Flowzart
Legal · Effective 2026-05-06

Privacy Policy

How Flowzart collects, uses, shares, retains, and protects your personal data, including the records we keep of your watt-hour consumption.

On this page

  1. Introduction
  2. Who is responsible
  3. Scope of this policy
  4. Personal data we collect
     • Account data
     • Billing & energy-consumption data
     • Workflow & content data
     • Communication data
     • Technical & usage data
     • Marketing data
  5. Sources of personal data
  6. How we use personal data
  7. Sharing & disclosure
  8. AI / ML training
  9. International transfers
  10. Retention
  11. Security
  12. Your rights (EEA / UK)
  13. California privacy rights
  14. Regional supplements
  15. Cookies & tracking
  16. Children
  17. Changes to this policy
  18. How to contact us

1. Introduction

This Privacy Policy explains how Royal Technology Limited (“Flowzart”, “we”, “our”, “us”) collects and uses personal data when you visit our website, sign up for an account, or use the Flowzart platform (the “Service”).

We have written this policy to be readable. Where we use defined terms (for example “Personal Data” as used in the EU/UK GDPR), they have the meanings given in applicable data-protection law.

2. Who is responsible

The data controller for personal data processed about you in connection with the Service is Royal Technology Limited, a company registered in Bulgaria (company number 203253637, VAT number BG203253637), with registered office at Mladost 122, Varna 9020, Bulgaria.

For privacy questions, including to exercise your rights under this policy, contact us at [email protected]. EEA / UK residents may also contact our representative at [EU/UK REPRESENTATIVE; if applicable].

3. Scope of this policy

This policy applies to personal data we process as a controller: for example, when you create an account, browse our marketing site, or contact us. It does not apply to personal data we process as a processor on your instructions when you use the Service to run workflows. That processing is governed by our Data Processing Addendum.

Linked third-party websites and services (for example, the SaaS platforms you connect to your workflows) are governed by their own privacy policies, not this one.

4. Personal data we collect

We collect the following categories of personal data:

Account data

Name, email address, password (stored only as a salted hash), organisation name, role, profile picture (if you upload one), authentication identifiers from third-party identity providers (e.g. Google, GitHub), and the workspaces and projects you are a member of.

Billing & energy-consumption data

Billing address, tax identifiers (where applicable), and a tokenised reference to the payment instrument held by our payment processor; we do not see or store full card numbers. We also keep:

  • Energy-consumption records: for each workflow run, the number of watt-hours (Wh) and kilowatt-hours (kWh) consumed across the four Flowzart-side resource categories (compute, memory, network traffic, and storage), the time of the run, and which workflow / node types contributed to the consumption. Energy-consumption records do not include amounts charged by third parties for services you call from your workflows (for example, language-model API tokens or webhook destinations); those are billed directly by the third party against your own credentials, as described in the Terms of Service section 5.1;
  • PAYG Bundle ledgers: the date of purchase, total Wh purchased, the Wh remaining, and the bundle's one-year expiry date;
  • Subscription cycle records: your plan, the start and end of each billing cycle, the Subscription Allowance issued, and the Allowance consumed in that cycle (the unconsumed remainder is forfeit at cycle reset and is not retained as a usable balance, only as an audit record); and
  • invoice history, payment status, refund history, and other transaction metadata.

Workflow & content data

The workflows you build, the configuration of their nodes, the credentials and connection details you choose to store with us, and any data that flows through your workflows when they run. To the extent this content includes personal data of your end users, employees, or contacts, you are the controller of that data and we process it on your behalf as a processor under our DPA.

Communication data

The content of messages you send to support, sales, or our community channels, plus any attachments, screenshots, or logs you choose to share.

Technical & usage data

IP address, device type, operating system, browser, language, referring page, the pages and features you use within the Service, error logs, performance telemetry, and similar diagnostic information. We may also collect data through cookies and similar technologies (see section 14).

Marketing data

Your communication preferences (e.g. whether you have opted in to product updates), your responses to surveys, and engagement metrics from emails we send you (e.g. whether an email was opened or a link clicked).

5. Sources of personal data

We collect personal data from three sources:

  • From you: directly, when you fill in forms, send us messages, or use the Service;
  • Automatically: when you interact with our website, our application, or our APIs (cookies, log files, telemetry); and
  • From third parties: for example, identity providers you authenticate with, our payment processor, fraud-prevention vendors, and publicly available business directories used for sales outreach.

6. How we use personal data

We process personal data for the purposes set out below. Where the EU / UK GDPR (or equivalent law) applies, we have indicated the lawful basis we rely on:

| Purpose | Lawful basis |
|---|---|
| To provide, operate, and secure the Service, including authentication, workflow execution, and metering of energy consumption | Performance of a contract |
| To bill you, take payment, issue invoices, and resolve billing disputes | Performance of a contract; legal obligation (tax/accounting records) |
| To respond to your support requests and other communications | Performance of a contract; legitimate interests (operating support) |
| To monitor for abuse, fraud, and security incidents, and to investigate them | Legitimate interests (protecting the Service); legal obligation |
| To improve the Service: diagnose bugs, measure feature usage, prioritise the roadmap | Legitimate interests (improving the Service) |
| To send you product announcements you have opted in to, and to measure engagement | Consent (you can withdraw at any time) |
| To comply with legal obligations, respond to lawful requests, defend legal claims, and protect our rights | Legal obligation; legitimate interests (defending claims) |

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms. You can object to such processing; see section 12.

7. Sharing & disclosure

We share personal data with:

  • Sub-processors who help us run the Service (cloud hosting, payment processing, email and notification delivery, customer support, error monitoring, analytics). They process personal data on our instructions, under written contracts that require them to protect it. The current list is in our DPA;
  • Third-party services you connect: when you choose to connect a Third-Party Service to a workflow, data flows to that service per your configuration. We are not responsible for what that service does with the data once it receives it;
  • Professional advisers (lawyers, accountants, auditors, insurers) under confidentiality obligations;
  • Authorities and courts: where required by law, lawful process, or to protect our or others' rights;
  • In a corporate transaction: if we are involved in a merger, acquisition, or sale of assets, personal data may be transferred to the counter-party, subject to equivalent protections; and
  • With your consent, for any other purpose disclosed at the time we ask.

We do not sell your personal data.

8. AI / ML training

We do not use Customer Content (the workflows you build and the data that flows through them) to train Flowzart's or any third party's generalised AI or machine-learning models, except where you have given specific, opt-in consent for a particular feature.

We may use de-identified, aggregated technical and usage data (for example, anonymised feature-usage counters) to improve the Service.

9. International transfers

We are based in Bulgaria. Customer data is processed on Flowzart-operated infrastructure in the United Kingdom, Bulgaria, and Germany. Transfers between the EEA and the United Kingdom are covered by mutual adequacy decisions. When we transfer personal data to a country outside these jurisdictions that is not the subject of an adequacy decision, we rely on appropriate safeguards, including:

  • the European Commission's Standard Contractual Clauses (Decision 2021/914) and the UK's International Data Transfer Addendum (or the UK IDTA) where applicable;
  • the EU-U.S. Data Privacy Framework, the Swiss-U.S. DPF, and the UK Extension where the recipient is a self-certified participant; and
  • supplementary technical and organisational measures, such as encryption in transit, access controls, and contractual restrictions on government-access requests.

You can request a copy of the safeguards in place for a specific transfer by contacting us at [email protected].

10. Retention

We keep personal data only for as long as we need it for the purposes set out in this policy, unless a longer retention period is required by law or to defend legal claims. Our default retention periods are:

| Data category | Retention period |
|---|---|
| Account data | For the life of the Account, plus a 30-day grace period after closure for export. |
| Workflow & content data | Per your deletion instructions; otherwise deleted on Account closure (subject to backup-rotation cycles). |
| PAYG Bundle ledger entries | Until the bundle's one-year expiry date, plus the statutory minimum required for tax/accounting in the relevant jurisdiction (typically 6–10 years). |
| Subscription cycle records & invoices | For the duration of the subscription, plus the statutory minimum required for tax/accounting (typically 6–10 years). |
| Communication data (support tickets etc.) | For the period needed to operate support and resolve disputes; typically up to 3 years from last contact. |
| Marketing data | Until you withdraw consent or are inactive for 24 consecutive months, whichever is earlier. |
| Server logs, security logs | Up to 12 months for security and abuse-investigation purposes. |

Where we have anonymised data so that it can no longer identify you, we may retain and use it indefinitely for analytics and product-improvement purposes.

11. Security

We use a combination of technical, organisational, and physical measures designed to protect personal data, including encryption in transit (TLS 1.2+), role-based access control, multi-factor authentication for personnel with access to production, and continuous monitoring. We describe these in more detail in our Security Policy.

12. Your rights (EEA / UK)

If the EU GDPR or UK GDPR applies to your personal data, you have the following rights:

  • Access: to request a copy of the personal data we hold about you;
  • Rectification: to correct any personal data that is inaccurate or incomplete;
  • Erasure: to ask us to delete your personal data, in the circumstances set out in Article 17 GDPR;
  • Restriction: to ask us to restrict the processing of your personal data while we look into a request you have made;
  • Portability: to receive a machine-readable copy of certain personal data, or to ask us to transmit it to another controller;
  • Objection: to object to processing based on our legitimate interests, including profiling for direct-marketing purposes;
  • Withdraw consent: for any processing where we relied on your consent, at any time, without affecting the lawfulness of past processing; and
  • Complain to a supervisory authority: your local data-protection authority. EEA residents can find the relevant authority via the European Data Protection Board; UK residents can complain to the Information Commissioner's Office; Royal Technology Limited's lead supervisory authority is the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни), which any data subject may also approach.

To exercise any of these rights, email [email protected]. We will respond within one month, or tell you why we need longer (up to two further months for complex requests). We do not charge for honouring your rights, except where requests are manifestly unfounded or excessive.

13. California privacy rights

If you are a resident of California, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the following rights with respect to personal information about you:

  • To know what personal information we collect, use, disclose, and retain;
  • To delete the personal information we have collected from you, subject to certain exceptions;
  • To correct inaccurate personal information we hold about you;
  • To opt out of "sale" or "sharing" of your personal information for cross-context behavioural advertising. We do not sell or share your personal information as those terms are defined under the CCPA;
  • To limit the use of sensitive personal information beyond purposes permitted by law; and
  • To non-discrimination for exercising these rights.

To exercise these rights, email [email protected] or use the request form linked from our website footer. We will verify your request using information already associated with your Account. You may use an authorised agent, who must provide written permission from you and verify their own identity.

14. Regional supplements

If you are a resident of one of the regions below, the following supplemental disclosures apply in addition to the rights described above. Where a region we currently serve is not listed, please contact us at [email protected] for guidance on local rights.

EEA / UK

In addition to the rights described in section 12, you can lodge a complaint with your local data-protection authority. Where required, our Article 27 GDPR / UK GDPR representative can be reached at [EU/UK REPRESENTATIVE; if applicable].

Brazil (LGPD)

If you are a data subject in Brazil under the Lei Geral de Proteção de Dados, you have rights of access, correction, anonymisation, blocking or deletion, portability, information about sharing, and revocation of consent. To exercise them, contact [email protected]. Our Brazilian representative, where required, is [BRAZIL REPRESENTATIVE; to confirm at Brazilian launch].

South Korea (PIPA)

If you are a data subject in the Republic of Korea under the Personal Information Protection Act, you have rights of access, correction, deletion, and suspension of processing. To exercise them, contact [email protected]. Our Korean representative, where required, is [KOREA REPRESENTATIVE; to confirm at Korean launch].

Canada (PIPEDA)

If you are a resident of Canada, you have rights of access and correction of personal information we hold about you under the Personal Information Protection and Electronic Documents Act and applicable provincial laws. To exercise them, contact [email protected]. You can also escalate concerns to the Office of the Privacy Commissioner of Canada.

15. Cookies & tracking

We and our service providers use cookies and similar technologies on our website and within the Service. We use:

  • Strictly necessary cookies for authentication, session management, and security. These cannot be turned off without breaking the Service;
  • Functional cookies that remember preferences such as your theme or language;
  • Analytics cookies that help us understand how the Service is used. We only set non-essential cookies after you give consent through our cookie banner; and
  • Marketing cookies on our marketing pages, for measuring the effectiveness of campaigns. You can opt out at any time via the cookie banner or your browser settings.

We honour the Global Privacy Control (GPC) signal where it is sent by your browser.

16. Children

The Service is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it.

17. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Effective” date at the top and, where the change is material, give you reasonable notice (by email or through the Service) before the change takes effect. Past versions of the policy are available on request.

18. How to contact us

For questions about this policy, to exercise any of your rights, or to raise a concern, contact us at:

  • Email: [email protected]
  • Post: Royal Technology Limited, Mladost 122, Varna 9020, Bulgaria, attn. Privacy Team

Effective: 2026-05-06 · v1.0

© 2026 Royal Technology Limited · Compose workflows like a maestro. Varna · Bulgaria