Privacy Policy
Last updated: March 27, 2026
OSAIX LLC ("OSAIX," "we," "us," or "our") operates the Flo.Studio platform ("the Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Platform. It applies to all users worldwide and addresses specific requirements under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws.
This Privacy Policy is part of our Terms of Service and End User License Agreement. By using the Platform, you consent to the practices described herein.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization name. If you sign in via a third-party provider (Google, Microsoft), we receive your name and email from that provider.
Billing Information
When you subscribe to a paid plan, payment information (credit card number, billing address) is collected and processed directly by Stripe. We receive only a tokenized reference, the last four digits of your card, card type, and billing status. We never see or store your full card number.
Content You Create
Process flows, discovery notes, feedback, RACI assignments, task assignments with due dates, compliance tags, AI-generated reports, and any other content you create within the Platform ("User Content").
Usage Data
We collect anonymous usage data including pages visited, features used, session duration, and device type. This data is used to improve the Platform and is not linked to your identity.
Technical Data
Browser type, operating system, IP address (for security and rate limiting only), and device characteristics.
Communication Data
If you contact us via email, submit a support request, or participate in surveys, we collect the content of those communications.
2. How We Use Your Information
- Provide the Service — Store and display your process flows, enable collaboration, generate exports, and manage task assignments.
- AI Features — When you use AI features, your flow data is sent to Anthropic's Claude API to generate analyses, reports, and sub-processes. Each request is processed in real time; under Anthropic's commercial API terms, the data is not used to train models and is not retained beyond the request processing window (see Section 6 for exactly which fields are sent).
- Improve the Platform — Anonymous usage analytics help us understand which features are most valuable and prioritize development.
- Communication — Account-related emails (password resets, billing confirmations, subscription changes) via Resend, and optional product updates (you can unsubscribe at any time).
- Security — Detect and prevent unauthorized access, fraud, and abuse.
- Legal Compliance — Comply with legal obligations, respond to lawful requests, and enforce our agreements.
3. What We Do NOT Do
- We do NOT sell your personal information or User Content to third parties.
- We do NOT use your User Content to train AI models.
- We do NOT share your data with other customers or organizations.
- We do NOT access your User Content unless required for support at your request.
- We do NOT use advertising cookies or third-party tracking pixels.
- We do NOT engage in "sharing" of personal information as defined under the CCPA/CPRA for cross-context behavioral advertising.
4. Lawful Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, we process personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Providing the Platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| AI-powered analysis of User Content | Performance of contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Platform improvement analytics | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails | Performance of contract (Art. 6(1)(b)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. Data Storage & Security
Your data is stored on Supabase (PostgreSQL) with the following protections:
- Encryption at rest — All database content is encrypted using AES-256.
- Encryption in transit — All connections use TLS 1.3.
- Row-Level Security — PostgreSQL row-level security policies restrict every query to rows belonging to the requesting user's organization. This isolation is enforced in the database itself, not only in application code, so a request authenticated as one organization cannot read or modify another organization's data even if it reaches the database directly.
- Access controls — Administrative access requires multi-factor authentication.
- Backups — Daily automated backups with 30-day retention.
- Monitoring — Continuous security monitoring with automated alerting for anomalous access patterns.
The Platform is hosted on Vercel's edge network with global CDN distribution. Primary data processing occurs in the United States.
6. AI Data Processing
When you use AI features (sub-process generation, analysis, custom reports, compliance suggestions), the following data is sent to Anthropic's Claude API:
- Process flow node labels and descriptions
- Edge connections between nodes
- Discovery feedback (status, notes, pain points)
- Client name and industry (if provided)
- Your custom prompt (for custom reports)
Anthropic processes this data under their Privacy Policy. Under their commercial API terms, your data is not used for model training and is not retained beyond the request processing window.
Automated Decision-Making Disclosure
The Platform's AI features involve automated processing of User Content to generate outputs such as sub-process flows, compliance tags, RACI suggestions, and analysis reports. These AI outputs are recommendations only and are always presented for your review before being incorporated into your work. No automated decisions are made that produce legal or similarly significant effects on users without human review. You have the right to not use AI features and to override or discard any AI-generated output.
7. Third-Party Services & Subprocessors
| Service | Purpose | Data Shared | Processing Location |
|---|---|---|---|
| Supabase | Database, authentication | Account info, User Content | United States |
| Vercel | Hosting, deployment | Request logs (anonymized) | Global (edge network) |
| Anthropic (Claude) | AI analysis, generation | Flow data (per-request only) | United States |
| Stripe | Payment processing | Billing info (tokenized; we never see full card numbers) | United States |
| Resend | Transactional email delivery | Email address, email content (account notifications, password resets) | United States |
We maintain agreements with each subprocessor that include data protection obligations substantially similar to those in this Privacy Policy. We will update this list when subprocessors change and provide notice as required by applicable law.
8. International Data Transfers
The Platform is operated from the United States. If you are accessing the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our subprocessors operate.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) — We use the European Commission's Standard Contractual Clauses as the primary mechanism for lawful data transfers to countries without an adequate level of data protection.
- Data Processing Agreements — Our subprocessors maintain appropriate transfer mechanisms, including SCCs and, where applicable, certifications under recognized frameworks.
- Supplementary Measures — We implement technical and organizational measures (encryption, access controls, pseudonymization where feasible) to supplement transfer mechanisms and protect personal data during and after transfer.
Enterprise customers may request a Data Processing Agreement (DPA) that includes Standard Contractual Clauses by contacting privacy@flostudio.ai.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Rights for All Users
- Access — Request a copy of all personal data we hold about you.
- Export — Download your process flows and data at any time via the Platform's export features.
- Delete — Request deletion of your account and all associated personal data.
- Correct — Update or correct your account information at any time.
- Restrict — Opt out of optional analytics and marketing communications.
Additional Rights Under GDPR (EEA, UK, Switzerland)
- Right to object — Object to processing based on legitimate interests.
- Right to data portability — Receive your personal data in a structured, commonly used, machine-readable format.
- Right to withdraw consent — Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint — Lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.
- Right to restrict processing — Request that we restrict processing of your personal data under certain circumstances (e.g., while we verify the accuracy of your data).
Additional Rights Under CCPA/CPRA (California Residents)
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share personal information.
- Right to delete — Request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale or sharing — We do not sell or share (as defined under CCPA/CPRA) your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may still submit a request for confirmation.
- Right to correct — Request correction of inaccurate personal information.
- Right to limit use of sensitive personal information — We do not use or disclose sensitive personal information for purposes beyond those permitted under CCPA/CPRA.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge different prices, provide a different level or quality of service, or suggest that you will receive a different price or level of service for exercising your rights.
To exercise any of these rights, contact privacy@flostudio.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.
10. Data Controller & Contact
OSAIX LLC is the data controller for personal data processed through the Platform.
- Data controller: OSAIX LLC
- Privacy inquiries & DPO contact: privacy@flostudio.ai
- General support: support@flostudio.ai
For GDPR-related inquiries, EEA and UK residents may also contact their local data protection supervisory authority. A list of EU data protection authorities is available at the European Data Protection Board website.
11. Data Retention
We retain your data according to the following schedule:
| Data Category | Retention Period |
|---|---|
| Account information (name, email, org) | Duration of account + 30 days after deletion request |
| User Content (process flows, notes, tasks) | Duration of account + 30 days after deletion request |
| Billing records | 7 years (legal/tax compliance requirement) |
| Usage analytics (anonymized) | Retained indefinitely (not linked to identity) |
| Security logs (IP addresses, access logs) | 90 days |
| Support communications | 3 years after last interaction |
| AI request/response logs | Not retained as logs (processed in real time, discarded after response). AI outputs that you keep become part of your User Content and follow the User Content retention period. |
| Backup copies | Purged within 90 days after primary data deletion |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized.
12. Cookies & Local Storage
Cookies We Use
| Cookie Type | Purpose | Required? |
|---|---|---|
| Authentication cookies | Login sessions (Supabase auth) | Yes (essential) |
| Session preferences | UI state, theme, language | Yes (functional) |
Local Storage
We use browser localStorage to store autosaved work, UI preferences, and an AI subflow cache locally on your device. This data does not leave your browser unless synced to Supabase. Note that localStorage is written to your device by your browser and is not encrypted by the Platform, so anyone with access to your browser profile can read it; clearing your browser's site data removes it.
Cookies We Do NOT Use
We do not use advertising cookies, third-party tracking pixels, social media tracking widgets, or analytics cookies that link to personal identity. No cookie consent banner is required because we only use strictly necessary and functional cookies.
Cookie Preferences
Since we only use essential and functional cookies, there are no optional cookies to manage. If future updates introduce optional cookies (e.g., analytics), we will implement a cookie consent mechanism and update this policy accordingly.
13. Children's Privacy (COPPA)
The Platform is not directed at children under the age of 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we become aware that we have inadvertently collected personal information from a child under the applicable age, we will take prompt steps to delete such information from our systems.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@flostudio.ai so we can take appropriate action.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, OSAIX will:
- GDPR (EEA/UK): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- CCPA/CPRA (California): Notify affected California residents without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach.
- General: Notify affected users without unreasonable delay via email and/or in-app notification.
Breach notifications will include: a description of the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach.
15. Data Processing Agreements
Enterprise and Team plan customers who require a Data Processing Agreement (DPA) for GDPR compliance or other regulatory requirements may request one by contacting privacy@flostudio.ai.
Our standard DPA includes:
- Standard Contractual Clauses (SCCs) for international transfers
- Technical and organizational security measures (Annex II)
- Subprocessor list and notification procedures
- Data subject rights assistance obligations
- Breach notification procedures
- Data return and deletion upon termination
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or in-app notification at least thirty (30) days before such changes take effect.
We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when this Privacy Policy was most recently revised. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the revised Privacy Policy.
17. Contact
For privacy inquiries, data subject requests, or to exercise any of your rights:
- Privacy & DPO contact: privacy@flostudio.ai
- General support: support@flostudio.ai
- Entity: OSAIX LLC