) — Used for AI copywriting features. Only flow content you explicitly submit to the AI feature is sent. OpenAI processes data under SCCs and does not use submitted content to train its models.
  • Supabase (USA/EU) — Our database and authentication provider. Data is stored on EU-region infrastructure. Processing governed by SCCs.

You can request a copy of the relevant safeguards by contacting us at support@flowxar.com.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:

  • Account data is deleted within 30 days.
  • Anonymized, aggregated analytics data may be retained indefinitely for product improvement.
  • Billing records are retained for up to 7 years to comply with financial regulations.

End-user behavioral data collected by the SDK is retained for 12 months and then automatically purged.

Security

We take the security of your data seriously and implement industry-standard measures:

  • All data is transmitted over HTTPS/TLS.
  • Data is stored on Supabase (PostgreSQL), which enforces Row-Level Security (RLS) so no customer can access another customer's data.
  • Passwords are never stored — we use magic link and OAuth authentication only.
  • Access to production systems is restricted to authorized personnel.

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Your Rights

Under the GDPR and applicable data protection law, you have the following rights regarding your personal data:

  • Access (Art. 15) — Request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Portability (Art. 20) — Request your data in a structured, machine-readable format where processing is based on consent or contract.
  • Objection (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes.
  • Restriction (Art. 18) — Request that we limit processing of your data in certain circumstances.
  • Withdraw Consent (Art. 7(3)) — Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time via the Cookie Settings in the footer. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, contact us at support@flowxar.com. We will respond within 30 days (extendable by two further months for complex requests, with notice).

You also have the right to lodge a complaint with your local data protection supervisory authority. If you are based in the EU, you can find your authority at edpb.europa.eu.

Third-Party Services

We rely on the following third-party services to operate:

  • Supabase — Database, authentication, and file storage. EU region.
  • Stripe — Payment processing and billing management. SCCs in place.
  • Vercel — Hosting and serverless infrastructure. SCCs in place.
  • PostHog (EU) — Product analytics and session recording. Only loaded with consent. All data stays on EU servers. DPA in place.
  • Crisp — Live chat support widget. Only loaded with consent. Used solely for customer support communication.
  • OpenAI — AI-powered copywriting features ("Magic Write"). Content is not used to train models. SCCs in place.

We do not sell your personal data to any third party.

Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us immediately and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact

If you have any questions about this Privacy Policy, please contact us: