Privacy Policy
Effective Date: December 12, 2025
Last Updated: December 12, 2025
1. Introduction
Flowsta provides censorship-resistant digital identity using zero-knowledge encryption and Holochain distributed technology.
Key Principle: By design, we CANNOT access your encrypted private data.
2. Data We Collect
2.1 Minimal Database Storage (PostgreSQL)
| Data | Purpose | Can We Read It? |
|---|---|---|
| Email address | Login lookup | ✅ Yes |
| Agent public key | Identity verification | ✅ Yes |
| W3C DID | Decentralized identifier | ✅ Yes |
| Login method | Password vs SSO | ✅ Yes |
What We DON'T Store in Our Database:
- ❌ Passwords (zero-knowledge)
- ❌ Private keys (you control these)
- ❌ Recovery phrases
- ❌ Activity timestamps
- ❌ Profile pictures
- ❌ IP addresses
- ❌ Browser/device information
2.2 Your Private Data (Holochain - Encrypted)
Stored on your private Holochain source chain, encrypted with your password:
- Encrypted email
- Display name
- Recovery phrase
- Login history
- Dashboard activity
- OAuth authorizations
- Privacy settings
Critical: We cannot decrypt this data. Your password never leaves your device.
2.3 Public Data (Holochain DHT - Immutable)
- W3C DID
- Profile picture (identicon or custom)
- Registration timestamp
Important: This data cannot be deleted - it's immutable by design for censorship resistance.
2.4 Premium Billing Data (If You Subscribe)
If you subscribe to Premium or purchase Premium+ usernames:
Stored in Our Database (Minimal):
| Data | Purpose | Can We Read It? |
|---|---|---|
| Subscription tier | Determine features | ✅ Yes |
| Billing interval | Monthly/annual | ✅ Yes |
| Subscription status | Active/cancelled | ✅ Yes |
| Period dates | Billing cycle | ✅ Yes |
| Invoice history | Billing records | ✅ Yes |
Processed by Stripe (Third Party):
| Data | Purpose | Can We Read It? |
|---|---|---|
| Payment method | Process payments | ❌ No (Stripe only) |
| Billing address | Tax calculation | ❌ No (Stripe only) |
| Payment history | Receipts | ❌ No (Stripe only) |
Privacy Protection:
- We use a proxy email when creating your Stripe customer account (your real email is not shared with Stripe)
- We do not store credit card numbers or payment details
- Stripe is PCI DSS compliant
2.5 What We DON'T Log
Unlike most services, we do NOT collect:
- ❌ IP addresses (removed from all logs)
- ❌ Browser/device information (removed from all logs)
- ❌ Detailed browsing behavior
- ❌ Location data
Our API logs contain only: endpoint, method, status code, response time.
3. How We Use Your Data
Account Management
- Authenticate you when you log in
- Provide identity verification to partner sites
What We DON'T Do
- ❌ Sell your data
- ❌ Use for targeted advertising
- ❌ Share without consent
- ❌ Read your encrypted data (we can't)
- ❌ Train AI models on your data
4. Data Sharing
With Partner Sites (Your Consent)
- When you use "Sign in with Flowsta"
- Via OAuth consent screen
- They receive: DID, display name, username, profile picture, agent key
- They can request email (you approve on consent screen)
With Service Providers
- Google Cloud (hosting)
- Stripe (Premium billing only) - we use a proxy email, your real email is not shared
- Bound by confidentiality agreements
With Law Enforcement (When Required)
- Valid legal process only
- We provide: email, login method
- We cannot provide: encrypted data, passwords, activity logs
5. Your Rights
Right to Access
- Download your account data
- Export your Holochain data (you own it)
Right to Erasure
We will delete:
- ✅ Your email from our database
- ✅ Your session data
We cannot delete:
- ❌ Your DID from public DHT (immutable)
- ❌ Your profile picture from DHT (immutable)
Right to Portability
- Export all data in JSON format
- Export your keys
- Take your identity to compatible services
6. Cookies
Session Cookie (flowsta_session)
- Purpose: Maintain login across Flowsta services
- Duration: 7 days (auto-renewed)
- Security: HTTP-only, HTTPS-only
- Classification: Strictly necessary (cannot be disabled)
We Do NOT Use:
- ❌ Tracking cookies
- ❌ Advertising cookies
- ❌ Third-party cookies
7. Children's Privacy
- Flowsta is not for children under 13 (16 in EU)
- We require birthdate during registration
- Parents can request deletion: privacy@flowsta.com
8. Security
Our Protections
- Zero-knowledge encryption
- HTTPS/TLS for all communications
- Regular security audits
- No sensitive data in server logs
Your Responsibilities
- Keep password secure
- Protect recovery phrase
- Use strong, unique passwords
9. Changes to This Policy
- 30 days notice for material changes
- Email notification
- Continued use = acceptance
10. Contact
- Privacy: privacy@flowsta.com
- Support: hello@flowsta.com
- Data Requests: flowsta.com/data-request
© {new Date().getFullYear()} Flowsta. All rights reserved.