Last updated: March 20, 2026
This Privacy Policy explains how Flowpatrol ("we", "us", or "our") collects, uses, and protects your personal data when you use our website and services.
We take your privacy seriously. We collect only what we need, we never sell your data, and we give you full control over your information.
1. Who We Are
Flowpatrol is a security scanning service for web applications. We operate as a data controller for the personal data we collect from you.
Contact: contact@flowpatrol.ai
2. What Data We Collect
Account data
When you create an account, we collect your email address and name. If you sign up via a third-party provider (e.g., GitHub or Google), we receive your name, email, and profile picture from that provider.
Billing data
If you subscribe to a paid plan, our payment processor (Stripe) collects your payment details. We store your plan type, billing cycle, and transaction history. We do not store credit card numbers on our servers.
Scan data
When you run a scan, we store the target URL, scan configuration, and results (findings, severity, evidence screenshots). Scan data belongs to you — see our Terms of Service.
Usage data
We collect basic usage analytics to improve the Service: pages visited, features used, scan frequency, and error logs. We use privacy-friendly analytics that do not track you across sites.
Technical data
Our servers automatically log IP addresses, browser type, and request timestamps for security and performance purposes. These logs are retained for up to 90 days.
3. What We Do Not Collect
Flowpatrol is a black-box scanner. We never access your source code, repository, CI/CD pipeline, or internal infrastructure. We only interact with your application's publicly accessible URL — the same way any visitor would.
4. How We Use Your Data
We use your data to:
- Provide and maintain the Service;
- Process payments and manage your subscription;
- Send transactional emails (scan results, billing receipts);
- Improve the Service based on aggregate usage patterns;
- Prevent abuse and enforce our Terms of Service;
- Comply with legal obligations.
We do not use your data for advertising, profiling, or selling to third parties.
5. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data based on:
- Contract performance — processing necessary to provide the Service you signed up for (account data, scan data, billing data);
- Legitimate interest — usage analytics to improve the Service, security logging to prevent abuse;
- Legal obligation — tax and accounting records, responding to legal requests;
- Consent — marketing emails (you can unsubscribe at any time).
6. Data Sharing & Subprocessors
We share your data only with service providers who help us operate the Service. Each subprocessor is bound by a Data Processing Agreement (DPA).
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication & database | EU (Frankfurt) |
| Stripe | Payment processing | US (EU SCCs) |
| Vercel | Website hosting | US (EU SCCs) |
| Anthropic | AI-powered scan analysis | US (EU SCCs) |
| PostHog | Product analytics (opt-in only) | EU (Frankfurt) |
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.
We do not sell, rent, or trade your personal data to any third party.
7. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account closure.
- Scan data: retained while your account is active. You can delete individual scan results at any time.
- Billing data: retained for up to 10 years as required by tax and accounting regulations.
- Server logs: automatically deleted after 90 days.
- Marketing consent records: retained for as long as consent is valid, plus 3 years for compliance evidence.
8. Your Rights
Under the GDPR (and similar laws like the UK GDPR and CCPA), you have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion of your data ("right to be forgotten");
- Restriction — request that we limit processing of your data;
- Portability — receive your data in a structured, machine-readable format;
- Objection — object to processing based on legitimate interest;
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email us at contact@flowpatrol.ai. We will respond within 30 days.
If you believe we have not handled your request properly, you have the right to lodge a complaint with your local data protection authority.
9. Security
We protect your data with industry-standard measures including:
- Encryption in transit (TLS) and at rest;
- Row-Level Security (RLS) for tenant data isolation;
- Regular security testing of our own infrastructure;
- Access controls limiting employee access to personal data on a need-to-know basis.
No system is 100% secure. If we discover a data breach that affects your personal data, we will notify you and the relevant authorities within 72 hours as required by GDPR.
10. Cookies
We use a minimal set of cookies. See our Cookie Policy for details.
11. Children
The Service is not intended for anyone under the age of 16. We do not knowingly collect data from children. If we learn that we have collected data from a child, we will delete it promptly.
12. International Transfers
Our primary infrastructure is hosted in the EU. Where data is transferred to subprocessors outside the EU/EEA, we use Standard Contractual Clauses (SCCs) and verify that adequate safeguards are in place.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice in the Service at least 30 days before they take effect.
14. Contact
For privacy-related questions or to exercise your rights, contact us at contact@flowpatrol.ai.