Legal

Privacy policy

Last updated: June 10, 2026

1. Data controller

The controller of your personal data is Flows (the "Provider"). For questions about how we handle your data, email us at privacy@rnflows.com.

2. What data we process

We process the following categories:

  • Account data: name, email, password (hashed), optional profile picture, language.
  • Workspace data: name, slug, plan, invited members.
  • Usage data: activity logs, audit log of changes, IP addresses, browser identifiers.
  • Billing data: handled by Stripe (we do not store card numbers on our servers).
  • Application data: the data you upload to your modules. We treat it as Customer Data under the Terms and, where applicable, the DPA.

3. Purposes of processing

  • Deliver the Service and keep it running.
  • Process payments and issue invoices.
  • Communicate with you about your account, support and changes to the Service.
  • Prevent fraud, abuse and Terms violations.
  • Comply with legal obligations (accounting, tax, judicial).
  • Improve the product based on aggregated, anonymous metrics.

5. Subprocessors

We use third parties to operate parts of the Service. Each one acts as a subprocessor under our instructions:

  • AWS (application and database hosting, regions us-east-1 and eu-west-1).
  • Cloudflare R2 (file storage).
  • Stripe (payment processing and billing).
  • Resend (transactional email).
  • OpenAI (schema inference from spreadsheets and natural language).
  • Sentry and PostHog (observability and anonymous usage analytics).

The updated list is published here. We will give reasonable prior notice before adding a new subprocessor.

6. Retention

We keep data while the account is active and for the term required to comply with our legal obligations. After termination, Customer Data is deleted after 30 days; accounting data is kept for the term required by applicable tax law.

7. Your rights

Under applicable law (GDPR, LGPD, LFPDPPP, others), you can exercise rights of access, rectification, erasure, objection, restriction and portability. To exercise them, email us at privacy@rnflows.com stating which right you want to exercise.

We respond within 30 calendar days.

8. International transfers

Some subprocessors process data outside your country of residence. These transfers use standard contractual clauses or equivalent mechanisms that ensure an adequate level of protection.

9. Security

We apply reasonable technical and organizational measures to protect your data: encryption in transit and at rest, per-workspace isolation, role-based access control, and audit logs. More detail at /en/security.

10. Changes to this policy

We may update this policy to reflect changes in the Service or applicable law. Material changes are notified by email to the workspace owner or via in-product notice.

Legal questions? Email us at hola@rnflows.com.

Start building today

Create your workspace in minutes. No credit card, nothing to install.