DRAFT — not legally binding until reviewed by counsel and the placeholders are completed.

Privacy Policy

1. Data controller

The data controller for personal data processed through FlowPro is [OWNER_PLACEHOLDER: legal entity / data controller — Golico BV to confirm]. For account and diagram content that our business customers upload, we typically act as a processor on the customer's behalf (see our DPA).

2. Categories of data we process

3. Purposes & legal bases

We process personal data to provide the Service (contract, Art. 6(1)(b) GDPR), to comply with legal obligations such as invoicing and tax (Art. 6(1)(c)), and for our legitimate interests in securing and improving the Service (Art. 6(1)(f)). [OWNER_PLACEHOLDER: confirm legal bases per activity — LAWYER]

4. Subprocessors

We use the following third-party subprocessors to deliver the Service. Each is engaged under a data processing agreement with appropriate safeguards (including Standard Contractual Clauses where personal data leaves the EEA).

SubprocessorPurposeLocation / Notes
Vercel Hosting / CDN / serverless functions US with EU edge; DPA + SCCs
Supabase PostgreSQL database Region per project
Clerk Authentication + organizations US; strictly-necessary auth cookies
Stripe Billing + Stripe Tax + invoicing Payment data; PCI-compliant
Vercel AI Gateway AI request routing Routes to the model providers below
Anthropic AI model provider (primary) claude-sonnet-5 — sequence/diagram generation
OpenAI AI model provider (fallback) gpt-5.4 — fallback path only

5. Retention

[OWNER_PLACEHOLDER: retention periods per data category — LAWYER]

6. Cookies & analytics

We use privacy-friendly, cookieless analytics (aggregated pageviews only, no cross-site tracking, no personal profiling); therefore no cookie consent banner is shown.

Authentication cookies (Clerk) are strictly necessary for login/session to function and are exempt from consent under the ePrivacy "strictly necessary" carve-out. We do not set non-essential or advertising cookies.

7. International transfers

Where personal data is transferred outside the EEA (for example to subprocessors located in the US), we rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards. [OWNER_PLACEHOLDER: confirm transfer mechanisms — LAWYER]

8. Your rights

Subject to the GDPR, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. To exercise these rights, contact us at [OWNER_PLACEHOLDER: support / DPO contact].

9. EU representative & supervisory authority

[OWNER_PLACEHOLDER: EU/UK representative, if required — LAWYER]

10. Contact

Privacy questions: [OWNER_PLACEHOLDER: support email]