Privacy Policy
Last updated: March 2, 2026
1. Introduction
Welcome to FlowEngine ("Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, services, and website (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Services.
2. Information We Collect
2.1 Personal Information
We collect information that you voluntarily provide to us when you register for an account, use our Services, or otherwise contact us. This may include:
- Name and contact information (email address, phone number)
- Account credentials (username, password)
- Payment information (processed through third-party payment processors)
- Profile information and preferences
- Communications with us (support requests, feedback)
2.2 Workflow and Usage Data
When you use our Services, we automatically collect and store the following information to provide, maintain, and improve our Services:
- Workflow Data: Complete workflows you create, including all nodes, connections, configurations, credentials, API keys, and any data processed through your workflows
- Conversation Data: All chat conversations with our AI assistant, including prompts, responses, and context
- Usage Analytics: Feature usage, workflow execution history, frequency of use, error logs, performance metrics, and interaction patterns
- Technical Data: IP addresses, browser type, device information, operating system, access times, pages viewed, and clickstream data
- Device Fingerprinting: Browser and device characteristics used to generate a unique identifier for fraud prevention, trial abuse detection, and identifying repeat visitors
- Browser Mode Detection: Detection of private/incognito browsing mode to prevent abuse of free trial offers
- Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar technologies to track activity and store preferences
2.3 Third-Party Service Data
When you integrate third-party services (such as n8n, APIs, or other automation tools) with our platform, we may collect and store authentication credentials, API keys, tokens, and data transmitted through these integrations to facilitate the Services.
3. How We Use Your Information
We use the information we collect for the following purposes, and you expressly consent to such use:
- Service Provision: To provide, operate, maintain, and improve our Services, including workflow generation, AI assistance, and automation features
- Product Development: To analyze usage patterns, develop new features, train and improve our AI models, and enhance user experience
- Machine Learning: Your workflows, conversations, and usage data may be used to train, test, and improve our artificial intelligence and machine learning models. Google user data obtained via Google APIs is explicitly excluded from AI model training and is never used for this purpose.
- Analytics and Research: To understand how users interact with our Services, conduct research, create aggregated statistics, and generate insights
- Communications: To send administrative information, updates, security alerts, technical notices, and marketing communications
- Security and Abuse Prevention: To detect, prevent, and address fraud, security issues, technical problems, abuse of free trial offers, and violations of our Terms of Service
- Legal Compliance: To comply with legal obligations, respond to lawful requests, and protect our rights and interests
- Business Operations: For internal business purposes including auditing, data analysis, and quality assurance
4. Open Source and Licensed Software
4.1 Use of n8n and Other Open Source Software
Our Services integrate with and utilize n8n, an open-source workflow automation tool, and other open-source software components. We comply with all applicable open-source licenses, including but not limited to:
- The n8n Sustainable Use License and n8n Enterprise License as applicable to our use case
- Attribution requirements for all open-source components
- Distribution and modification terms as specified in respective licenses
4.2 User License Grant
By using our Services, you grant FlowEngine a worldwide, non-exclusive, royalty-free license to:
- Use, reproduce, modify, adapt, publish, and distribute your workflows, data, and content for the purposes described in this Privacy Policy
- Create derivative works and improvements based on user-generated workflows and data
- With your consent, incorporate user data and workflows into our AI training datasets and models (you may opt-out at any time). Google user data obtained via Google APIs is never incorporated into AI training datasets, regardless of consent.
- Anonymize, aggregate, and use your data for analytics, research, and product development
For EU/EEA users: This license is subject to your GDPR rights. You may withdraw consent or exercise your right to erasure at any time by contacting our Data Protection Officer. Upon valid request, we will cease processing your personal data and delete it in accordance with Section 6.
For non-EU users, this license survives termination of your account unless you exercise applicable data protection rights under your local laws.
4.3 Third-Party Service Integration
When you use our Services with self-hosted or third-party instances of n8n or other automation tools, you acknowledge that we may access, collect, and process data from these instances to provide our Services. We are not responsible for the privacy practices of third-party services you integrate with our platform.
5. Data Sharing and Disclosure
We may share your information in the following circumstances:
- Service Providers: With third-party vendors, contractors, and service providers who perform services on our behalf (cloud hosting, analytics, payment processing, AI/ML services)
- AI and ML Partners: With artificial intelligence and machine learning service providers (including but not limited to OpenAI, Anthropic, and other LLM providers) to provide and improve our Services. Google user data obtained via Google APIs is not transferred to AI/ML service providers and is never shared for this purpose.
- Business Transfers: In connection with any merger, sale of company assets, financing, acquisition, or transfer of all or a portion of our business
- Legal Requirements: When required by law, court order, or government request, or to protect our rights, property, or safety
- Consent: With your explicit consent or at your direction
- Aggregated Data: We may share anonymized, aggregated, or de-identified data that cannot reasonably be used to identify you
6. Data Retention
We retain your personal information and usage data for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy. After account deletion or termination:
- Your personal data will be deleted within 30 days of your request, except where retention is required by law
- Backup copies of your data may persist in our systems for up to 90 days, after which they are permanently deleted
- Anonymized or aggregated data that cannot be used to identify you may be retained for analytics and research purposes
- For EU/EEA users: We will not use your data for AI model training after you exercise your right to erasure or object to processing
- We may retain certain information as necessary for legal compliance, dispute resolution, and enforcement of our agreements, with retention periods not exceeding what is strictly necessary
7. Data Security
We implement reasonable administrative, technical, and physical security measures to protect your information. However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
You acknowledge and accept the inherent security risks of transmitting data over the Internet and storing data electronically. You agree that we have no liability for any unauthorized access, disclosure, alteration, or loss of your data.
8. Your Rights and Choices
Depending on your jurisdiction, you may have certain rights:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information (subject to legal and operational limitations)
- Opt-Out: Opt-out of marketing communications (note: you cannot opt-out of service-related communications)
To exercise these rights, contact us at [email protected]. We will respond within the timeframes required by applicable law.
For EU/EEA/UK users: Your rights under GDPR are absolute and cannot be waived. We will honor all valid erasure requests in accordance with Article 17 of the GDPR, subject only to the exceptions provided by law.
Note: Truly anonymized data (which cannot be linked back to you) may be retained for analytics purposes, as it no longer constitutes personal data under GDPR.
9. International Data Transfers
Our Services are operated from the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For EU/EEA/UK users: We transfer your personal data outside the European Economic Area using the following safeguards:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with our service providers and partners
- Adequacy Decisions: Where applicable, we transfer data to countries that have received an adequacy decision from the European Commission
- Supplementary Measures: We implement additional technical and organizational measures to ensure your data remains protected
You may request a copy of the safeguards we use for international transfers by contacting our Data Protection Officer at [email protected].
10. Children's Privacy
Our Services are not intended for children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, and services. This Privacy Policy does not apply to such third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies before providing any information.
12. Google API Services Disclosure
FlowEngine integrates with Google APIs to enable workflow automation with Google Workspace services (Gmail, Google Drive, Google Sheets, Google Calendar, and Google Docs).
12.1 Limited Use Requirements
FlowEngine's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
12.2 Data Handling Practices
When you connect your Google account to FlowEngine workflows:
- Scope of Access: We only request access to the specific Google services needed for your workflows (e.g., sending emails, managing calendar events, accessing Drive files).
- Data Storage: OAuth tokens are encrypted and stored securely in your isolated n8n instance. We do not have access to your Google data unless explicitly required for workflow execution.
- Data Usage: Google data accessed through workflows is used solely to execute your automation workflows. We do not use Google user data for advertising, AI model training, or any purposes unrelated to your workflows.
- Data Transfer: Google data is only transferred to services you explicitly configure in your workflows (e.g., sending an email attachment to Slack). We do not sell or share Google user data with third parties.
- User Control: You maintain full control over which workflows can access your Google data. You can revoke FlowEngine's access to your Google account at any time through your Google Account permissions page.
12.3 Security Measures
We implement industry-standard security measures to protect your Google data:
- OAuth tokens are encrypted at rest and in transit
- Each user has an isolated n8n instance with separate credentials
- Credentials are never shared between users or instances
- Access is logged and monitored for suspicious activity
- We comply with Google's security assessment requirements
12.4 Your Google Data Rights
You retain all rights to your Google data. FlowEngine acts as a data processor when accessing your Google information. To exercise your rights or revoke access:
- Visit Google Account permissions to revoke FlowEngine's access
- Delete your FlowEngine workflows that use Google credentials
- Contact [email protected] to request deletion of stored credentials
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information (subject to exceptions)
- Right to opt-out of the sale of personal information
- Right to non-discrimination for exercising your privacy rights
Notice of Sale: We may share data with third parties in a manner that could be considered a "sale" under CCPA. To opt-out, email [email protected] with subject line "Do Not Sell My Personal Information".
14. GDPR Rights (European Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access, rectify, and erase your personal data
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
Legal Basis for Processing: We process your data based on:
- Consent (Article 6(1)(a)): For AI model training and marketing communications — you may withdraw consent at any time
- Contract Performance (Article 6(1)(b)): To provide and maintain our Services as agreed
- Legitimate Interests (Article 6(1)(f)): For security, fraud prevention, and service improvement, balanced against your rights
- Legal Obligations (Article 6(1)(c)): To comply with applicable laws and regulations
Data Protection Officer: For any GDPR-related inquiries or to exercise your rights, contact our Data Protection Officer at [email protected].
EU Representative: If required under Article 27 of the GDPR, our EU representative can be contacted at [email protected].
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
15. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of our Services after changes constitutes acceptance of the updated Privacy Policy.
16. Limitation of Liability
To the maximum extent permitted by law, FlowEngine and its affiliates, officers, directors, employees, agents, and licensors shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, or use, arising out of or related to this Privacy Policy or your use of the Services, even if we have been advised of the possibility of such damages.
You expressly waive any claims against FlowEngine arising from our collection, use, or disclosure of your data as described in this Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
18. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions.
For EU/EEA/UK users: Nothing in this Privacy Policy affects your rights under the GDPR or other applicable data protection laws. Where there is a conflict between this Privacy Policy and the GDPR, the GDPR shall prevail. You may bring legal proceedings in the courts of your country of residence.
For all other users, you agree to submit to the exclusive jurisdiction of the courts located in Delaware, United States, for the resolution of any disputes.
Acceptance of This Privacy Policy
By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not access or use our Services.
You specifically acknowledge and consent to our collection, use, and sharing of your workflows, conversation data, and usage information as described herein, including for AI model training and product improvement purposes.