Flowline
Last updated: May 25, 2026

Privacy Policy

At Flowline, protecting your personal data is a priority. This policy transparently explains how we handle your information.

1. Introduction

Flowline is a personal productivity app that helps you organize your tasks, lists, subtasks, timers, and calendar events. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use Flowline, in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

2. Data Controller

Flowline is the data controller responsible for processing your personal data. For any questions regarding this policy or to exercise your rights, contact us at privacy@flowline.app.

3. Data We Collect

3.1 Data you provide directly

  • Account information: email address, password (hashed), timezone
  • App content: tasks, lists, subtasks, mentions, tags, calendar events, categories, timers, and work sessions
  • Media files: images or attachments you upload (stored via Cloudinary)

3.2 Data collected automatically

  • Session data: session ID, authentication cookies, login timestamps
  • Technical data: IP address, browser type, operating system, pages visited

3.3 Data from third-party services

If you sign in with Google: email address, name, and profile picture via OAuth 2.0. If you enable the Google Calendar integration: calendar events (title, description, dates), OAuth access token and refresh token stored securely. Google Calendar events are fetched in read-only mode and are not permanently stored in our database.

5. Data Sharing

We never sell your data. It may be shared only with the technical sub-processors necessary to operate Flowline:

Vercel

Hosting and deployment · United States

Neon / PostgreSQL

Database · Cloud

Cloudinary

Media storage · United States

Resend

Transactional emails · United States

Inngest

Background job processing · United States

Google

OAuth & Calendar API · If used

These sub-processors only have access to data strictly necessary for their services and are bound by contractual confidentiality obligations.

6. International Data Transfers

Some of our sub-processors are established outside the European Economic Area (EEA), particularly in the United States. These transfers are governed by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

Data typeRetention period
Account data (email, profile)Until account deletion
App content (tasks, events, timers)Until account deletion
Google OAuth tokensUntil Google disconnection or account deletion
Session data5 minutes (cache) then automatic expiry
Technical logsMaximum 90 days

8. Data Security

  • Passwords stored as hashes, never in plain text
  • OAuth tokens accessible server-side only
  • All communications encrypted via HTTPS/TLS
  • Secure sessions with httpOnly cookies
  • Data access restricted on a least-privilege basis
  • Secure infrastructure via Vercel and Neon

9. Your Rights

Right to access

Obtain a copy of your personal data

Right to rectification

Correct inaccurate or incomplete data

Right to erasure

Delete your account from the app settings

Right to portability

Receive your data in a structured format

Right to objection

Object to processing based on our legitimate interest

Right to restriction

Request restriction of processing in certain cases

Right to withdraw consent

Disconnect Google Calendar at any time

To exercise your rights, contact us at privacy@flowline.app. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in France: CNIL).

10. Cookies

Flowline only uses strictly necessary cookies to operate the application (maintaining your authentication session). We do not use any advertising, tracking, or third-party analytics cookies.

11. Google Calendar Integration

When you enable the Google Calendar integration:

  • Flowline requests read-only access to your calendars via scopes calendar.readonly and calendar.events.readonly
  • Flowline cannot create, modify, or delete events in your Google Calendar
  • Events are fetched on demand and not permanently stored in our database
  • Your OAuth token is stored securely on the server side only
  • Revocable at any time from the app or directly from myaccount.google.com/permissions
  • Disconnecting immediately removes the sync record and hides your Google events from Flowline

12. Account Deletion

You can delete your account at any time from the app settings. Deletion will result in:

  • Permanent deletion of all your personal data (profile, tasks, events, timers)
  • Revocation of all associated OAuth tokens
  • Deletion of all Google Calendar sync data

This action is irreversible.

13. Minors

Flowline is not intended for persons under the age of 16. If you become aware that a minor has provided us with personal data, please contact us at privacy@flowline.app.

14. Changes to This Policy

We may update this Privacy Policy from time to time. In the event of a material change, we will notify you by email or via an in-app notification before the changes take effect. The date of the last update is shown at the top of this page.

15. Contact

Questions about your data?

Contact us at privacy@flowline.app. We respond within 30 business days.

© 2026 Flowline. All rights reserved.

Privacy Policy — Flowline