Privacy Policy

This Privacy Policy explains what data Flowop collects, why we collect it, who we share it with, and the choices you have. It applies to flowop.io, the Flowop browser extension, and any other surface where this policy is linked.

Flowop is operated by GDF Design Inc., a British Columbia corporation in Vancouver, Canada ("Flowop", "we", "us"). We're a small team — a single founder at the time of this writing — and we built Flowop with the commitment that we wouldn't track our users across the web, sell their data, or use their content to train machine-learning models. This policy describes the technical reality of that commitment.

In short

• We collect the minimum we need to run the service: your email, the content you create in Flowop, and standard server logs.
• We do not sell your data. We do not rent it. We do not share it with advertisers.
• We do not use your saved URLs, your annotations, or your notes to train AI models.
• The Flowop preview renders third-party websites under flowop.io's domain. Third-party scripts inside those previews may set cookies on flowop.io. We do not author, read, or use any data those scripts collect. See "Previewed third-party content" below for what that means in practice.

What we collect

• Account information. When you sign up we collect your email address. If you sign in with Google, we additionally receive your name and profile photo from Google so we can show them in the app — we never receive your Google password. If you provide a display name during sign-up, we store that.
• Content you create in Flowop. This includes the URLs you save, the categories you organize them under, the annotations you draw, the notes you write, the comments you make, the workspace projects you create, the tags you apply, and any files (images, screenshots, video clips) you upload. This content stays yours; see the Terms of Service for the license you give us to host and display it.
• Usage data. Standard server logs — your IP address, your browser's user agent, request paths, response codes, timestamps. We use these for debugging, abuse prevention, and security. Server logs are retained for up to 30 days.
• Iframe-preview audit log. When you (or any viewer) loads a preview, the proxy records a structured log line with the URL, the HTTP status code returned by the upstream, the upstream content type, and the timestamp. This is operational data — used for debugging, abuse triage, and to satisfy any DMCA-style takedown audit requirement. Retained for up to 30 days alongside the standard server logs.
• Billing data (paid plans only). Stripe processes payments on our behalf. Stripe holds your payment method; we receive only your subscription status, your selected plan, and an opaque Stripe customer ID. We never see your full card number.
• Email engagement. When we send transactional email (sign-up confirmation, password reset, workspace invites, optional digest emails), the email-delivery provider (Resend) records standard delivery metadata (delivered, bounced, opened). We use this only to debug delivery failures.

What we don't collect

• We don't sell your data.
• We don't use your content to train machine-learning models.
• We don't track you across other websites. Flowop does not embed advertising pixels or third-party tracking scripts on its own pages.
• We don't read the websites you save in your bookmarks for any purpose other than rendering the preview you asked for. Server logs may record the URL you proxied (because the URL is the request path); we do not aggregate, analyze, or share those URLs.
• We don't ask the upstream sites you preview for any of your information. The proxy fetches with only User-Agent and Accept headers. No cookies. No Authorization token. No Accept-Language. No X-Forwarded-For. No Referer. The upstream site sees a generic browser user-agent and an HTML accept header, and nothing else from you.

Previewed third-party content

This section describes what Flowop does and does not do with the third-party websites you preview through Flowop. It is the part of this policy most likely to be unfamiliar; please read it.

The proxy round-trip. When you or someone with access to your share link loads a preview, Flowop's server fetches the URL on your behalf. We send only the two headers above (User-Agent, Accept). The upstream's response is parsed; we extract the HTML body and asset URLs, inject our own proxy scripts (for in-iframe scroll tracking, form interception, and sensitive-input warnings), and serve the result back to your browser as part of an iframe under flowop.io.

What we don't propagate. We do not propagate the upstream's Set-Cookie headers back to your browser. The upstream cannot install a cookie on your browser through Flowop's proxy.

What may execute inside the iframe. Once the proxied HTML reaches your browser, any third-party <script> tags it contains run inside the iframe. Because the iframe is served from flowop.io, those scripts execute under flowop.io's origin. Some of those scripts (analytics scripts, advertising pixels, customer-support widgets) may set cookies via document.cookie. Those cookies land on flowop.io, not on the upstream's domain.

What this means for you.

• Cookies set by third-party scripts inside Flowop previews are not authored or read by Flowop. We don't aggregate them, we don't sell them, we don't use them.
• If you want to clear those cookies, you can clear all flowop.io cookies in your browser's privacy settings. You'll be signed out of Flowop and the third-party-script cookies will be deleted at the same time.
• The upstream sites do not learn that you specifically viewed them through Flowop. Because we don't forward your IP or your cookies, the upstream cannot attribute your view to your account.

What we are honestly uncertain about. The legal posture for "third-party scripts on flowop.io" is not fully settled. We will update this policy as that posture clarifies.

How we use the data we collect

• To provide the service you signed up for (storing your bookmarks, rendering previews, supporting collaboration).
• To send transactional email (sign-up confirmation, password reset, workspace invites, optional daily-digest emails). You can mute the digest in Settings.
• To process payments and handle subscription changes (paid plans only).
• To detect abuse, debug crashes, and respond to legal requests where required.

We do not use your data for any other purpose without your explicit consent.

Who we share data with

Flowop runs on a small set of vendors (subprocessors). Each receives only the data needed to do its job.

• Supabase — authentication and database hosting. Stores your account, your content, your session token, and your password hash (not the password itself).
• Vercel — application hosting and CDN. Production functions currently execute in Vercel's iad1 region (US East). Vercel sees your IP address as part of its standard request handling.
• Stripe — payment processing for paid plans. Stripe stores your payment method directly; Flowop never sees your card details.
• Resend — transactional email delivery (account confirmation, password reset, invites, digests). Resend sees your email address and the body of the email.
• Microlink — third-party screenshot service used for static thumbnails when the live iframe preview isn't appropriate or has been opted out. Microlink fetches the URL from its own infrastructure; it does not see your IP or your account.
• Cloudflare — only when you submit certain anonymous forms (such as the public "Report this page" form on a public share). Cloudflare's Turnstile widget evaluates your interaction to protect the form from automated abuse. Turnstile is privacy-preserving by design (no third-party cookies, no fingerprinting beyond the verification check).
• Google — only if you choose Google sign-in. Google sees that you logged into Flowop. We receive your name, email, and profile photo via the OAuth scopes we request (openid, email, profile).

Where data is stored

Account data and content are stored with Supabase (PostgreSQL) and Vercel (static / serverless). Vercel's production region for Flowop is iad1 (US East). Supabase's region is the one Flowop selected at project setup time and may evolve as we scale.

If you are in the European Economic Area, the United Kingdom, Switzerland, or Canada, your data will be transferred to the United States as a result. Where required by law, this transfer is governed by Standard Contractual Clauses or an equivalent legally adequate mechanism.

Cookies and similar technologies

Cookies Flowop sets.

• A first-party authentication cookie used to keep you signed in. Lifetime: until you sign out, or until the session expires (~1 hour for short-lived tokens; configurable in Supabase).
• A small number of preference cookies (e.g. theme preference, dismissed-toast acknowledgment) that affect only the appearance of the app for you on this device.

Cookies Flowop does not set.

• We don't set advertising cookies.
• We don't set cross-site tracking cookies.
• We don't use Google Analytics or similar third-party analytics on flowop.io itself.

Cookies that may be set inside previewed content.

As described in "Previewed third-party content" above, third-party scripts inside the iframe may set cookies on flowop.io. Flowop does not author, read, or use those cookies. You can clear them by clearing flowop.io cookies in your browser.

Public sharing

You can mark collections, pages, or individual bookmarks as publicly shared. When you do, the content of the shared resource becomes accessible to anyone with the link. You control which content is public; we don't make anything public on your behalf.

Public shares may be viewed by anonymous visitors who have not agreed to this Privacy Policy. The proxy posture above applies to them too — we don't track them, we don't propagate cookies, we don't fingerprint them. Server logs of their requests follow the standard 30-day retention.

Retention and deletion

• Account record (email, profile, hashed password): while your account is active; deleted within 30 days of account closure.
• Content (bookmarks, annotations, notes, comments, files): while your account is active; deleted within 30 days of account closure.
• Server logs (request path, IP, timestamp): up to 30 days, then rotated.
• Iframe-preview audit log: up to 30 days, then rotated.
• Billing records (Stripe references, invoices): retained for the period required by Canadian tax law (typically 6 years).
• Email-delivery metadata (Resend): retained per Resend's own retention schedule.
• Database backups: up to 90 days, then expire on rotation. Deleted content stops being recoverable from backups when the rotation completes.
• DMCA / abuse audit records: retained as long as needed to satisfy legal obligations; typically 1–3 years from the event.

You can close your account at any time from Settings. After 30 days, your active records are removed; backups follow the rotation above.

Your rights

Depending on where you live, you may have rights over your personal information. Flowop honors the following rights for all users, regardless of location, to the extent we can:

• Access. See what we have about you. Available via Settings → Export.
• Correction. Fix inaccurate information. Available via Settings.
• Deletion ("right to be forgotten"). Delete your account and content. Available via Settings → Close Account.
• Portability. Receive a copy of your content in a machine-readable format. Available via Settings → Export.
• Restriction / objection. Tell us to stop processing your data for specific reasons. Email support@flowop.io.
• Withdraw consent. For any processing that relies on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

If you live in:

• The European Economic Area, the United Kingdom, or Switzerland (GDPR / UK GDPR): the rights above are codified in those laws. The lawful basis for our processing is generally (a) performance of the Terms of Service contract for service-provision data and (b) legitimate interest for security and abuse-prevention data. You have the right to lodge a complaint with your local data-protection authority.
• California (CCPA / CPRA): in addition to the rights above, you may opt out of "sale" or "sharing" of personal information. Flowop does not sell or share personal information; the CCPA opt-out applies to us trivially.
• Canada (PIPEDA / BC PIPA): you have the rights above and may file a complaint with the Office of the Privacy Commissioner of Canada or with the BC Office of the Information and Privacy Commissioner.
• Other jurisdictions: applicable local law governs. We try to honor reasonable requests regardless of jurisdiction.

For any request you cannot complete in-app, email support@flowop.io. We may need to verify your identity before acting on certain requests (especially deletion or portability) to protect against account takeover.

Children

Flowop is not designed for or directed to children under 13 in the United States or Canada. If you are in the European Economic Area or the United Kingdom, the minimum age is 16. Don't use Flowop if you are below the minimum age in your jurisdiction.

If we discover an account belongs to someone below the minimum age, we delete the account and any associated content.

Security

We take the following technical measures:

• TLS in transit for all connections to flowop.io and to the API.
• Supabase Postgres at-rest encryption (Supabase's default; see Supabase's own security documentation for current scope).
• Password hashing by Supabase Auth. We do not see, log, or store plaintext passwords. We do not have a way to recover a forgotten password (we only have a reset flow).
• Row-level security policies on Supabase tables, scoped per user, so a database-level bug or a leaked admin token does not transparently expose another user's content.
• No plaintext payment card data, ever. Stripe handles all card data directly.

No system is invulnerable. If you discover a security issue in Flowop, please report it confidentially to support@flowop.io.

Changes to this policy

We may update this Privacy Policy as the service changes. If a change is material — for example, a change to subprocessors, retention, or the categories of data we collect — we'll post the updated Policy at flowop.io/privacy, update the "Last updated" date, and notify active account holders by email at least 30 days before the change takes effect. For non-material changes (clarifications, link fixes), continued use after the change means you accept the updated Policy.

For material changes, we'll also ask you to re-confirm acceptance the next time you sign in.

Contact

General privacy questions, security reports, and data-subject requests (access, deletion, portability) reach us at support@flowop.io.

GDF Design Inc.
[mailing address — available on request via support@flowop.io]
Vancouver, British Columbia, Canada