Developer Privacy Policy
Effective Date: December 12, 2025
Last Updated: January 24, 2026
1. Introduction
This policy covers how we handle data from developers and businesses using Flowsta Auth API.
2. Developer Data We Collect
Account Data
- Organization name
- Contact email
- API keys
- Team members (user IDs, roles)
- Pending invites (email addresses - deleted after 7 days or acceptance)
Billing Data (via Stripe)
- Payment method (stored by Stripe)
- Billing address
- Invoice history
Usage Data
- API request counts
- Error rates
- Response times
- MAU counts (aggregate only)
Holochain Signing Data (If You Use Signing Service)
- Which apps you've enabled signing for
- Signing permission metadata (granted/revoked timestamps)
- Number of signing requests per app
- NOT stored: Actual content of what was signed (only SHA256 hashes in user's encrypted Holochain)
3. What We DON'T Collect About Your Users
| Data | Status | Notes |
|---|---|---|
| User passwords | ❌ Never | Zero-knowledge architecture |
| User IP addresses | ❌ Never | Removed from all logs |
| User device info | ❌ Never | Removed from all logs |
| User activity | ❌ Never | Stored in user's Holochain |
Your users' data stays with your users.
4. Zero-Knowledge MAU Analytics
How MAU Tracking Works
- User logs in via your app
- Flowsta generates random
analytics_id(stored in user's Holochain) - We record:
analytics_id+ yourapp_id+ month - You see: "42 MAU this month"
What You CAN'T Do
- Identify which users logged in
- Link analytics_id to email or DID
- Access user activity logs
- See IP addresses or devices
This is by design. Zero-knowledge analytics protects your users' privacy while giving you the metrics you need.
5. Holochain Signing Service Data (If You Use It)
When users grant your app holochain:sign permission:
What We Collect
| Data | Retention |
|---|---|
| User + App ID (who granted permission) | Until revoked |
| Granted/revoked timestamps | Permanent (audit trail) |
| Last used timestamp | Updated on each use |
| Sign count (number of signatures) | Updated on each use |
| Action type (e.g., 'create_entry') | 90 days |
| Action hash (SHA256 - not content) | 90 days |
What We DON'T Collect
- ❌ The actual content that was signed
- ❌ User's private signing keys (never leave our conductor)
- ❌ Individual user identifiers in your analytics
User Privacy: Signing activity details are stored in the user's encrypted Holochain source chain. Users can see full signing history in their dashboard and revoke permissions at any time.
6. Support Services (Gleap)
We use Gleap, a third-party support platform, to provide AI chat assistance and support ticket management.
For Anonymous (Not Logged In) Users
| Data | Shared with Gleap? | Purpose |
|---|---|---|
| ❌ No | N/A | |
| Authentication status | ✅ Yes (false) | Workflow routing |
For Authenticated Developers
| Data | Shared with Gleap? | Purpose |
|---|---|---|
| User ID | ✅ Yes | Contact identification |
| Email address | ✅ Yes | Support ticket communication |
| Organization name | ✅ Yes | Context for support |
| Authentication status | ✅ Yes (true) | Workflow routing |
| Developer plan | ✅ Yes | Support prioritization |
Privacy Protection
- Data is only shared when you open the support widget (AI chat or ticket creation)
- Anonymous users can access the AI chat without providing any personal information
- Authenticated users' data is shared to enable personalized support and ticket tracking
- Gleap is GDPR-compliant and bound by their privacy policy
- Support chat transcripts and tickets are retained by Gleap per their data retention policy
Your Control
- You can use the AI assistant anonymously without logging in
- If authenticated, you can request deletion of your support data by contacting privacy@flowsta.com
- Ticket transcripts can be provided upon request
7. How We Use Developer Data
Service Provision
- Generate and manage API keys
- Monitor usage and enforce limits
- Bill for API usage
Communication
- Service announcements
- API changes
- Billing notifications
- Security alerts
8. Data Sharing
Service Providers
- Stripe (payments)
- Google Cloud (hosting)
- Gleap (support services)
We DON'T
- Sell developer data
- Share API keys
- Use your data to compete
9. Your Responsibilities
As a developer using Flowsta, you are the "Data Controller" for your users:
You Must
- Have a privacy policy
- Inform users Flowsta is used
- Obtain consent for data sharing
- Handle user data requests
- Comply with GDPR/CCPA
Data Processing Agreement
Enterprise customers can request formal DPA.
10. Developer Rights
- Access your account data
- Update business information
- Export usage analytics
- Delete your developer account
Account Deletion
- Request via dashboard
- Deleted within 30 days
- Billing records retained per tax law (7 years)
11. Data Retention
Active Accounts
- Data retained while active
- API logs: 90 days
- Usage analytics: 2 years (aggregated)
- Pending team invites: 7 days (auto-deleted if not accepted)
- Signing activity logs: 90 days
Deleted Accounts
- Account data: 30 days
- Billing records: 7 years (legal requirement)
12. Security
Our Protections
- Encrypted connections (TLS 1.3)
- API keys encrypted at rest
- Role-based access control
- Regular security audits
Your Responsibilities
- Keep API keys secure
- Rotate keys regularly
- Report security issues
- If using signing service: secure OAuth tokens (they grant signing access)
13. Changes to Policy
- 60 days notice for material changes
- Email notification
- Continued use = acceptance
14. Governing Law
Jurisdiction: Victoria, Australia
This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of Victoria, Australia. Any legal proceedings shall be brought in the courts of Victoria, Australia.
15. Contact
- Developer Support: dev.flowsta.com/support
- Privacy: privacy@flowsta.com
- DPA Requests: legal@flowsta.com