Privacy Policy

The data controller responsible for your personal data is:

• [Legal entity name]
• [Registered address, city, postal code, country]
• Company / VAT number: [number]
• Email: [privacy@yourdomain.com]

If you are based in the EU/EEA and have concerns we have not resolved, you may lodge a complaint with your local supervisory authority.

• Account data — email address and hashed password used to authenticate you.
• Workspace data — project briefs, generated proposals, milestones, client names, client email addresses, and payment-link URLs you choose to store.
• Billing data — subscription status, trial dates, and billing-provider identifiers. Card details are processed by our payment provider and never stored on our servers.
• Technical data — IP address, browser type, device, and minimal request logs needed to operate and secure the service.

• Performance of a contract (Art. 6(1)(b) GDPR) — to provide the account, generate proposals, host client portals, and process subscriptions.
• Legitimate interests (Art. 6(1)(f) GDPR) — to secure the service, prevent abuse, and improve product quality.
• Legal obligation (Art. 6(1)(c) GDPR) — to keep tax and accounting records.
• Consent (Art. 6(1)(a) GDPR) — for any optional analytics or marketing cookies, where applicable.

Data is stored in managed cloud infrastructure provided by our hosting and database processors. Access is restricted, traffic is encrypted in transit (TLS), and data at rest is encrypted by the underlying provider. We use Row-Level Security so each user can only access their own workspace data.

We rely on the following categories of subprocessors:

• Hosting & database (managed cloud backend)
• Payment & subscription processor (Merchant of Record for billing)
• AI model provider (used to generate proposal drafts from briefs you submit)
• Transactional email provider (used to deliver client portal & payment notifications)

Where a subprocessor is located outside the EEA, transfers are protected by Standard Contractual Clauses or an equivalent safeguard.

We keep account and workspace data for as long as your account is active. If you delete your account, we delete or anonymize personal data within 30 days, except where we are required to keep records for legal, tax, or accounting reasons (typically up to the period required by local law).

Under the GDPR you have the right to:

• Access a copy of the personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure ("right to be forgotten") of your data.
• Restriction of processing in certain circumstances.
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Objection to processing based on our legitimate interests.
• Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email [privacy@yourdomain.com]. We respond within 30 days.

FlowDesk uses strictly necessary cookies and local storage to keep you signed in and maintain your session. We do not use advertising cookies. If we add analytics that rely on non-essential cookies, we will request your consent through a cookie banner before they are set.

FlowDesk is not intended for individuals under 16. We do not knowingly collect data from children.

We may update this policy from time to time. Material changes will be communicated by email or in-app notice before they take effect.

Questions about this policy or your data: [privacy@yourdomain.com].