Terms of Service

Effective Date: December 12, 2025
Last Updated: March 12, 2026

1. Acceptance of Terms

By creating a Flowsta identity, you agree to these Terms of Service and our Privacy Policy.

Requirements:

  • You must be 13+ years old (16+ in the European Union)
  • You are responsible for your account security
  • You understand the technical limitations of our zero-knowledge architecture
  • You agree to use Flowsta lawfully and in accordance with these Terms

2. Account & Security

Your Responsibilities

  • Keep your password secure - We cannot reset it due to our zero-knowledge architecture
  • Protect your recovery phrase - This is the only way to recover your account if you forget your password
  • Maintain access to your registered email - We use this for important account notifications
  • Notify us immediately of any unauthorized access to your account

Critical Zero-Knowledge Limitations

Due to our privacy-first architecture:

  • ❌ We cannot reset your password
  • ❌ We cannot recover your account without your recovery phrase
  • ❌ We cannot access your encrypted data
  • ⚠️ If you lose your recovery phrase, your account is permanently unrecoverable

3. Flowsta Vault Desktop App (Optional)

Flowsta Vault is an optional desktop application that runs a local Holochain conductor on your device.

Your Responsibilities

  • Secure your device — Your local signing keys are stored on your machine, encrypted with your password
  • Back up your data — Local Vault data is your responsibility; we have no access to it
  • Approve links carefully — Identity attestations created through Vault are permanent and cannot be revoked

Agent Linking

You can link your Vault identity with your web account or with third-party apps:

  • You see a clear approval dialog before any link is created
  • If you approve, a cryptographic attestation (IsSamePersonEntry) is committed to the public Holochain identity DHT
  • This attestation is immutable — it cannot be deleted or revoked after creation
  • The attestation contains only your public keys and signatures — no personal data
  • Your private keys never leave your device

Holochain Signing Service

Some apps may request permission to sign Holochain actions on your behalf:

  • Apps request signing permission through OAuth
  • You see a consent screen explaining what the app wants
  • If you approve, the app can sign actions using your Holochain agent key
  • Your private keys remain on Flowsta's conductor — only the signature is provided to the app
  • You can revoke signing permissions at any time
  • All signing activity is logged in your private Holochain data

3A. Two-Factor Authentication (Optional)

You can enable two-factor authentication (2FA) for additional login security.

How It Works

  • 2FA adds a time-based one-time password (TOTP) step after your password
  • Your TOTP secret and backup codes are stored encrypted in your private Holochain data (zero-knowledge)
  • We cannot recover your 2FA secret if you lose access to your authenticator app

Your Responsibilities

  • Save your backup codes — 8 backup codes are provided during setup; store them securely offline
  • Keep your authenticator app accessible — If you lose both your authenticator and all backup codes, you may be permanently locked out of your account
  • We cannot disable 2FA on your behalf due to our zero-knowledge architecture

4. Acceptable Use Policy

You May NOT Use Flowsta For:

1. Activities Creating Direct Legal Liability:

  • Child sexual abuse material (CSAM)
  • Credible threats of violence against specific individuals or groups

2. Infrastructure Abuse:

  • Automated attacks (DoS, spam)
  • API abuse beyond rate limits
  • Security compromise attempts

3. System Integrity Violations:

  • Large-scale identity theft
  • Systematic bot account creation
  • DHT manipulation attempts

What We Don't Enforce

  • We don't police speech or opinions
  • We don't moderate content on partner sites
  • Partner sites make their own moderation decisions
  • We provide identity infrastructure, not a content platform

5. Partner Site Independence

Each website using Flowsta sets its own policies:

  • ✅ Sites can ban users from their specific platform
  • ❌ Sites cannot delete your Flowsta identity
  • ✅ Your identity works across all sites unless specifically banned
  • ℹ️ Bans are site-specific, not system-wide

6. Enforcement & Suspension

If We Ban You

We will:

  • ✅ Delete your email from our database
  • ✅ Revoke all JWT tokens
  • ✅ Block API access

We cannot:

  • ❌ Delete your DID from Holochain DHT (immutable by design)
  • ❌ Access your encrypted private data
  • ❌ Stop you from using your keys
  • ❌ Block P2P DHT sync

Your Options After Ban

  • Your keys remain yours (via recovery phrase)
  • Your DID remains on DHT (censorship resistant)
  • You can self-host an Auth API if technically capable

7. Technical Limitations

You Acknowledge:

  1. Immutable DHT - Your DID cannot be deleted, by design for censorship resistance
  2. Immutable Agent Links - Identity attestations created via Vault cannot be deleted or revoked
  3. Zero-Knowledge - We cannot access your encrypted data, reset your password, or recover your 2FA secrets
  4. Recovery Phrase - The only way to recover your account - store it safely offline
  5. Vault Local Data - Data stored by the Vault desktop app is on your device and your responsibility

8. Cryptographic Autonomy License Compliance

Flowsta uses Holochain, which is licensed under the Cryptographic Autonomy License (CAL). This license ensures you maintain full control over your identity and data.

Your Data Rights Under CAL

  • Full Data Export: Export all your data at any time via Dashboard → Your Data
  • Recovery Phrase Access: Export your recovery phrase to set up your identity on any compatible Holochain conductor
  • No Data Withholding: We cannot and will not withhold your User Data (CAL Section 4.2.1)
  • No Technical Restrictions: We do not use technical measures to limit your access to your own data (CAL Section 4.2.2)
  • No Legal Restrictions: We do not contractually restrict your ability to use your data independently (CAL Section 4.2.3)
  • True Portability: Your identity can exist independently of Flowsta's services

What This Means

Your Flowsta identity is truly yours. Even if Flowsta ceased operations, you could use your recovery phrase to restore your identity on any compatible Holochain infrastructure. The export feature provides:

  • Your 24-word recovery phrase (BIP39 mnemonic)
  • Your DID and agent public key
  • Your email address (decrypted client-side)
  • Your activity history and connected sites
  • Your privacy settings

Zero-Knowledge Export

All decryption happens in your browser. We never see your decrypted data during export. Password verification is required to ensure only you can access your sensitive data.

9. Service Availability

  • We strive for 99.9% uptime
  • Service provided "as is" without warranty
  • Your identity survives on the DHT even if we shut down

10. Fees & Premium Features

10.1 Basic Identity (Free)

  • Account creation and login
  • 8+ character usernames
  • Use across all partner sites

10.2 Premium Subscription ($10/month or $120/year)

  • Priority support (ticket creation)
  • 6-7 character usernames included
  • Access to purchase Premium+ usernames
  • Auto-renews unless cancelled
  • Cancellation takes effect at end of billing period (no prorated refunds)

10.3 Premium+ Usernames (Annual Only)

Premium+ usernames allow shorter, more memorable usernames:

LengthAnnual Price
5 characters$50/year
4 characters$100/year
3 characters$200/year
2 characters$400/year
1 character$800/year

Requirements & Terms:

  • Requires active Premium subscription - You cannot purchase a Premium+ username without first having Premium
  • One username per account - You can only have one username at a time
  • First-come-first-serve - Username availability is not guaranteed
  • No refunds when changing to a different Premium+ username tier (your previous subscription is cancelled immediately)
  • Auto-cancelled when Premium subscription ends
  • Username released when subscription ends - It becomes available for others to claim

10.4 Username Changes

  • You may change your username at any time (subject to availability and tier restrictions)
  • Changing from a Premium+ username to another Premium+ tier requires a new purchase
  • Changing from a Premium+ username to a 6+ character username cancels your Premium+ subscription (no refund)
  • When Premium ends, your username is cleared and you must set a new 8+ character username (if desired)

10.5 Reserved Usernames

Some usernames may be reserved (brand names, offensive terms, etc.) and unavailable for purchase. Reserved usernames may be assigned to verified owners upon request.

11. Termination

You Can:

  • Delete your account via settings
  • Request data deletion (GDPR)

We Can:

  • Terminate for Terms violations
  • Terminate with 30 days notice

Effect:

  • API access revoked
  • Email deleted from database
  • DID remains on DHT (immutable)
  • Your keys remain yours

12. Governing Law & Contact

Jurisdiction: Victoria, Australia

Contact:

Changes to These Terms

We may update these Terms from time to time. We will notify you of material changes via:

  • Email notification (30 days advance notice)
  • Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Terms.