Developer Privacy Policy

Effective Date: December 12, 2025
Last Updated: January 5, 2025


1. Introduction

This policy covers how we handle data from developers and businesses using the Flowsta Auth API.


2. Developer Data We Collect

Account Data

  • Organization name
  • Contact email
  • API keys
  • Team members (user IDs, roles)
  • Pending invites (email addresses - deleted after 7 days or acceptance)

Billing Data (via Stripe)

  • Payment method (stored by Stripe)
  • Billing address
  • Invoice history

Usage Data

  • API request counts
  • Error rates
  • Response times
  • MAU counts (aggregate only)

Holochain Signing Data (If You Use Signing Service)

  • Which apps you've enabled signing for
  • Signing permission metadata (granted/revoked timestamps)
  • Number of signing requests per app
  • NOT stored: Actual content of what was signed (only SHA256 hashes in user's encrypted Holochain)

3. What We DON'T Collect About Your Users

Data              | Status   | Notes
User passwords    | ❌ Never | Zero-knowledge architecture
User IP addresses | ❌ Never | Removed from all logs
User device info  | ❌ Never | Removed from all logs
User activity     | ❌ Never | Stored in user's Holochain

Your users' data stays with your users.


4. Zero-Knowledge MAU Analytics

How MAU Tracking Works

  1. User logs in via your app
  2. Flowsta generates a random analytics_id (stored in user's Holochain)
  3. We record: analytics_id + your app_id + month
  4. You see: "42 MAU this month"

What You CAN'T Do

  • Identify which users logged in
  • Link analytics_id to email or DID
  • Access user activity logs
  • See IP addresses or devices

This is by design. Zero-knowledge analytics protects your users' privacy while giving you the metrics you need.


5. Holochain Signing Service Data (If You Use It)

When users grant your app holochain:sign permission:

What We Collect

Data                                   | Retention
User + App ID (who granted permission) | Until revoked
Granted/revoked timestamps             | Permanent (audit trail)
Last used timestamp                    | Updated on each use
Sign count (number of signatures)      | Updated on each use
Action type (e.g., 'create_entry')     | 90 days
Action hash (SHA256 - not content)     | 90 days

What We DON'T Collect

  • ❌ The actual content that was signed
  • ❌ User's private signing keys (never leave our conductor)
  • ❌ Individual user identifiers in your analytics

User Privacy: Signing activity details are stored in the user's encrypted Holochain source chain. Users can see full signing history in their dashboard and revoke permissions at any time.


6. How We Use Developer Data

Service Provision

  • Generate and manage API keys
  • Monitor usage and enforce limits
  • Bill for API usage

Communication

  • Service announcements
  • API changes
  • Billing notifications
  • Security alerts

7. Data Sharing

Service Providers

  • Stripe (payments)
  • Google Cloud (hosting)

We DON'T

  • Sell developer data
  • Share API keys
  • Use your data to compete

8. Your Responsibilities

As a developer using Flowsta, you are the "Data Controller" for your users:

You Must

  • Have a privacy policy
  • Inform users Flowsta is used
  • Obtain consent for data sharing
  • Handle user data requests
  • Comply with GDPR/CCPA

Data Processing Agreement

Enterprise customers can request a formal DPA.


9. Developer Rights

  • Access your account data
  • Update business information
  • Export usage analytics
  • Delete your developer account

Account Deletion

  • Request via dashboard
  • Deleted within 30 days
  • Billing records retained per tax law (7 years)

10. Data Retention

Active Accounts

  • Data retained while active
  • API logs: 90 days
  • Usage analytics: 2 years (aggregated)
  • Pending team invites: 7 days (auto-deleted if not accepted)
  • Signing activity logs: 90 days

Deleted Accounts

  • Account data: 30 days
  • Billing records: 7 years (legal requirement)

11. Security

Our Protections

  • Encrypted connections (TLS 1.3)
  • API keys encrypted at rest
  • Role-based access control
  • Regular security audits

Your Responsibilities

  • Keep API keys secure
  • Rotate keys regularly
  • Report security issues
  • If using signing service: secure OAuth tokens (they grant signing access)

12. Changes to Policy

  • 60 days notice for material changes
  • Email notification
  • Continued use = acceptance

13. Contact