← Back to Home

Privacy Policy

Last Updated: April 16, 2026

1. Information We Collect

This Privacy Policy describes how Flow, the operator of FLOW, collects, uses, and shares your personal information. We collect information necessary to provide and improve our services, including:

  • Account information (email, name)
  • Usage data (focus duration, habit streaks)
  • Calendar metadata (for Google Calendar integration users)

2. How We Use Information

We use your data to synchronize your tasks across devices, provide analytics on your productivity, and manage your subscription status.

3. Data Storage and Security

We use Supabase for secure data storage. Your data is encrypted in transit and at rest. We do not sell your personal data to third parties.

4. Data Sharing, Transfer, and Disclosure

We disclose Google user data only to the specific recipients below and only for the stated purpose:

  • Google APIs (Google LLC): Calendar data is sent to and retrieved from Google Calendar only to create, update, delete, and read events requested by the user.
  • Supabase (our processor): OAuth tokens and related account metadata are stored to keep the Google Calendar integration working securely across sessions.
  • Paddle (payment processor): Billing-related data is shared only to process subscriptions and payments.
  • Legal and safety disclosures: We may disclose limited data when required by law, regulation, legal process, or to investigate abuse, fraud, or security incidents.

We do not sell Google user data, we do not share Google user data with advertisers, and we do not use Google user data for AI/ML model training.

5. Your Rights

You have the right to access, rectify, or delete your personal data. You can manage your data settings within the FLOW application or contact us for assistance.

6. Google User Data Policy

FLOW's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. We only access the minimum necessary calendar data to provide task synchronization features.

FLOW requests only the following OAuth scopes — the minimum required to sign you in and synchronize events you create inside FLOW with your Google Calendar:

  • https://www.googleapis.com/auth/calendar.events — create, read, update, and delete events that FLOW authors on your behalf in your primary Google Calendar. FLOW does not read or modify any other events on your calendar.
  • https://www.googleapis.com/auth/userinfo.profile — read your basic Google profile (name and avatar) so FLOW can show you which Google account is connected. FLOW does not request email, openid, Google Drive, Gmail, Contacts, Tasks, People API, or any other Google scope.

7. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of any significant changes via the application or website.