Privacy Policy

Last updated: May 12, 2026

Table of Contents

  1. Introduction
  2. Information We Collect
  3. Legal Basis for Processing (GDPR)
  4. How We Use Your Information
  5. How We Share Your Information
  6. Data Retention
  7. Your Rights (GDPR)
  8. California Privacy Rights (CCPA)
  9. International Data Transfers
  10. Cookies
  11. Security
  12. Children's Privacy
  13. Updates to This Policy
  14. Contact Information

1. Introduction

Flowctory ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

This Privacy Policy should be read alongside our Terms of Service.

2. Information We Collect

2.1 Account Information

When you register for a Flowctory account, we collect and store:

  • Email Address: Your email address, used for account identification and communication
  • Password: If you register with email, your password is securely hashed (we never store plaintext passwords)
  • Display Name: Your name, either provided by you or obtained from your social login provider (Google)
  • Avatar URL: Your profile picture URL, if provided by your social login provider
  • Timezone: Your timezone preference for displaying dates and times

You can register and log in using email and password, or through Google OAuth. Google OAuth is used for authentication only; cloud storage accounts are connected separately.

2.4 Media Content

We handle several types of media content through the Service:

  • When you upload a video or image, the file is temporarily stored on our servers solely for the purpose of providing the Service. Uploaded files are automatically deleted from our servers within 24 hours of upload or upon successful processing.
  • You may upload images and videos to a persistent library stored in Supabase cloud storage. These files are retained until you delete them and can be used as inputs for AI content generation workflows.
  • Images and videos generated through our Canvas AI features are stored in Supabase cloud storage and linked to your account. Generated content is retained until you delete it or your account is closed.

2.5 Cloud Storage Connections

When you connect a cloud storage provider (Google Drive, Dropbox), we collect and store:

  • Email Address: The email address associated with your cloud storage account
  • Display Name: Your display name on the cloud storage provider
  • Storage Provider: OAuth access and refresh tokens (encrypted) to access your cloud storage on your behalf
  • Your folder preferences for file browsing and auto-save destinations

Cloud storage connections are used to import files into Flowctory and optionally auto-save generated content to your preferred cloud folder.

2.6 AI-Generated Content Data

When you use our Canvas AI features to generate images or videos, we collect and process:

  • Text prompts and generation parameters you provide
  • Images you select from your library or upload for AI processing
  • The resulting generated images and videos, stored in Supabase cloud storage
  • We do not use any of these inputs or outputs to train AI models, and our AI providers have agreed not to use them for training general-purpose AI models

Your prompts and reference images are transmitted over TLS to our AI processing providers (currently kie.ai and xAI) solely to fulfill your generation request. Generated outputs are stored in your account on Supabase storage until you delete them or close your account.

See Section 5.3 (AI Generation Providers) for the list of AI processing providers and the no-training commitment.

2.8 Technical and Usage Data

We automatically collect certain technical information when you use the Service:

  • IP address
  • Browser type and version
  • Device information
  • Access timestamps
  • Error logs and diagnostic data

We do not use third-party analytics services or tracking tools.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

3.1 Contract Performance

Processing is necessary to provide you with the Service, including:

  • Creating and managing your Flowctory account
  • Uploading and processing your media content
  • Connecting your cloud storage accounts (Google Drive, Dropbox) for file import and auto-save
  • Connecting third-party services (cloud storage, AI providers) on your behalf
  • Generating images and videos through Canvas AI features using your prompts and media
  • Processing payments and managing subscriptions

3.2 Legitimate Interests

We process certain data based on our legitimate interests, including:

  • Improving and securing the Service
  • Troubleshooting technical issues
  • Preventing fraud and abuse

3.3 Legal Obligations

We may process your data when required by law, such as responding to legal requests or complying with applicable regulations.

3.4 Consent

Where required, we will obtain your explicit consent before processing your data. You may withdraw your consent at any time.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate you and manage your Flowctory account
  • Connect third-party services (cloud storage, AI providers) on your behalf
  • Upload and process media content you submit
  • Generate images and videos using AI through our Canvas features
  • Connect your cloud storage accounts for file import and auto-save of generated content
  • Process payments and manage your subscription
  • Display content generation history and status within the application
  • Troubleshoot issues with failed uploads
  • Communicate with you about the Service (service announcements, security alerts)
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Comply with legal obligations

We do not use your personal information for advertising purposes or sell it to third parties.

5. How We Share Your Information

We share your information only in the following circumstances:

5.2 Cloud Storage Providers

When you connect a cloud storage service, we share necessary authentication data with the provider to access your files on your behalf:

Google Drive

We use Google Drive APIs to browse your files and optionally save generated content. Google's handling of your data is governed by Google's Privacy Policy.

Dropbox

We use Dropbox APIs to browse your files and optionally save generated content. Dropbox's handling of your data is governed by Dropbox's Privacy Policy.

5.3 AI Content Generation Providers

When you use Canvas AI features, your prompts, generation parameters, and any uploaded reference images are transmitted over TLS to one or more of the following AI processing providers, depending on the model you select:

kie.ai

kie.ai fronts multiple AI model families (including Veo, Seedream, Runway, and others) for image and video generation. Your prompts, generation parameters, and uploaded reference images are sent to kie.ai for processing. kie.ai processes your data solely to fulfill the generation request and does not use it to train general-purpose AI models. See kie.ai's terms and privacy policy at kie.ai.

xAI (Grok Imagine)

xAI is used for Grok Imagine image and video generation. Your prompts and any uploaded images are sent to xAI for processing. Per xAI's enterprise data policy, API inputs are not used to train xAI models by default. See xAI's privacy policy at x.ai/legal/privacy-policy.

No Training on Your Inputs

Neither Flowctory nor any of our AI processing providers uses your prompts, uploaded reference images, or generated outputs to train AI models.

Retention by AI Providers

AI providers generally retain inputs only for the duration of processing plus a short abuse-prevention window (typically up to 30 days) and then delete them. We separately store the generated outputs you keep, as described in Section 6 (Data Retention).

Where AI Processing Happens

AI providers may process your data in the United States or other jurisdictions outside the EEA. International transfers are governed by appropriate safeguards (Standard Contractual Clauses or equivalent) as described in Section 9 (International Data Transfers).

Provider Safety Systems

AI providers operate automated safety and abuse-prevention systems that may inspect prompts and reference images to detect prohibited content (for example, child sexual abuse material). These systems are operated by the providers; Flowctory does not control them.

5.4 Service Providers

We use trusted third-party service providers to help operate the Service:

  • Payment Processor: We use Stripe to process payments and manage subscriptions. Stripe receives your payment information (card details, billing address) directly. We do not store your full card details. Stripe's handling of your data is governed by Stripe's Privacy Policy.
  • We use Supabase for cloud file storage. Your library files and AI-generated content are stored on Supabase infrastructure. Supabase's handling of your data is governed by their privacy policy.
  • Hosting Provider: Our servers are hosted on infrastructure that may have access to server logs and technical data necessary to provide hosting services.
  • Database Provider: We use PostgreSQL for data storage. All data is encrypted at rest.

These providers are contractually obligated to protect your information and may only use it to provide services to us.

5.5 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests by public authorities (e.g., court orders, subpoenas).

5.6 Business Transfers

If Flowctory is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.7 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

Data Type | Retention Period
Account data (email, profile info) | Until you delete your account
Uploaded media files | Deleted within 24 hours of upload or successful processing
Cloud storage connection data | Until you disconnect the cloud storage account or delete your Flowctory account
AI-generated content and library files | Until you delete the content or your account is closed
AI provider processing logs (prompts, reference images) | Retained at the provider only for processing and a short abuse-prevention window (typically up to 30 days), then deleted. Generated outputs persist as above.
Subscription & billing data | Until you delete your account (payment details stored by Stripe)
Server logs | 30 days

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

7.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you.

7.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

7.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

7.5 Right to Object

You have the right to object to the processing of your personal data based on our legitimate interests.

7.6 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances.

7.7 Right to Withdraw Consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In France, the supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr.

AI-Generated Content and Automated Decisions

Canvas AI features generate content on your request; they do not make automated decisions that produce legal effects on you or significantly affect you. You can stop using AI features at any time, and you can delete any generated content from your account at any time.

7.9 Exercising Your Rights

To exercise any of these rights, please contact us at contact@flowctory.com. We will respond to your request within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

8.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you
  • The categories of sources from which we collected the information
  • The business or commercial purpose for collecting the information
  • The categories of third parties with whom we share the information
  • The specific pieces of personal information we have collected about you

8.2 Right to Delete

You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.

8.3 Right to Opt-Out of Sale

You have the right to opt out of the sale of your personal information. However, Flowctory does not sell personal information.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, or provide you with a different level of service for exercising your rights.

8.5 Exercising Your Rights

To exercise your CCPA rights, please contact us at contact@flowctory.com. We will verify your identity before processing your request.

9. International Data Transfers

Flowctory is based in France (European Union). If you access the Service from outside the EU, please be aware that your information may be transferred to, stored, and processed in the EU.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Transfers to countries with an EU adequacy decision
  • Standard Contractual Clauses approved by the European Commission
  • Other legally recognized transfer mechanisms

Canvas AI features may transmit your prompts and reference images to AI processing providers located in the United States. We rely on the safeguards listed above for these transfers.

Third-party services we integrate with (cloud storage providers, AI providers, Stripe) may transfer your data internationally according to their own privacy policies.

10. Cookies

We use strictly necessary cookies to operate the Service. All cookies are essential for authentication and security. We do not use tracking, advertising, or analytics cookies.

10.1 Cookie Overview

The following table lists all cookies used by Flowctory:

Cookie Name | Purpose | Duration | Type
authjs.session-token | Maintains your login session (NextAuth) | 30 min | Essential
authjs.csrf-token | CSRF protection for authentication | Session | Essential
authjs.callback-url | OAuth redirect handling | Session | Essential
flowctory_pending_{platform}_connection | Temporary storage during platform connection | 10 min | Essential
{platform}_oauth_state | CSRF protection for platform OAuth | 10 min | Essential
{platform}_code_verifier | PKCE code verifier for platform OAuth | 10 min | Essential
{provider}_oauth_state | CSRF protection for cloud storage OAuth | 10 min | Essential
{provider}_code_verifier | PKCE code verifier for cloud storage OAuth | 10 min | Essential
NEXT_LOCALE | Stores your language preference | 1 year | Preference

Note: In production, authentication cookies use the __Secure- prefix and other cookies use the __Host- prefix for enhanced security, requiring HTTPS and preventing cross-site access.

10.2 Session Cookies

The authjs.session-token cookie maintains your authenticated session. This cookie:

  • Is HTTP-only (not accessible via JavaScript) and secure (HTTPS-only in production)
  • Uses SameSite=lax for CSRF protection
  • Expires after 30 minutes of inactivity (sliding session)
  • Contains a signed JWT with your user ID, email, and timezone
  • Is strictly necessary for the Service to function

10.3 OAuth Flow Cookies

When connecting a cloud storage service, we temporarily store OAuth state and verification data in cookies (e.g., gdrive_oauth_state, gdrive_code_verifier, dropbox_oauth_state, dropbox_code_verifier, flowctory_pending_connection). These cookies:

  • Are HTTP-only and secure (in production)
  • Expire after 10 minutes
  • Are automatically deleted after the OAuth flow completes
  • Protect against CSRF attacks and ensure OAuth security (PKCE)

10.4 No Tracking Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics.

10.5 Cookie Preferences

Since we only use strictly necessary cookies required for the Service to function, cookie consent is not required under GDPR. You can configure your browser to reject cookies, but this will prevent you from using the Service.

11. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All communications use HTTPS/TLS encryption
  • Encryption at Rest: Sensitive data is encrypted at rest using AES-256-GCM in our database
  • Secure Authentication: OAuth tokens are securely stored and managed
  • Access Controls: Limited access to personal data on a need-to-know basis. Flowctory personnel do not access data obtained through Google API Services except when: (a) you have provided explicit consent to view specific data, (b) it is necessary for security purposes such as investigating abuse or security incidents, or (c) we are required to do so by applicable law
  • Regular Updates: Infrastructure and dependencies are regularly updated

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

12. Children's Privacy

The Service is not intended for children under the age of 16 in the European Union or 13 in other jurisdictions. We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at contact@flowctory.com. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will provide notice through the Service or via email
  • We will obtain your consent where required by applicable law

We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Flowctory
Cancale, France
Email: contact@flowctory.com

Data Protection Authority

If you are in the EU and have concerns about our data practices, you may contact the French data protection authority (CNIL) at www.cnil.fr.