Privacy Policy
Last updated: 17th December 2025
1. Introduction
This Privacy Policy describes how FlowstepDesign OÜ processes personal data when you access or use the Flowstep platform available at www.flowstep.ai, including any related applications, features, and services (the “Platform”).
This Policy applies to all users of the Platform (“User”, “you”), whether acting as a natural person or on behalf of a legal entity.
The controller of personal data is:
FlowstepDesign OÜ
Registry code: 16706771
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Liivalaia tn 36, 10132, Estonia
Email: hello@flowstep.ai
Flowstep processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable laws of the Republic of Estonia.
2. Categories of Personal Data
Flowstep may process the following categories of personal data:
- Account data: name, email address, avatar, company name, role, account identifiers
- Billing and payment data: billing name, address, VAT ID, company registry code, invoice email, subscription details (payment card data is processed by Stripe as an independent controller)
- User content: prompts, designs, diagrams, images, PDFs, text, files, projects, and other materials created, uploaded, or shared on the Platform
- Usage and interaction data: feature usage, message counts, interactions with generated outputs
- Technical data: IP address, device type, browser information, operating system, country-level location
- Analytics and telemetry data: usage events and performance metrics
- Support communications: emails and other communications with Flowstep
- Marketing data: contact details and consent status
3. Purposes and Legal Bases of Processing
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and management | Account data | Performance of contract (Art. 6(1)(b)) |
| Provision of the Platform | Account data, User content, Usage data | Performance of contract (Art. 6(1)(b)) |
| AI-based generation of outputs requested by the User | Prompts, uploaded files, references to canvas designs | Performance of contract (Art. 6(1)(b)) |
| Collaboration and sharing | Account data, User content | Performance of contract (Art. 6(1)(b)) |
| Billing and accounting | Billing data | Legal obligation (Art. 6(1)(c)) |
| Customer support | Support communications | Performance of contract (Art. 6(1)(b)) |
| Product improvement | Aggregated usage and feedback | Legitimate interest (Art. 6(1)(f)) |
| Analytics | Technical and analytics data | Consent where required (Art. 6(1)(a)) |
| Marketing communications | Marketing data | Consent (Art. 6(1)(a)) |
| Legal compliance | Relevant data | Legal obligation or legitimate interest |
4. AI Processing
Flowstep uses third-party AI model providers to generate outputs requested by Users.
For this purpose, Flowstep may process:
- User prompts,
- uploaded files (such as images and PDFs), and
- contextual information, including references to designs on the User’s canvas.
This data is processed solely to provide the requested functionality. Flowstep does not use personal data to train AI models and does not permit its AI providers to do so. Flowstep may use aggregated and anonymised feedback to improve its services.
AI model providers process data in accordance with their own data protection obligations. Flowstep remains responsible only for its own processing activities as data controller.
5. Sharing, Collaboration, and Administrative Access
The Platform enables collaboration and content sharing.
- Users may invite other Users to access files or workspaces.
- File owners may share content via public links for viewing.
- Workspace administrators may access content within their workspace by default.
Access by workspace administrators is determined by the account owner or organisation and does not constitute independent processing by Flowstep.
Users are responsible for managing sharing settings and access permissions.
6. Subprocessors and International Transfers
Flowstep uses third-party service providers (subprocessors) to operate and support the Platform.
An up-to-date list of subprocessors, including their purpose and links to their data protection documentation, is available here.
Some subprocessors may process personal data outside the European Economic Area. In such cases, Flowstep ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
7. Cookies, Analytics, and Advertising
Flowstep uses cookies and similar technologies for essential functionality, analytics, and marketing purposes. Where required by applicable law, such technologies are used based on the User’s consent.
Flowstep may use online advertising services, including services that enable the display of advertisements based on Users’ interests or interactions with the Platform (such as interest-based or targeted advertising). This may involve the use of cookies or similar technologies provided by advertising partners.
Where required by law, such advertising-related processing is carried out only with the User’s consent, which can be managed via the cookie banner or other consent management tools made available on the Platform.
Users may withdraw or modify their consent at any time through cookie settings or browser controls.
8. Retention of Personal Data
Flowstep retains personal data only for as long as necessary for the purposes described in this Policy:
- Account data: until account deletion, then deleted without undue delay and in any event within 30 days
- User content: until deleted by the User or account deletion
- Billing and accounting data: 7 years (legal obligation)
- Support communications: until account deletion
- Marketing data: until consent is withdrawn
- Logs, telemetry, and analytics data: retained for limited periods, generally no longer than necessary for security, debugging, and performance analysis
- Backups: retained for up to 7 days and rotated; data may persist until overwritten
Aggregated or anonymised data may be retained indefinitely.
9. Deletion of Accounts
Users may initiate account deletion via the Platform or by contacting Flowstep.
Personal data is deleted or anonymised without undue delay and in any event within 30 days. Residual data may persist temporarily in logs or backups until rotation. Data required by law (e.g. accounting records) is retained as required.
10. Data Subject Rights
Users have all rights provided under GDPR, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
Requests may be submitted to hello@flowstep.ai. Flowstep may request additional information to verify identity before responding.
Users may lodge complaints with the Estonian Data Protection Inspectorate (AKI).
11. Security
Flowstep implements appropriate technical and organisational measures to protect personal data.
12. Children
The Platform is not directed to children under the age of 16. Flowstep does not knowingly process personal data of children under 16. If identified, such data will be deleted without undue delay.
13. Changes
Flowstep may update this Policy from time to time. Material changes will be communicated via the Platform or email.