Legal

Privacy Policy

We are committed to protecting your personal data and your right to privacy. This policy explains what information we collect, why we collect it, and how we use it.

Last updated: May 12, 2026

Overview

Flowxar ("we", "us", or "our") operates the website flowxar.com and the Flowxar platform (the "Service"). This Privacy Policy describes how we handle personal data when you use our Service, and the rights you have in relation to that data.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

Definitions

  • Personal Data — Any information that identifies or can identify a natural person.
  • Usage Data — Data collected automatically from your use of the Service (e.g., page views, session duration).
  • Cookies — Small text files stored on your device by your browser.
  • Data Controller — Flowxar, which determines the purposes and means of processing personal data.
  • Data Processor — Third-party service providers that process data on our behalf.
  • End User — Visitors to our customers' websites who interact with onboarding flows delivered by our SDK.

Data We Collect

Account Data

When you register for Flowxar, we collect your name, email address, and organization name. This data is necessary to provide the Service.

Billing Data

Payment information is collected and processed directly by Stripe, our payment processor. We do not store full credit card numbers. We retain billing history (plan type, invoices, subscription status) to manage your account.

Usage Data

We collect information about how you use the Service, including pages visited, features used, and actions taken within the dashboard. This helps us improve the product.

SDK & End-User Data

Our JavaScript SDK is installed on customers' websites to deliver onboarding flows to their end users. The SDK collects only anonymized, non-personally-identifiable behavioral data: flow views, step completions, and dismissals. We do not collect names, email addresses, or any sensitive information about end users. All data is aggregated and used solely to power the analytics dashboard for our customers.

Analytics

We use Google Analytics 4 (GA4) to understand how visitors use our marketing website. GA4 may collect:

  • Pages visited and time on page
  • Referral source (e.g., Google Search, direct)
  • Device type, browser, and approximate geographic region
  • Anonymized IP addresses

GA4 data is processed by Google LLC under their Privacy Policy. You can opt out of GA4 tracking via the Google Analytics Opt-out Browser Add-on.

We also use Supabase internal analytics for product usage metrics (feature adoption, flow performance). This data is never sold to third parties.

Advertising

We may run advertising campaigns on the following platforms to reach potential customers:

  • Google Ads— We use Google's conversion tracking pixel to measure ad performance. Google may use cookies to serve ads based on your browsing behavior.
  • Meta Ads (Facebook & Instagram) — We use the Meta Pixel to track conversions and build lookalike audiences. Meta may associate your activity with your Facebook profile.
  • TikTok Ads— We may use TikTok's pixel for conversion tracking and audience targeting on the TikTok platform.
  • LinkedIn Ads — We may use LinkedIn Insight Tag for B2B retargeting and conversion measurement.

Each of these platforms processes data under their own privacy policies. You can manage your ad preferences through your account settings on each platform, or via your browser's cookie settings.

Cookies

We use the following types of cookies:

  • Strictly Necessary — Authentication session cookies required for login. Cannot be disabled.
  • Analytics — GA4 cookies to understand site usage (can be disabled).
  • Marketing — Advertising pixels from Google, Meta, TikTok, LinkedIn (can be disabled).

You can control cookies through your browser settings. Note that disabling cookies may affect the functionality of the Service.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:

  • Account data is deleted within 30 days.
  • Anonymized, aggregated analytics data may be retained indefinitely for product improvement.
  • Billing records are retained for up to 7 years to comply with financial regulations.

End-user behavioral data collected by the SDK is retained for 12 months and then automatically purged.

Security

We take the security of your data seriously and implement industry-standard measures:

  • All data is transmitted over HTTPS/TLS.
  • Data is stored on Supabase (PostgreSQL), which enforces Row-Level Security (RLS) so no customer can access another customer's data.
  • Passwords are never stored — we use magic link and OAuth authentication only.
  • Access to production systems is restricted to authorized personnel.

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Erasure — Request deletion of your personal data ("right to be forgotten").
  • Portability — Request your data in a machine-readable format.
  • Objection — Object to processing of your data for direct marketing.
  • Restriction — Request that we restrict processing of your data.

To exercise any of these rights, contact us at support@flowxar.com. We will respond within 30 days.

Third-Party Services

We rely on the following third-party services to operate:

  • Supabase — Database, authentication, and file storage.
  • Stripe — Payment processing and billing management.
  • Vercel — Hosting and serverless infrastructure.
  • Google Analytics 4 — Website analytics.
  • OpenAI — AI-powered copywriting features (content is not used to train models).

Each of these providers has their own privacy policy and data processing agreements with us. We do not sell your personal data to any third party.

Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us immediately and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact

If you have any questions about this Privacy Policy, please contact us: