Last updated: March 30, 2026
This policy describes how FlowTrux collects, uses, and protects your personal data. FlowTrux is operated by FlowTrux, registered in Lithuania. We act as the data controller for the personal data processed through our platform.
For privacy inquiries: support@flowtrux.com
Account data. When you sign up, we collect your name, email address, and password. Passwords are hashed using bcrypt and never stored in plaintext. If you sign in through an OAuth provider, we may also receive your profile image.
Organization and billing data. If you create an organization or subscribe to a paid plan, we collect your organization name, billing email, company name, address, and tax ID. Payment card details are handled entirely by Stripe. We do not store, see, or have access to your card numbers.
Workflow and usage data. We store the workflows you build, their execution history, and audit logs that record actions performed on the platform (including timestamps and IP addresses). We also track general feature usage and platform interactions to understand how the product is being used.
Technical data. We collect your IP address and browser user agent for security and audit purposes. Session tokens are stored in secure, httpOnly cookies.
We rely on four legal bases under GDPR Article 6:
Contractual necessity. We process your account, organization, and workflow data because we need it to provide the service you signed up for.
Legitimate interest. We process audit logs, IP addresses, and usage patterns for platform security, fraud prevention, and product improvement. You can object to processing based on legitimate interest at any time.
Legal obligation. We retain billing records and tax information as required by Lithuanian and EU tax law.
Consent. Where we ask for your explicit consent, such as for optional marketing communications, you can withdraw that consent at any time.
We use your data to operate and maintain the platform, authenticate your identity, process payments and manage subscriptions, send service notifications related to your account, billing, or security, monitor platform security and prevent abuse, maintain audit logs, and improve the product.
Stripe. Billing information (company name, address, email, tax ID) is shared with Stripe to process payments. Stripe acts as a data processor under a Data Processing Agreement. Their privacy policy is available at stripe.com/privacy.
Third-party services you configure. When you connect integrations such as MCP servers, Google Workspace, or Slack, data flows to those services based on the workflows you build. You control what data is sent through your workflow definitions.
AI providers. Workflow execution data may be sent to AI model providers (Anthropic, OpenAI, Google) depending on how your organization configures its workflows. API keys are encrypted at rest and managed per organization.
We do not sell your personal data. We do not use third-party analytics, advertising trackers, or remarketing tools.
Sensitive data such as API keys and server configurations is encrypted using AES-256-GCM. Passwords are hashed with bcrypt at 12 rounds. Session cookies use httpOnly, Secure, and SameSite attributes. All traffic is encrypted over HTTPS/TLS. Access to the platform is governed by role-based access control at the API level. Outbound requests include SSRF protection, and expression evaluation is sandboxed.
Account data is retained while your account is active and deleted when you delete your account.
Workflow execution history is retained based on your plan tier, typically between 7 and 30 days.
Audit logs are retained for 90 days for security and compliance purposes, then anonymized.
Billing records are retained as required by tax law, typically 7 years.
You have the right to:
To exercise any of these rights, contact support@flowtrux.com. We will respond within 30 days.
Your data may be processed outside the European Economic Area, for example when workflow execution involves AI providers hosted in the United States. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
FlowTrux is not intended for individuals under 16. We do not knowingly collect personal data from children.
If we make material changes, we will notify you by email or through a prominent notice on the platform before the changes take effect. Continued use of FlowTrux after notification constitutes acceptance of the updated policy.
If you believe your data protection rights have been violated, you have the right to file a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) at ada.lt, or with the supervisory authority in your country of residence.