Developer Privacy Policy

Effective Date: December 12, 2025
Last Updated: December 12, 2025


1. Introduction

This policy covers how we handle data from developers and businesses using the Flowsta Auth API.


2. Developer Data We Collect

Account Data

  • Organization name
  • Contact email
  • API keys
  • Team members (user IDs, roles)
  • Pending invites (email addresses - deleted after 7 days or acceptance)

Billing Data (via Stripe)

  • Payment method (stored by Stripe)
  • Billing address
  • Invoice history

Usage Data

  • API request counts
  • Error rates
  • Response times
  • MAU counts (aggregate only)

3. What We DON'T Collect About Your Users

Data              | Status   | Notes
User passwords    | ❌ Never | Zero-knowledge architecture
User IP addresses | ❌ Never | Removed from all logs
User device info  | ❌ Never | Removed from all logs
User activity     | ❌ Never | Stored in user's Holochain

Your users' data stays with your users.


4. Zero-Knowledge MAU Analytics

How MAU Tracking Works

  1. User logs in via your app
  2. Flowsta generates a random analytics_id (stored in user's Holochain)
  3. We record: analytics_id + your app_id + month
  4. You see: "42 MAU this month"

What You CAN'T Do

  • Identify which users logged in
  • Link analytics_id to email or DID
  • Access user activity logs
  • See IP addresses or devices

This is by design. Zero-knowledge analytics protects your users' privacy while giving you the metrics you need.


5. How We Use Developer Data

Service Provision

  • Generate and manage API keys
  • Monitor usage and enforce limits
  • Bill for API usage

Communication

  • Service announcements
  • API changes
  • Billing notifications
  • Security alerts

6. Data Sharing

Service Providers

  • Stripe (payments)
  • Google Cloud (hosting)

We DON'T

  • Sell developer data
  • Share API keys
  • Use your data to compete

7. Your Responsibilities

As a developer using Flowsta, you are the "Data Controller" for your users:

You Must

  • Have a privacy policy
  • Inform users Flowsta is used
  • Obtain consent for data sharing
  • Handle user data requests
  • Comply with GDPR/CCPA

Data Processing Agreement

Enterprise customers can request a formal DPA.


8. Developer Rights

  • Access your account data
  • Update business information
  • Export usage analytics
  • Delete your developer account

Account Deletion

  • Request via dashboard
  • Deleted within 30 days
  • Billing records retained per tax law (7 years)

9. Data Retention

Active Accounts

  • Data retained while active
  • API logs: 90 days
  • Usage analytics: 2 years (aggregated)
  • Pending team invites: 7 days (auto-deleted if not accepted)

Deleted Accounts

  • Account data: 30 days
  • Billing records: 7 years (legal requirement)

10. Security

Our Protections

  • Encrypted connections (TLS 1.3)
  • API keys encrypted at rest
  • Role-based access control
  • Regular security audits

Your Responsibilities

  • Keep API keys secure
  • Rotate keys regularly
  • Report security issues

11. Changes to Policy

  • 60 days' notice for material changes
  • Email notification
  • Continued use = acceptance

12. Contact


© Flowsta. All rights reserved.