Effective: 2026-04-10 · Last updated: 2026-04-10 · Version 0.1 (Draft)
Draft — pending legal review
This document is a working draft. It must be reviewed by qualified legal counsel before Flownex is made publicly available. Do not rely on this text as final legal terms.
Flownex is an Android Studio plugin operated by Flownex Ltd ("Flownex", "we", "us"), a company registered in England & Wales. Our registered address is [REGISTERED ADDRESS — to be filled]. For the purposes of the UK GDPR and EU GDPR, Flownex Ltd is the data controller for personal data processed through the Flownex service.
2. What we collect — and what we don't
What we collect
Account information: your email address, name (optional), password hash (bcrypt), OAuth provider identifier (GitHub or Google, if you sign in that way), tier (Solo / Pro / Team / Enterprise), and the organisation you belong to if any.
Usage metadata: WorkUnit ID (UUID), status (pending, running, verifying, review, done, failed), current node in the workflow graph, retry count, timestamps, execution mode, target framework (Native Android / KMP), and the outcome of each WorkUnit (completed, failed, cancelled).
Billing data: subscription tier, billing email, Stripe customer ID. Card numbers, CVVs, and bank details are processed entirely by Stripe and never reach Flownex's servers.
Support correspondence: emails you send to us and our replies.
Plugin diagnostics (opt-in): anonymised crash reports and performance metrics, only if you enable them in Settings. Off by default.
What we never collect
Your source code. No file contents, diffs, git history, or project structure. Ever. This is an architectural guarantee — the Flownex backend has no endpoint capable of receiving source code.
Your LLM prompts or responses. The Flownex plugin sends code directly to your chosen LLM provider (Gemini, Mistral, Ollama, etc.). Our servers are not in that data path.
Your LLM API keys. Keys are stored exclusively in your operating system's keychain via IntelliJ's PasswordSafe API. They never leave your machine.
Your Jira/Linear/Figma content. Ticket titles and descriptions are fetched from those providers directly by the plugin and passed to your LLM. Flownex's backend does not proxy or store them.
3. How we use your data
We process the personal data listed above to:
Authenticate you and provide access to the Flownex service.
Track WorkUnit usage against your tier's quota (Solo: 10 WorkUnits/month).
Bill you correctly if you are on a paid tier.
Respond to support requests.
Detect and prevent abuse, fraud, and security incidents.
Comply with our legal obligations.
Our legal bases under the UK GDPR are: contract (providing the service you signed up for), legitimate interests (fraud prevention, service improvement), and consent (optional diagnostics).
4. Your code and your LLM provider
Flownex is a BYOK (Bring Your Own Key) tool. When you run a WorkUnit, the plugin sends code and context directly from your machine to the LLM provider you configured (Gemini, Mistral Devstral, DeepSeek, Ollama, OpenRouter, etc.). Flownex Ltd is not a party to that data flow.
This means:
Your LLM provider's privacy policy and terms of service apply to anything the plugin sends to them.
If you use a free-tier LLM that trains on submitted data (for example, Gemini AI Studio free tier), your code may be used by that provider to train their models. Flownex warns you about this in the Privacy Disclosure screen before your first WorkUnit with any such provider.
If you use Ollama locally, your code never leaves your machine at all. This is the default recommendation for Enterprise customers.
We strongly recommend reviewing your chosen LLM provider's data handling policies before running a WorkUnit on proprietary code.
5. Cookies and tracking
The flownex.dev marketing site uses only strictly necessary cookies — session cookies for authenticated admin pages and a CSRF token. We do not use Google Analytics, Facebook Pixel, or other third-party trackers on the public marketing site. We do not serve advertising.
The Flownex Android Studio plugin itself does not set any cookies because it is not a browser application.
6. Who we share data with
We share personal data only with the following sub-processors, each under a data processing agreement:
Account data: retained while your account is active, deleted within 30 days of account closure.
WorkUnit metadata: retained for 90 days for support and debugging, then anonymised.
Backend logs: retained for 30 days maximum, then automatically purged.
Billing records: retained for 7 years as required by UK tax law.
Support correspondence: retained for 3 years from the last message.
8. Your rights
Under the UK GDPR and EU GDPR, you have the right to:
Access the personal data we hold about you.
Rectify inaccurate data.
Erase your data ("right to be forgotten") — subject to legal retention obligations.
Restrict or object to our processing.
Port your data in a machine-readable format.
Withdraw consent at any time (for optional processing).
Complain to the UK Information Commissioner's Office (ico.org.uk) or your local EU data protection authority.
To exercise any of these rights, email privacy@flownex.dev. We will respond within 30 days.
9. Security
We protect your data using TLS 1.3 in transit, AES-256 at rest, bcrypt for password hashing, JWT (RS256) for authentication, and Postgres row-level security. We run a 6-phase penetration test before every major release. For full technical details see our Security page.
10. Children
Flownex is a professional developer tool and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to your account address and in the plugin changelog. Continued use of Flownex after a change constitutes acceptance of the updated policy.