Privacy Policy

Effective Date: December 12, 2025
Last Updated: January 24, 2026

---

1. Introduction

Flowsta provides censorship-resistant digital identity using zero-knowledge encryption and Holochain distributed technology.

Key Principle: By design, we CANNOT access your encrypted private data.

---

2. Data We Collect

2.1 Minimal Database Storage (PostgreSQL)

What We DON'T Store in Our Database:

• ❌ Passwords (zero-knowledge)
• ❌ Private keys (you control these)
• ❌ Recovery phrases
• ❌ Activity timestamps
• ❌ Profile pictures
• ❌ IP addresses
• ❌ Browser/device information

2.2 Your Private Data (Holochain - Encrypted)

Stored on your private Holochain source chain, encrypted with your password:

• Encrypted email
• Display name
• Recovery phrase
• Login history
• Dashboard activity
• OAuth authorizations
• Privacy settings

Critical: We cannot decrypt this data. Your password never leaves your device.

Data Export (CAL Compliance):

All your private Holochain data can be exported at any time via Dashboard → Your Data. The export includes your recovery phrase, which is required to restore your identity on another Holochain conductor. Export is performed with zero-knowledge - decryption happens entirely in your browser, and we never see your decrypted data.

2.3 Public Data (Holochain DHT - Immutable)

• W3C DID
• Profile picture (identicon or custom)
• Registration timestamp

Important: This data cannot be deleted - it's immutable by design for censorship resistance.

2.4 Premium Billing Data (If You Subscribe)

If you subscribe to Premium or purchase Premium+ usernames:

Stored in Our Database (Minimal):

Processed by Stripe (Third Party):

Privacy Protection:

• We use a proxy email when creating your Stripe customer account (your real email is not shared with Stripe)
• We do not store credit card numbers or payment details
• Stripe is PCI DSS compliant

2.5 Support Services (Gleap)

We use Gleap, a third-party support platform, to provide AI chat assistance and support ticket management.

For Anonymous (Not Logged In) Users:

For Authenticated Users:

Privacy Protection:

• Data is only shared when you open the support widget (AI chat or ticket creation)
• Anonymous users can access the AI chat without providing any personal information
• Authenticated users' data is shared to enable personalized support and ticket tracking
• Gleap is GDPR-compliant and bound by their privacy policy
• Support chat transcripts and tickets are retained by Gleap per their data retention policy

Your Control:

• You can use the AI assistant anonymously without logging in
• If authenticated, you can request deletion of your support data by contacting privacy@flowsta.com
• Ticket transcripts can be provided upon request

2.6 Holochain Signing Permissions (If You Grant Them)

If you authorize apps to sign Holochain actions on your behalf:

In Our Database:

• Which apps have permission
• When permission was granted/revoked
• Number of times each app has signed

In Your Holochain (Encrypted):

• Signing activity log (what actions were signed)
• Action timestamps
• Action hashes (SHA256 only - not actual content)

Privacy Protection:

• We never store the content of what was signed
• Your private signing keys never leave our Holochain conductor
• Apps receive only the signature, never your private key
• You can revoke permissions instantly

2.7 What We DON'T Log

Unlike most services, we do NOT collect:

• ❌ IP addresses (removed from all logs)
• ❌ Browser/device information (removed from all logs)
• ❌ Detailed browsing behavior
• ❌ Location data

Our API logs contain only: endpoint, method, status code, response time.

---

3. How We Use Your Data

Account Management

• Authenticate you when you log in
• Provide identity verification to partner sites

What We DON'T Do

• ❌ Sell your data
• ❌ Use for targeted advertising
• ❌ Share without consent
• ❌ Read your encrypted data (we can't)
• ❌ Train AI models on your data

---

4. Data Sharing

With Partner Sites (Your Consent)

• When you use "Sign in with Flowsta"
• Via OAuth consent screen
• They receive: DID, display name, username, profile picture, agent key
• They can request email (you approve on consent screen)
• If you grant holochain:sign permission, they can request signatures (but never receive your private keys)

With Service Providers

• Google Cloud (hosting)
• Stripe (Premium billing only) - we use a proxy email, your real email is not shared
• Gleap (support services) - receives contact data when you use the support widget
• Bound by confidentiality agreements

With Law Enforcement (When Required)

• Valid legal process only
• We provide: email, login method
• We cannot provide: encrypted data, passwords, activity logs

---

5. Your Rights

Right to Access

• Download your account data
• Export your Holochain data (you own it)

Right to Erasure

We will delete:

• ✅ Your email from our database
• ✅ Your session data

We cannot delete:

• ❌ Your DID from public DHT (immutable)
• ❌ Your profile picture from DHT (immutable)

Right to Portability (CAL Compliance)

Flowsta uses Holochain, licensed under the Cryptographic Autonomy License (CAL), which guarantees your right to full control of your data:

• Complete Data Export: Download all your data via Dashboard → Your Data, including:

  • Your recovery phrase (24-word BIP39 mnemonic)
  • Your DID and agent public key
  • Your email (decrypted client-side)
  • Activity history and connected sites
  • Privacy settings and metadata

• True Identity Portability: Your recovery phrase allows you to:

  • Restore your identity on any compatible Holochain conductor
  • Operate independently of Flowsta's infrastructure
  • Maintain your cryptographic identity even if Flowsta ceases operations

• Zero-Knowledge Export: All decryption happens in your browser. We never see your decrypted data during export.

• No Restrictions: In compliance with CAL Sections 4.2.1-4.2.3, we do not impose technical or legal restrictions on your ability to access or use your own data.

---

6. Cookies

Session Cookie (flowsta_session)

• Purpose: Maintain login across Flowsta services
• Duration: 7 days (auto-renewed)
• Security: HTTP-only, HTTPS-only
• Classification: Strictly necessary (cannot be disabled)

We Do NOT Use:

• ❌ Tracking cookies
• ❌ Advertising cookies
• ❌ Third-party cookies

---

7. Children's Privacy

• Flowsta is not for children under 13 (16 in EU)
• We require birthdate during registration
• Parents can request deletion: privacy@flowsta.com

---

8. Security

Our Protections

• Zero-knowledge encryption
• HTTPS/TLS for all communications
• Regular security audits
• No sensitive data in server logs

Your Responsibilities

• Keep password secure
• Protect recovery phrase
• Use strong, unique passwords

---

9. Changes to This Policy

• 30 days notice for material changes
• Email notification
• Continued use = acceptance

---

10. Governing Law

Jurisdiction: Victoria, Australia

This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of Victoria, Australia. Any legal proceedings shall be brought in the courts of Victoria, Australia.

---

11. Contact

• Privacy: privacy@flowsta.com
• Support: flowsta.com/support