FlowDrop LogoFlowDrop

Flowdrop Privacy Policy

Effective Date: December 19, 2024

1. Who We Are

Flowdrop, Inc. ("Flowdrop," "we," "our," or "us") provides an AI‑powered visual workflow builder available at https://flowdrop.xyz (the "Service").

2. Scope

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Service, including when you sign in with Google OAuth.

3. Information We Collect

3.1 Google Account Information (OAuth)

  • Google user ID
  • Name
  • Email address
  • Profile picture URL

Scopes requested: baseline "email" and "profile" for sign‑in. Optional Google Workspace scopes are requested only when you connect an integration or enable a node that needs them (see §3.4).

3.2 Other Information You Provide

  • Account credentials you set (e.g., password if you create one)
  • Content created in the Flowdrop builder (workflow metadata)
  • Support requests, feedback, or survey responses

3.3 Automatically Collected Information

  • Usage data (pages visited, nodes created, interactions)
  • Device and log data (IP address, browser type, date/time)

3.4 Google Workspace Scopes (Optional Integrations)

If you connect Google integrations or enable nodes that operate on your Google content, Flowdrop may request additional scopes. We request the minimum scope needed and prefer per‑file access whenever possible.

Gmail (Restricted)

  • Scopes: https://www.googleapis.com/auth/gmail.readonly, .../gmail.modify, .../gmail.compose, .../gmail.send, and related label/settings scopes (no IMAP/SMTP unless explicitly configured).
  • Use: Read message metadata/bodies as required by a node you create; draft and send messages; manage labels; process replies.
  • Storage: By default we do not store email bodies. We may store message IDs, thread IDs, label names, timestamps, and delivery status for workflow logs. If you configure a node to persist content (e.g., save an email to a database), we store only what your node instructs.

Drive (Sensitive)

  • Scopes: Prefer drive.file (per‑file access to files created/opened with Flowdrop). We may request drive.readonly or broader access only if your workflow requires cross‑Drive operations you explicitly enable.
  • Use: Read/write files referenced by your workflows; manage file metadata necessary for automation (e.g., IDs, revisions).

Docs (Sensitive)

  • Scopes: https://www.googleapis.com/auth/documents.readonly, https://www.googleapis.com/auth/documents.
  • Use: Read and update Google Docs specified by your workflows (e.g., generate a report, replace placeholders).

Sheets (Sensitive)

  • Scopes: https://www.googleapis.com/auth/spreadsheets.readonly, https://www.googleapis.com/auth/spreadsheets.
  • Use: Read ranges and write updates in spreadsheets selected in your nodes (e.g., append a row, update cells).

Calendar (Sensitive)

  • Scopes: https://www.googleapis.com/auth/calendar.events.readonly, https://www.googleapis.com/auth/calendar.events.
  • Use: Read, create, update, and delete events in calendars you select in a node.

3.5 Offline Access & Tokens

Some automations need to run when you are offline. If you opt in, we request offline access (refresh tokens) and store tokens encrypted at rest. You can revoke access at any time from in‑app settings or at https://myaccount.google.com/permissions.

3.6 Data Minimization & Retention for Google Data

We minimize collection and storage: we process content in memory where feasible; we store IDs, file paths, ranges, and metadata needed for reliability and auditing. We retain logs for the shortest period necessary and purge or anonymize them per §8.

3.7 Human Access

Humans do not read your Google content except (i) with your explicit consent for support, (ii) for security/abuse review, or (iii) where required by law. Access is limited to authorized personnel under confidentiality and logging.

3.8 Third‑Party Transfers

We do not sell Google user data. We do not transfer Google user data except to sub‑processors necessary to provide the Service (e.g., hosting) under data‑processing agreements, or as required by law.

4. How We Use Information

We use your information to:

  • Authenticate and secure your account
  • Save and synchronize your workflows
  • Personalize your experience
  • Provide customer support
  • Monitor, analyze, and improve the Service
  • Communicate product updates and marketing (with your opt‑out consent)

5. Google User Data – Limited Use Compliance

We handle Google user data in accordance with Google's Limited Use requirements:

  • We only use Google user data to provide user‑facing features that are prominent in Flowdrop (e.g., signing in and displaying your name and avatar).
  • We do not transfer or sell Google user data to third parties, except as necessary to operate the Service with your consent, for security, or to comply with the law.
  • Humans do not read Google user data unless (i) you give us explicit permission; (ii) it is required for security or legal compliance; or (iii) the data is aggregated and anonymized for internal operations.
  • We do not use Google user data for advertising, creditworthiness, or lending decisions.

6. Legal Bases (EEA/UK)

We rely on contract (Art. 6(1)(b) GDPR) to process Google OAuth data needed to provide the Service, and on legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)) for analytics and marketing.

7. Sharing of Information

We share information only with:

  • Service providers who process data under strict data‑processing agreements (e.g., hosting on Vercel and Supabase, analytics, payment processors).
  • Authorities if required by law or to protect rights and safety.
  • In connection with a merger, acquisition, or sale of assets, with notice to you.

We do not sell personal information.

8. Data Retention & Deletion

We retain account data while your account is active. You may delete your account at any time from your profile settings; this permanently deletes your workflows and Google user data within 30 days unless longer retention is required by law.

You may revoke Flowdrop's access to your Google account at https://myaccount.google.com/permissions.

9. Security

We use TLS encryption in transit, AES‑256 encryption at rest, least‑privilege access controls, periodic security reviews, and continuous monitoring. No method of transmission or storage is completely secure, but we strive to protect your data.

10. Your Rights

Depending on where you live, you may have rights to access, correct, delete, or restrict your personal information, object to processing, opt out of marketing, or export your data. Email [email protected] to exercise these rights. California residents may exercise CCPA rights; we do not sell personal information.

11. Children

Flowdrop is not directed to children under 13, and we do not knowingly collect their data.

12. International Transfers

We store data in the United States. When transferring data internationally, we rely on Standard Contractual Clauses or other lawful mechanisms.

13. Changes to This Policy

We may update this Policy periodically. We will post the new version on our site and, if material, notify you by email or in‑product notice. The "Effective Date" above will reflect the latest revision.

14. Contact

Flowdrop, Inc.
Attn: Flowdrop Team
7905 Hope Valley Ct, Adamstown, MD, 21710, USA
Email: [email protected]