
Privacy Policy

Last updated: May 27, 2026

Effective date: May 27, 2026

1. Introduction

This Privacy Policy describes how Gabriele Merigo, an individual operating as a sole proprietor based in Turin, Italy ("Flowo", "we", "us", or "our"), collects, uses, processes, discloses, and protects your personal data when you use the Flowo web application, accessible at www.flowospace.com (the "Service").

We are committed to protecting your privacy and complying with applicable data protection laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Italian Personal Data Protection Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Brazilian General Data Protection Law ("LGPD"), and other applicable privacy laws.

By using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

Gabriele Merigo
Turin, Italy
Email: privacy@flowospace.com

For any matters relating to your personal data or this Privacy Policy, you may contact us using the details above.

3. Personal Data We Collect

3.1 Data You Provide Directly

  • Account information: email address, name, profile picture (when signing in with Google), password (hashed if using email/password authentication).
  • Profile data: any information you choose to add to your profile, including preferences and settings.
  • User-generated content: habits, tasks, reading entries, budget entries (income and expenses categories you create), weekly goals, notes, calendar events, and any other content you create or store in the Service.
  • Communications: messages you send us via email or support channels.
  • Payment information: when you subscribe to a paid plan, payment is processed by Lemon Squeezy, our payment processor (see Section 5). We do not store your full payment card details on our servers; we receive limited information such as your name, billing country, the last four digits of your card, and subscription status.

3.2 Data Collected Automatically

  • Usage data: pages visited, features used, click events, time spent on the Service, referring URL, collected via PostHog (EU cloud) for product analytics.
  • Device and technical data: IP address, browser type and version, operating system, device type, screen resolution, language preferences, time zone.
  • Cookies and similar technologies: see Section 11 and our Cookie Policy.
  • Log data: error logs, request logs, performance metrics, generated by Vercel (our hosting provider).

3.3 Data from Third-Party Integrations

If you connect your Google account to enable Google Calendar or Google Tasks synchronization, we receive:

  • Read and write access to your Google Calendar events (only events created or synced by Flowo)
  • Read and write access to your Google Tasks
  • Your Google account email and basic profile information

We only access this data to provide the synchronization feature. We do not store the contents of your other Google Calendar events permanently; only events relevant to Flowo are synchronized to our database.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. Legal Bases for Processing (GDPR)

We process your personal data on the following legal bases under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)): to provide the Service you have subscribed to, including account creation, authentication, feature delivery, and customer support.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other legal requirements (e.g., retention of invoices for 10 years under Italian law).
  • Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Service, prevent fraud and abuse, conduct analytics, and communicate with you about service-related matters.
  • Consent (Art. 6(1)(a)): for non-essential cookies, push notifications, marketing emails (where applicable), and any processing requiring explicit consent. You may withdraw consent at any time.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • Creating and managing your account
  • Providing the Service and its features (habits, tasks, reading, budget, planner, AI Coach, etc.)
  • Processing payments and managing subscriptions through Lemon Squeezy
  • Sending transactional emails (welcome, billing, password reset, account changes)
  • Sending push notifications for reminders (only if you have granted permission)
  • Providing AI-powered features (Coach, weekly summaries) via Gemini API
  • Synchronizing data with Google Calendar/Tasks if you have connected your Google account
  • Analyzing usage patterns to improve the Service (via PostHog)
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with legal obligations
  • Responding to your inquiries and providing customer support

6. Third-Party Service Providers (Sub-Processors)

We share your personal data with carefully selected third-party service providers who process data on our behalf under strict contractual obligations (Data Processing Agreements pursuant to Art. 28 GDPR):

Provider | Purpose | Location | Safeguards
--- | --- | --- | ---
Supabase | Database hosting, authentication | EU (Frankfurt) | DPA, EU data residency
Vercel | Application hosting, edge functions | USA / Global edge | DPA, SCCs (EU-US Data Privacy Framework certified)
Lemon Squeezy | Payment processing, Merchant of Record | USA | DPA, SCCs, PCI-DSS compliant
PostHog | Product analytics | EU (Germany) | DPA, EU data residency
Resend | Transactional email delivery | USA | DPA, SCCs
Google (OAuth, Calendar, Tasks, Gemini API) | Authentication, calendar sync, AI features | Global | DPA, SCCs (Data Privacy Framework certified)
Iubenda | Privacy/cookie policy hosting, consent management | Italy / EU | DPA, EU-based

We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioral advertising.

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), including in the United States. When we transfer personal data outside the EEA, we ensure adequate protection through:

  • European Commission adequacy decisions (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-US Data Privacy Framework (where the recipient is certified)
  • Other appropriate safeguards under Chapter V of the GDPR

You may request a copy of the safeguards in place by contacting us at privacy@flowospace.com.

8. Data Retention

We retain your personal data only for as long as necessary:

  • Account data and user content: retained for as long as your account is active. If you delete your account, your data is permanently deleted within 30 days, except where retention is required by law.
  • Invoices and billing records: retained for 10 years as required by Italian tax law (Art. 2220 Civil Code).
  • Marketing consents and logs: retained for the duration of your consent plus 2 years after withdrawal for proof purposes.
  • Server logs: retained for up to 90 days for security and debugging purposes.
  • Analytics data: retained in aggregated/pseudonymized form for up to 24 months.

9. Your Rights

9.1 Rights Under GDPR (EU/EEA Residents)

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): request limitation of processing.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing.
  • Right not to be subject to automated decision-making (Art. 22): we do not currently use solely automated decision-making with legal effects.
  • Right to withdraw consent (Art. 7(3)): withdraw any consent you have given, at any time.
  • Right to lodge a complaint: with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.gpdp.it) or your local supervisory authority.

9.2 Rights Under CCPA/CPRA (California Residents)

  • Right to know: what personal information we collect, use, disclose, and (if applicable) sell.
  • Right to delete: request deletion of personal information we hold about you.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: we do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond providing the Service.
  • Right to non-discrimination: we will not discriminate against you for exercising your rights.

9.3 Rights Under LGPD (Brazilian Residents)

Brazilian residents have rights under Articles 17–22 of the LGPD, substantially similar to GDPR rights, including access, correction, anonymization, blocking, deletion, portability, and information about sharing.

9.4 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@flowospace.com. We will respond within 30 days (or as required by applicable law). You may also delete your account and export your data directly from your account settings.

We may need to verify your identity before processing your request. We will not discriminate against you for exercising your rights.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption in transit (HTTPS/TLS) and at rest (AES-256)
  • Strict access controls and authentication (OAuth, hashed passwords using bcrypt)
  • Sensitive data isolated in a private database schema with audit logging
  • Regular security audits and dependency updates
  • Row-Level Security where appropriate
  • Secure development practices and code review
  • Incident response procedures

However, no method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, and analyze usage. For detailed information, please see our Cookie Policy.

You can manage your cookie preferences at any time through the consent banner or by clicking the "Cookie Settings" link in the footer.

12. Children's Privacy

The Service is not intended for individuals under 16 years of age (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@flowospace.com.

13. Automated Decision-Making and AI Features

The Service includes AI-powered features (Coach AI, weekly summaries) that use Google's Gemini API. These features generate personalized suggestions based on your usage data within the Service. The output is advisory only and does not produce legal or similarly significant effects on you. You are not subject to decisions based solely on automated processing within the meaning of Art. 22 GDPR.

Data sent to Gemini API is processed under Google's terms and is not used to train Google's models per our enterprise agreement settings.

14. Marketing Communications

We may send you transactional emails (account-related) and, with your consent, product updates and marketing emails. You can unsubscribe from marketing emails at any time using the unsubscribe link in any marketing email or by adjusting your notification preferences in your account settings.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by email or by displaying a prominent notice in the Service before the changes take effect.

The "Last updated" date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Gabriele Merigo
Turin, Italy
Email: privacy@flowospace.com

For matters specifically relating to data protection under the GDPR, you may also contact the Italian Data Protection Authority:

Garante per la protezione dei dati personali
Piazza Venezia, 11 — 00187 Roma, Italy
Web: www.gpdp.it

© 2026 Flowo. Built with care in Italy.