Privacy Policy
Last updated: May 18, 2026
At Flowly, we take your privacy seriously. This policy explains what data we collect, why, and how you stay in control.
1. Data controller
The data controller for personal data is Flowly, based in France.
For any privacy-related question, reach us at support@myflowly.co.
2. Data we collect
We only collect what's necessary for the service to work:
- Account data: email address, first name or alias, Apple Sign-In identifier (if you use "Sign in with Apple").
- Habit data: goals, habits you create, completion history, streaks.
- Onboarding data: declared emotional state, past experience with routines, daily available time, preferred progression style, support preference.
- Subscription data: subscription status, transaction identifiers (Apple App Store, Google Play). We never receive your payment card number.
- Technical data: push notification token, language and theme preferences, device model and OS version (for diagnostics).
- Usage data: interactions with the app (screens opened, actions), timestamps, to improve the product.
3. How we collect this data
- Directly: when you create an account, complete onboarding, or use the app.
- Via Apple Sign-In: if you choose this sign-in method, we receive an anonymous identifier and, depending on your choice, your email (real or Apple relay).
- Automatically: non-identifying technical information (device type, system language) while you use the app.
4. Why we process this data
- To provide and maintain the Flowly service.
- To generate your personalized routines via AI.
- To send the notifications you've enabled.
- To understand aggregated app usage and improve the product.
- To handle support requests.
- To manage subscriptions and payments (via Apple and Google).
5. Legal basis (GDPR)
- Performance of a contract: to provide the service you subscribed to.
- Consent: for push notifications and sensitive data (emotional state).
- Legitimate interest: to improve the service and prevent abuse.
- Legal obligation: to retain transaction records.
6. Third-party services and processors
Flowly is a small team. To deliver the app we rely on a short list of carefully selected processors that handle data on our behalf under a Data Processing Agreement (DPA). We never sell your data. Each service applies its own privacy policy in addition to the protections described here:
- Supabase, Inc. (United States — hosting and database). Stores your account email, profile, goals, habits, completion history, streaks and AI generation history in a PostgreSQL instance hosted in the European Union. Legal basis: performance of the contract (Art. 6(1)(b) GDPR). DPA and Standard Contractual Clauses in place. https://supabase.com/privacy
- OpenAI, L.L.C. (United States — AI habit generation and weekly coaching reports). When you create a goal or request an AI-generated plan, we send the inputs needed to personalize it — goal title, goal description, anchor habits you have chosen, and onboarding answers such as time availability and motivation — to OpenAI's API so it can return a routine. OpenAI does not use API content to train its models. No data is sent to OpenAI for users who never trigger an AI feature. The disclosure is also shown in-app the first time AI generation runs. Legal basis: performance of the contract (Art. 6(1)(b) GDPR). DPA and Standard Contractual Clauses in place. https://openai.com/enterprise-privacy
- PostHog Inc. (EU region — eu.i.posthog.com — product analytics). Receives anonymous usage events (screen views, button taps, drop-off points) so we can understand how the app is used and improve it. We do not send your email, password, goal titles or habit content to PostHog. You can opt out at any time in Settings → Privacy & Data → Opt out of analytics. Legal basis: legitimate interest in product improvement (Art. 6(1)(f) GDPR), with the in-app opt-out as your right to object (Art. 21 GDPR). https://posthog.com/privacy
- Apple (Sign in with Apple, StoreKit, push notifications). https://www.apple.com/legal/privacy/
- Expo (builds, OTA updates, push notification routing). https://expo.dev/privacy
7. Data retention
Your data is retained as long as your account is active.
If you delete your account, all personally identifiable data is deleted within 30 days. Some anonymized data may be retained for statistical purposes, and some transaction records may be retained to meet our legal obligations (accounting, tax).
8. International transfers
Your data is hosted by Supabase on servers located in the European Union and/or the United States. Non-EU transfers are covered by Standard Contractual Clauses (SCCs) as required by the GDPR.
9. Your rights (GDPR — EU users)
If you reside in the European Union, you have the following rights:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten").
- Portability of your data in a structured format.
- Restriction of processing.
- Objection to processing based on legitimate interest.
- Withdrawal of consent at any time.
- Lodging a complaint with a supervisory authority (in France: CNIL — https://www.cnil.fr).
To exercise your rights, email us at support@myflowly.co. We respond within 30 days.
10. Your rights (CCPA/CPRA — California residents)
If you reside in California, you additionally have the following rights:
- Right to know what personal data is collected and how it's used.
- Right to delete your personal data.
- Right to correct inaccurate data.
- Right to opt out of the sale or sharing of your data (Flowly does not sell or share your data for advertising purposes).
- Right to non-discrimination for exercising these rights.
11. Sensitive data
Some information you provide (emotional state, wellness goals) may be considered sensitive. It's used solely to personalize your routines. It's never shared with third parties for commercial purposes and is not used to train public AI models. Processing relies on your explicit consent, which you can withdraw at any time by deleting your account.
12. Minors
Flowly is not intended for users under 16. We do not knowingly collect data from minors under 16. If you believe a minor has provided us with data, contact us at support@myflowly.co for deletion.
13. Push notifications
If you enable notifications, we store an opaque token provided by Apple or Google to deliver the reminders you've configured. This token doesn't allow us to identify you personally. You can disable notifications any time in your device settings or in the app.
14. Microphone & voice input
Flowly uses your device's microphone for voice input (speech-to-text) when you choose to dictate a goal description. Audio is processed in real time on your device using native platform APIs (SFSpeechRecognizer on iOS, SpeechRecognizer on Android).
No audio recording is stored, sent to our servers, or retained after transcription. The resulting text is used solely to fill in the goal description field.
You activate the microphone manually each time — Flowly never listens in the background. The RECORD_AUDIO permission can be revoked at any time in your device settings.
15. Calendar access
Flowly may request access to your device calendar (Apple Calendar or Google Calendar). This access is used exclusively to analyze your busy time slots and suggest the best times for your habits.
No calendar events are copied, stored, or sent to our servers. The analysis is performed locally on your device.
Calendar access is entirely optional — the app works normally without it. You can revoke the permission at any time in your device settings.
16. Speech recognition
Voice input relies on your operating system's built-in speech recognition services (Apple Speech Recognition on iOS, Google Speech Services on Android). Flowly does not handle or process audio directly — the operating system does.
Apple's and Google's respective privacy policies apply to the system-level voice processing. Flowly only receives the transcribed text, never the raw audio.
17. Security
All communication between the app and our servers is encrypted via HTTPS (TLS). Data is stored securely with Supabase (Row Level Security enabled). On iOS, sensitive local information is stored via SecureStore (Keychain). No system is bulletproof, but we follow recognized industry standards.
18. Changes to this policy
We may update this policy to reflect product or legal changes. For material changes, we'll notify you by email or via an in-app notice before the changes take effect.
19. Contact us
For any question, rights request, or complaint, email us at support@myflowly.co. We aim to respond within 30 days.