🏭 Flowcell

Privacy Policy

Last updated: 1 March 2026 · Applies to users in the UK and EEA

    We keep this short and plain. We collect only what we need to run the service, we don't sell your data, and you can delete your account at any time.
  

1. Who We Are (Data Controller)

[COMPANY NAME] ("Flowcell", "we", "us") is the Data Controller for personal data processed through flowcell.io.

Registered in England and Wales (Company No. [COMPANY NUMBER])
Registered office: [REGISTERED ADDRESS]
ICO Registration: [ICO REGISTRATION NUMBER]

Privacy contact: [email protected]

2. What We Collect and Why

Data	Why we collect it	Legal basis
Email address	Account login and identification; contacting you about your account	Contract performance
First name, last name	Personalising the product experience	Contract performance
Company name, job title	Understanding how the service is used and tailoring features for business users	Legitimate interests
Password (hashed)	Authenticating your account. We never store your plain-text password.	Contract performance
Simulation saves	Storing and syncing your saved simulation setups across sessions	Contract performance
Session token	Keeping you signed in; enforcing single-session security policy	Contract performance / Legitimate interests
Subscription and plan status	Managing access to paid features; processing payments via Paddle	Contract performance
Account activity timestamps	Security (detecting suspicious activity) and service administration	Legitimate interests

We do not collect browsing behaviour, use third-party tracking pixels, or build advertising profiles.

3. Cookies and Local Storage

Flowcell does not use tracking cookies. We store your session token in your browser's localStorage to keep you signed in. This is strictly necessary for the service to function and does not require your consent under PECR.

We use Cloudflare as our infrastructure provider. Cloudflare may set technical cookies for security and DDoS protection — these are exempt from cookie consent requirements.

4. Who We Share Your Data With

We do not sell your personal data. We share it only with the processors listed below, all of whom are bound by data processing agreements:

Processor	Purpose	Location
Cloudflare, Inc.	Hosting, database (D1), CDN and DDoS protection	USA (adequacy / SCCs)
Paddle.com Market Limited	Payment processing and subscription management (Merchant of Record)	UK / Ireland

Paddle acts as Merchant of Record and is an independent data controller for payment data they collect directly from you at checkout. Please review Paddle's Privacy Policy for details.

5. International Data Transfers

Your data is processed on Cloudflare's global infrastructure which includes data centres in the USA. Cloudflare participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses (SCCs) as a transfer mechanism. For UK users, equivalent UK transfer safeguards apply.

6. How Long We Keep Your Data

Active account data: Retained for as long as your account exists.
After account deletion: Your account and all simulation saves are permanently deleted immediately when you request deletion via the app.
Payment records: Paddle retains payment transaction records as required by their legal obligations (typically 7 years for financial records). Contact Paddle directly for payment data queries.
Inactive accounts: We may delete accounts that have been inactive for more than 24 months, with 30 days' notice to your registered email.

7. Your Rights Under UK GDPR

As a UK resident (or EEA resident under GDPR), you have the following rights:

Right of Access Request a copy of the personal data we hold about you.

Right to Rectification Ask us to correct inaccurate or incomplete data.

Right to Erasure Delete your account and all associated data — available directly in the app via Account → Delete account.

Right to Portability Request your data in a structured, machine-readable format.

Right to Restriction Ask us to restrict processing while a dispute is resolved.

Right to Object Object to processing based on legitimate interests.

To exercise any of these rights, email [email protected]. We will respond within 30 days. The right to erasure is also available instantly by using the "Delete account" option within the app.

Right to Lodge a Complaint

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint. EEA residents may contact their local supervisory authority.

8. Security

We take reasonable technical measures to protect your data:

Passwords are hashed using PBKDF2 with 100,000 iterations — we cannot recover your plain-text password
All data is transmitted over HTTPS (TLS) enforced by Cloudflare
Data at rest is encrypted by Cloudflare's D1 database service
Session tokens are single-use and invalidated on sign-out

No system is completely secure. If you believe your account has been compromised, please contact us immediately at [email protected].

9. Children

Flowcell is a business tool and not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us to have the account removed.

10. Changes to This Policy

We will notify you by email or in-app notice at least 14 days before making material changes to this Privacy Policy. The date at the top of this page indicates when it was last updated.

11. Contact

For privacy enquiries: [email protected]
General enquiries: [email protected]