Terms of Service

Effective Date: December 12, 2025
Last Updated: January 24, 2026

1. Acceptance of Terms

By creating a Flowsta identity, you agree to these Terms of Service and our Privacy Policy.

Requirements:

  • You must be 13+ years old (16+ in the European Union)
  • You are responsible for your account security
  • You understand the technical limitations of our zero-knowledge architecture
  • You agree to use Flowsta lawfully and in accordance with these Terms

2. Account & Security

Your Responsibilities

  • Keep your password secure - We cannot reset it due to our zero-knowledge architecture
  • Protect your recovery phrase - This is the only way to recover your account if you forget your password
  • Maintain access to your registered email - We use this for important account notifications
  • Notify us immediately of any unauthorized access to your account

Critical Zero-Knowledge Limitations

Due to our privacy-first architecture:

  • ❌ We cannot reset your password
  • ❌ We cannot recover your account without your recovery phrase
  • ❌ We cannot access your encrypted data
  • ⚠️ If you lose your recovery phrase, your account is permanently unrecoverable

3. Holochain Signing Service (Optional)

Some apps may request permission to sign Holochain actions on your behalf using your agent key. This is completely optional.

How It Works

  • Apps request holochain:sign permission during login
  • You see a clear consent screen explaining what the app can do
  • If you approve, the app can request cryptographic signatures using your identity
  • Your private keys never leave Flowsta - only signatures are provided to apps

Your Control

  • View all apps with signing permission in your dashboard
  • See signing activity (when apps signed on your behalf)
  • Revoke permissions instantly at any time
  • All activity is logged in your private Holochain data

4. Acceptable Use Policy

You May NOT Use Flowsta For:

1. Activities Creating Direct Legal Liability:

  • Child sexual abuse material (CSAM)
  • Credible threats of violence against specific individuals or groups

2. Infrastructure Abuse:

  • Automated attacks (DoS, spam)
  • API abuse beyond rate limits
  • Security compromise attempts

3. System Integrity Violations:

  • Large-scale identity theft
  • Systematic bot account creation
  • DHT manipulation attempts

What We Don't Enforce

  • We don't police speech or opinions
  • We don't moderate content on partner sites
  • Partner sites make their own moderation decisions
  • We provide identity infrastructure, not a content platform

5. Partner Site Independence

Each website using Flowsta sets its own policies:

  • ✅ Sites can ban users from their specific platform
  • ❌ Sites cannot delete your Flowsta identity
  • ✅ Your identity works across all sites unless specifically banned
  • ℹ️ Bans are site-specific, not system-wide

6. Enforcement & Suspension

If We Ban You

We will:

  • ✅ Delete your email from our database
  • ✅ Revoke all JWT tokens
  • ✅ Block API access

We cannot:

  • ❌ Delete your DID from Holochain DHT (immutable by design)
  • ❌ Access your encrypted private data
  • ❌ Stop you from using your keys
  • ❌ Block P2P DHT sync

Your Options After Ban

  • Your keys remain yours (via recovery phrase)
  • Your DID remains on DHT (censorship resistant)
  • You can self-host an Auth API if technically capable

7. Technical Limitations

You Acknowledge:

  1. Immutable DHT - Your DID cannot be deleted, by design for censorship resistance
  2. Zero-Knowledge - We cannot access your encrypted data or reset your password
  3. Recovery Phrase - The only way to recover your account - store it safely offline

8. Cryptographic Autonomy License Compliance

Flowsta uses Holochain, which is licensed under the Cryptographic Autonomy License (CAL). This license ensures you maintain full control over your identity and data.

Your Data Rights Under CAL

  • Full Data Export: Export all your data at any time via Dashboard → Your Data
  • Recovery Phrase Access: Export your recovery phrase to set up your identity on any compatible Holochain conductor
  • No Data Withholding: We cannot and will not withhold your User Data (CAL Section 4.2.1)
  • No Technical Restrictions: We do not use technical measures to limit your access to your own data (CAL Section 4.2.2)
  • No Legal Restrictions: We do not contractually restrict your ability to use your data independently (CAL Section 4.2.3)
  • True Portability: Your identity can exist independently of Flowsta's services

What This Means

Your Flowsta identity is truly yours. Even if Flowsta ceased operations, you could use your recovery phrase to restore your identity on any compatible Holochain infrastructure. The export feature provides:

  • Your 24-word recovery phrase (BIP39 mnemonic)
  • Your DID and agent public key
  • Your email address (decrypted client-side)
  • Your activity history and connected sites
  • Your privacy settings

Zero-Knowledge Export

All decryption happens in your browser. We never see your decrypted data during export. Password verification is required to ensure only you can access your sensitive data.

9. Service Availability

  • We strive for 99.9% uptime
  • Service provided "as is" without warranty
  • Your identity survives on the DHT even if we shut down

10. Fees & Premium Features

10.1 Basic Identity (Free)

  • Account creation and login
  • 8+ character usernames
  • Use across all partner sites

10.2 Premium Subscription ($10/month or $120/year)

  • Priority support (ticket creation)
  • 6-7 character usernames included
  • Access to purchase Premium+ usernames
  • Auto-renews unless cancelled
  • Cancellation takes effect at end of billing period (no prorated refunds)

10.3 Premium+ Usernames (Annual Only)

Premium+ usernames allow shorter, more memorable usernames:

LengthAnnual Price
5 characters$50/year
4 characters$100/year
3 characters$200/year
2 characters$400/year
1 character$800/year

Requirements & Terms:

  • Requires active Premium subscription - You cannot purchase a Premium+ username without first having Premium
  • One username per account - You can only have one username at a time
  • First-come-first-serve - Username availability is not guaranteed
  • No refunds when changing to a different Premium+ username tier (your previous subscription is cancelled immediately)
  • Auto-cancelled when Premium subscription ends
  • Username released when subscription ends - It becomes available for others to claim

10.4 Username Changes

  • You may change your username at any time (subject to availability and tier restrictions)
  • Changing from a Premium+ username to another Premium+ tier requires a new purchase
  • Changing from a Premium+ username to a 6+ character username cancels your Premium+ subscription (no refund)
  • When Premium ends, your username is cleared and you must set a new 8+ character username (if desired)

10.5 Reserved Usernames

Some usernames may be reserved (brand names, offensive terms, etc.) and unavailable for purchase. Reserved usernames may be assigned to verified owners upon request.

11. Termination

You Can:

  • Delete your account via settings
  • Request data deletion (GDPR)

We Can:

  • Terminate for Terms violations
  • Terminate with 30 days notice

Effect:

  • API access revoked
  • Email deleted from database
  • DID remains on DHT (immutable)
  • Your keys remain yours

12. Governing Law & Contact

Jurisdiction: Victoria, Australia

Contact:

Changes to These Terms

We may update these Terms from time to time. We will notify you of material changes via:

  • Email notification (30 days advance notice)
  • Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Terms.