Privacy Policy
1. Data controller
The data controller for personal data processed through FlowPro is [OWNER_PLACEHOLDER: legal entity / data controller — Golico BV to confirm]. For account and diagram content that our business customers upload, we typically act as a processor on the customer's behalf (see our DPA).
2. Categories of data we process
- Account and identity data (name, email, organization) — via our authentication provider.
- Diagram, sequence, and project content you create in the Service.
- Billing and tax data — handled by our payment processor.
- Technical/usage data (aggregated, cookieless analytics — see section 6).
3. Purposes & legal bases
We process personal data to provide the Service (contract, Art. 6(1)(b) GDPR), to comply with legal obligations such as invoicing and tax (Art. 6(1)(c)), and for our legitimate interests in securing and improving the Service (Art. 6(1)(f)). [OWNER_PLACEHOLDER: confirm legal bases per activity — LAWYER]
4. Subprocessors
We use the following third-party subprocessors to deliver the Service. Each is engaged under a data processing agreement with appropriate safeguards (including Standard Contractual Clauses where personal data leaves the EEA).
| Subprocessor | Purpose | Location / Notes |
|---|---|---|
| Vercel | Hosting / CDN / serverless functions | US with EU edge; DPA + SCCs |
| Supabase | PostgreSQL database | Region per project |
| Clerk | Authentication + organizations | US; strictly-necessary auth cookies |
| Stripe | Billing + Stripe Tax + invoicing | Payment data; PCI-compliant |
| Vercel AI Gateway | AI request routing | Routes to the model providers below |
| Anthropic | AI model provider (primary) | claude-sonnet-5 — sequence/diagram generation |
| OpenAI | AI model provider (fallback) | gpt-5.4 — fallback path only |
5. Retention
[OWNER_PLACEHOLDER: retention periods per data category — LAWYER]
6. Cookies & analytics
We use privacy-friendly, cookieless analytics (aggregated pageviews only, no cross-site tracking, no personal profiling); therefore no cookie consent banner is shown.
Authentication cookies (Clerk) are strictly necessary for login/session to function and are exempt from consent under the ePrivacy "strictly necessary" carve-out. We do not set non-essential or advertising cookies.
7. International transfers
Where personal data is transferred outside the EEA (for example to subprocessors located in the US), we rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards. [OWNER_PLACEHOLDER: confirm transfer mechanisms — LAWYER]
8. Your rights
Subject to the GDPR, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. To exercise these rights, contact us at [OWNER_PLACEHOLDER: support / DPO contact].
9. EU representative & supervisory authority
[OWNER_PLACEHOLDER: EU/UK representative, if required — LAWYER]
10. Contact
Privacy questions: [OWNER_PLACEHOLDER: support email]