Effective: 2026-04-10 · Last updated: 2026-04-10 · Version 0.1 (Draft)
Draft — pending legal review
This document is a working draft. It must be reviewed by qualified legal counsel before Flownex is made publicly available. Do not rely on this text as final legal terms.
Flownex was built to be GDPR-compliant by architecture, not by policy. The most effective data protection measure is to never collect the data in the first place — which is why the Flownex backend has no endpoint capable of receiving source code, LLM prompts, or LLM responses. This page explains how we comply with the UK GDPR and EU GDPR and what your rights are as a data subject.
Data controller
For personal data processed through Flownex, the data controller is:
Legal obligation (Art. 6(1)(c)) — retaining billing records for UK tax law.
Data minimisation
Flownex's architecture enforces data minimisation:
No source code on Flownex servers. The plugin sends code directly to your chosen LLM provider. Our backend has no API endpoint that accepts source code. This is enforced in the code, not in a policy.
No LLM prompts or responses. Your prompts and the LLM's replies never reach Flownex Ltd.
No credentials. LLM API keys, Jira tokens, Figma tokens, and GitHub PATs are stored exclusively in your operating system's keychain and never leave your machine.
Minimal WorkUnit metadata. We store status, node name, retry count, timestamps, and outcome — nothing about the actual content of a WorkUnit.
Logs are redacted. Backend logs contain WorkUnit IDs and error codes, never code content or PII.
30-day log retention. Automatic purging after 30 days.
Your GDPR rights
Art. 15: Right of access. Request a copy of the personal data we hold about you.
Art. 16: Right to rectification. Correct inaccurate or incomplete personal data.
Art. 17: Right to erasure. "Right to be forgotten" — have your data deleted.
Art. 18: Right to restriction. Limit how we process your data.
Art. 20: Right to portability. Receive your data in a structured, machine-readable format.
Art. 21: Right to object. Object to processing based on legitimate interests.
Art. 22: Automated decisions. No solely automated decisions with legal or significant effects.
Art. 7(3): Withdraw consent. Withdraw any consent at any time without affecting prior processing.
To exercise any right, email privacy@flownex.dev. We respond within 30 days (extendable by 60 days for complex requests). Verification of identity may be required.
Data residency
Flownex's production backend runs in Fly.io's Frankfurt (fra) region — European Union. Your account data, WorkUnit metadata, and backend logs are stored in the EU.
Some sub-processors may process data in other jurisdictions under Standard Contractual Clauses (SCCs):
Stripe (payment processing) — US/EU, GDPR-compliant, SCCs in place.
Sentry (backend error tracking) — EU region selected; source code never included in error payloads.
A full sub-processor list with data residency information is in our DPA.
International transfers
Where personal data is transferred outside the UK/EEA, we rely on:
Adequacy decisions by the UK government or European Commission, where available.
Standard Contractual Clauses (SCCs) issued by the European Commission, with supplementary measures where required.
Your explicit consent, where none of the above applies.
Breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours and, where required, notify you without undue delay.
Data Protection Officer
Flownex Ltd has not appointed a Data Protection Officer because we do not meet the mandatory thresholds under Article 37 (we are not a public authority and our core activities do not require large-scale systematic monitoring or large-scale processing of special category data). For all data protection questions, contact privacy@flownex.dev.
Complaints
You have the right to lodge a complaint with a supervisory authority. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk). EU residents can lodge a complaint with the supervisory authority in their country of residence.
Related documents
Privacy Policy — what data we collect and how we use it.