Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

Account Information: When you create an account, we collect:

• Full name
• Email address
• Password (encrypted and hashed)
• Phone number (optional)
• Company name and business information (optional)
• Profile picture (optional)

Payment Information: When you subscribe to a paid plan, we collect:

• Billing name and address
• Credit card information (processed securely by our payment processor; we do not store full card numbers)
• Tax identification numbers (if applicable)
• Transaction history and invoices

User Content: Content you create, upload, or generate using our Service:

• Website content (text, images, videos, audio files)
• AI prompts and instructions
• Custom code, HTML, CSS, JavaScript
• Website configurations, settings, and preferences
• Files uploaded to your websites
• Comments, feedback, and support communications

Communications: When you contact us, we collect:

• Email correspondence
• Support ticket information
• Chat messages
• Survey responses and feedback
• Phone call recordings (with your consent)

1.2 Information Collected Automatically

Device and Usage Information:

• IP address and geolocation data
• Device type, model, and operating system
• Browser type, version, and language settings
• Screen resolution and device identifiers
• Referring and exit pages
• Pages viewed and features used
• Time spent on pages and interaction patterns
• Click and scroll behavior
• Search queries within the Service

Technical and Log Data:

• Access times and dates
• Error logs and crash reports
• Performance metrics and load times
• API usage and request logs
• Server logs and debugging information

Cookies and Tracking Technologies:

• Session cookies (to keep you logged in)
• Preference cookies (to remember your settings)
• Analytics cookies (to understand usage patterns)
• Advertising cookies (for targeted marketing, if applicable)
• Local storage and session storage data
• Web beacons and pixel tags

1.3 Information from Third Parties

We may receive information about you from:

• Social media platforms (if you connect your account)
• Payment processors (transaction confirmations)
• Analytics providers (aggregated usage data)
• Marketing partners (campaign performance)
• Public databases and data enrichment services
• Business partners and affiliates

1.4 AI Training Data

To improve our AI models and Service, we may collect and analyze:

• Anonymized and aggregated AI prompts and responses
• Plugin selection patterns and preferences
• Website design choices and customizations
• User interaction patterns with AI features
• Error rates and AI performance metrics

Important: We anonymize and aggregate this data before using it for AI training. We do not use your personal information or identifiable content for AI training without your explicit consent.

2. How We Use Your Information

2.1 Service Provision and Operation

• Create, maintain, and manage your account
• Provide access to the AI website builder and all features
• Generate websites using AI based on your prompts
• Store, host, and deploy your websites
• Process and customize your content
• Enable collaboration features (if applicable)
• Provide customer support and respond to inquiries
• Send service-related notifications and updates

2.2 AI Processing and Improvement

• Process your prompts through AI models (Anthropic Claude API)
• Generate and customize website content, colors, and layouts
• Select and recommend appropriate plugins and templates
• Train and improve our AI algorithms (using anonymized data)
• Develop new AI features and capabilities
• Optimize AI performance and accuracy

2.3 Payment Processing and Billing

• Process subscription payments and transactions
• Manage billing cycles and renewals
• Generate invoices and receipts
• Handle refunds and chargebacks
• Detect and prevent payment fraud
• Comply with tax and accounting requirements

2.4 Communication and Marketing

• Send transactional emails (account confirmations, password resets)
• Provide customer support and technical assistance
• Send product updates, newsletters, and announcements (with your consent)
• Conduct surveys and request feedback
• Send promotional offers and marketing materials (you can opt-out)
• Personalize marketing communications based on your interests

2.5 Analytics and Service Improvement

• Analyze usage patterns and user behavior
• Understand feature adoption and engagement
• Identify and fix bugs, errors, and performance issues
• Conduct A/B testing and experiments
• Develop new features and improvements
• Optimize user experience and interface design
• Generate aggregated statistics and reports

2.6 Security and Fraud Prevention

• Detect, prevent, and investigate fraud, abuse, and security threats
• Monitor for unauthorized access and suspicious activity
• Enforce our Terms of Service and policies
• Protect our systems, infrastructure, and intellectual property
• Verify user identity and prevent account takeovers
• Conduct security audits and vulnerability assessments

2.7 Legal Compliance and Protection

• Comply with legal obligations and regulatory requirements
• Respond to legal processes (subpoenas, court orders, warrants)
• Protect our rights, property, and safety
• Protect the rights, property, and safety of our users and the public
• Enforce our agreements and policies
• Resolve disputes and investigate complaints

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, we process your personal information based on the following legal grounds:

3.1 Contractual Necessity

Processing is necessary to perform our contract with you (Terms of Service), including:

• Account creation and management
• Service provision and delivery
• Payment processing
• Customer support

3.2 Legitimate Interests

Processing is necessary for our legitimate business interests, including:

• Improving and optimizing our Service
• Detecting and preventing fraud and security threats
• Analyzing usage and conducting research
• Marketing and promoting our Service
• Enforcing our Terms and policies

3.3 Consent

Where required by law, we obtain your consent for:

• Marketing communications
• Non-essential cookies
• Processing sensitive personal information
• AI training using your content (if identifiable)

3.4 Legal Obligations

Processing is necessary to comply with legal obligations, such as:

• Tax and accounting requirements
• Responding to legal processes
• Regulatory compliance

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers and Business Partners

We share information with trusted third-party service providers who perform services on our behalf:

• AI Providers: Anthropic (Claude API) for AI-powered website generation and content processing
• Cloud Hosting: AWS, Google Cloud, or similar providers for infrastructure and data storage
• Payment Processors: Stripe, PayPal, or similar services for payment processing
• Email Services: SendGrid, Mailchimp, or similar providers for transactional and marketing emails
• Analytics: Google Analytics, Mixpanel, or similar tools for usage analytics
• Customer Support: Zendesk, Intercom, or similar platforms for support tickets and chat
• CDN and Performance: Cloudflare, Fastly, or similar services for content delivery
• Security: Auth0, reCAPTCHA, or similar services for authentication and fraud prevention

These service providers are bound by confidentiality agreements and are only permitted to use your information for the specific purposes we authorize.

4.2 Business Transfers

If FLOWMINDS is involved in a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar transaction, your information may be transferred as part of that transaction. We will:

• Notify you via email and/or prominent notice on our Service
• Provide information about the acquiring entity
• Inform you of any choices you may have regarding your information

4.3 Legal Requirements and Protection

We may disclose your information if required by law or in good faith belief that such disclosure is necessary to:

• Comply with legal obligations, court orders, subpoenas, or government requests
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of FLOWMINDS, our users, or the public
• Detect, prevent, or investigate fraud, security breaches, or illegal activities
• Defend against legal claims or litigation

4.4 With Your Consent

We may share your information with third parties when you explicitly consent or direct us to do so, such as:

• Integrating with third-party services or APIs
• Sharing content publicly (if you choose to publish)
• Participating in promotions or partnerships

4.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, for purposes such as:

• Industry research and benchmarking
• Marketing and promotional materials
• Improving AI models and algorithms
• Public reporting and transparency

5. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including Australia, the United States, and other countries where our service providers operate. These countries may have different data protection laws than your jurisdiction.

5.1 Safeguards for International Transfers

When we transfer personal information internationally, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by relevant data protection authorities
• Binding Corporate Rules (BCRs) where applicable
• Encryption and security measures during transit and at rest
• Contractual obligations with service providers to protect your data

5.2 Your Consent

By using our Service, you consent to the transfer of your information to countries outside your jurisdiction, including countries that may not provide the same level of data protection as your home country.

6. Data Security

We implement industry-standard technical, administrative, and physical security measures to protect your information from unauthorized access, use, disclosure, alteration, or destruction.

6.1 Technical Security Measures

• Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
• Authentication: Secure password hashing (bcrypt) and optional two-factor authentication (2FA)
• Access Controls: Role-based access control (RBAC) and principle of least privilege
• Firewalls: Network firewalls and intrusion detection/prevention systems
• Monitoring: 24/7 security monitoring and logging
• Vulnerability Management: Regular security scans and penetration testing
• Secure Development: Security code reviews and secure coding practices

6.2 Administrative Security Measures

• Employee Training: Regular security awareness training for all staff
• Background Checks: Screening of employees with access to sensitive data
• Confidentiality Agreements: All employees sign confidentiality agreements
• Incident Response: Documented incident response and breach notification procedures
• Vendor Management: Due diligence and security assessments of third-party providers

6.3 Physical Security Measures

• Data centers with restricted physical access
• 24/7 surveillance and security personnel
• Environmental controls (fire suppression, climate control)
• Backup power and redundancy systems

6.4 Limitations

While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for:

• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords
• Enabling two-factor authentication when available
• Promptly notifying us of any suspected security breach

6.5 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify affected users within 72 hours of becoming aware of the breach
• Notify relevant data protection authorities as required by law
• Provide information about the nature of the breach and steps being taken
• Offer guidance on protective measures you can take

7. Data Retention

7.1 Retention Periods

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained while your account is active and for 90 days after account deletion
• User Content: Retained while your account is active; deleted 90 days after account deletion (unless you export it)
• Payment Records: Retained for 7 years for tax and accounting purposes
• Support Communications: Retained for 3 years for quality assurance and dispute resolution
• Usage Logs: Retained for 12 months for security and analytics purposes
• Marketing Data: Retained until you opt-out or for 2 years of inactivity

7.2 Retention Criteria

We determine retention periods based on:

• The nature and sensitivity of the information
• The purposes for which we process the information
• Legal, regulatory, tax, and accounting requirements
• Potential legal claims and statute of limitations
• Legitimate business needs

7.3 Deletion and Anonymization

When we no longer need your information, we will:

• Securely delete or destroy the information
• Anonymize the information so it can no longer identify you
• Aggregate the information with other data

Some information may be retained in backup systems for a limited time before permanent deletion.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 Access and Portability

• Right to Access: Request a copy of the personal information we hold about you
• Right to Data Portability: Receive your information in a structured, commonly used, machine-readable format
• Right to Export: Download your User Content and website data

8.2 Correction and Update

• Right to Rectification: Correct inaccurate or incomplete personal information
• Account Settings: Update your profile information, email, and preferences directly in your account

8.3 Deletion and Erasure

• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information
• Account Deletion: Delete your account and associated data through account settings
• Limitations: We may retain certain information as required by law or for legitimate business purposes

8.4 Restriction and Objection

• Right to Restriction: Request that we limit how we use your information
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Opt-Out: Unsubscribe from marketing emails using the link in each email

8.5 Consent Withdrawal

• Right to Withdraw Consent: Withdraw consent for processing at any time (where consent is the legal basis)
• Cookie Consent: Manage cookie preferences through your browser settings or our cookie banner

8.6 Complaint and Appeal

• Right to Complain: Lodge a complaint with a data protection authority
• Australian Users: Contact the Office of the Australian Information Commissioner (OAIC)
• EU/UK Users: Contact your local data protection authority
• Internal Complaint: Contact our Privacy Officer at info@flowminds.com.au

8.7 Exercising Your Rights

To exercise any of these rights, please:

• Email us at info@flowminds.com.au
• Use the privacy controls in your account settings
• Include sufficient information to verify your identity

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

Essential Cookies (Always Active):

• Authentication and session management
• Security and fraud prevention
• Load balancing and performance
• User interface preferences

Functional Cookies:

• Remember your settings and preferences
• Provide enhanced features and personalization
• Remember your language and region

Analytics Cookies:

• Understand how you use the Service
• Measure performance and engagement
• Identify usage patterns and trends
• Improve our Service based on insights

Advertising Cookies (If Applicable):

• Deliver relevant ads based on your interests
• Measure ad campaign effectiveness
• Limit ad frequency

9.2 Third-Party Cookies

We may allow third-party service providers to place cookies on your device for:

• Google Analytics (usage analytics)
• Stripe (payment processing)
• Intercom or Zendesk (customer support chat)
• Social media platforms (if you share content)

9.3 Managing Cookies

You can control cookies through:

• Browser Settings: Most browsers allow you to block or delete cookies
• Cookie Banner: Manage preferences through our cookie consent banner
• Opt-Out Tools: Use industry opt-out tools like NAI or DAA
• Do Not Track: Enable "Do Not Track" in your browser (we honor this signal)

Note: Disabling cookies may affect your ability to use certain features of the Service.

9.4 Other Tracking Technologies

We may also use:

• Web Beacons: Small graphics to track email opens and clicks
• Pixel Tags: Track conversions and ad performance
• Local Storage: Store data locally on your device
• Session Storage: Store temporary session data
• Device Fingerprinting: Identify devices for fraud prevention

10. Children's Privacy

Our Service is not intended for children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

10.1 Age Verification

By using the Service, you represent and warrant that you are at least 18 years old. If you are under 18, you may only use the Service with the involvement and consent of a parent or legal guardian.

10.2 Parental Rights

If you believe we have collected information from a child without proper consent, please contact us immediately at support@flowminds.ai. We will promptly:

• Investigate the matter
• Delete the child's information from our systems
• Terminate the child's account
• Take steps to prevent future unauthorized access

11. Third-Party Links and Services

Our Service may contain links to third-party websites, applications, or services that are not owned or controlled by FLOWMINDS. We are not responsible for the privacy practices of these third parties.

11.1 Third-Party Privacy Policies

When you access third-party services, you are subject to their privacy policies and terms. We encourage you to review their policies before providing any personal information.

11.2 User-Generated Links

Websites you create using our Service may contain links to third-party sites. You are responsible for ensuring compliance with privacy laws when collecting information through your websites.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Right to Know

You have the right to request:

• Categories of personal information we collect
• Categories of sources from which we collect information
• Business purposes for collecting information
• Categories of third parties with whom we share information
• Specific pieces of personal information we hold about you

12.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

12.3 Right to Opt-Out of Sale

We do not sell your personal information. If our practices change, we will update this Policy and provide an opt-out mechanism.

12.4 Right to Non-Discrimination

You have the right to not receive discriminatory treatment for exercising your CCPA rights.

12.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require proof of authorization.

12.6 Shine the Light Law

California residents may request information about our disclosure of personal information to third parties for direct marketing purposes once per year.

13. Australian Privacy Principles (APPs)

As an Australian company, FLOWMINDS complies with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth).

13.1 APP Compliance

We adhere to the 13 APPs, which cover:

• Open and transparent management of personal information
• Anonymity and pseudonymity options where practicable
• Collection of solicited and unsolicited information
• Dealing with unsolicited personal information
• Notification of collection
• Use and disclosure of personal information
• Direct marketing
• Cross-border disclosure
• Adoption, use, or disclosure of government-related identifiers
• Quality of personal information
• Security of personal information
• Access to personal information
• Correction of personal information

13.2 Complaints Process

If you have a complaint about how we handle your personal information:

• Contact our Privacy Officer at info@flowminds.com.au
• We will acknowledge your complaint within 7 days
• We will investigate and respond within 30 days
• If you are not satisfied, you may contact the OAIC

13.3 OAIC Contact

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.1 Notification of Changes

When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Send you an email notification (if you have an account)
• Display a prominent notice on our Service
• Provide a summary of material changes
• Give you at least 30 days' notice before changes take effect (for material changes)

14.2 Your Acceptance

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the modified Policy, you must stop using the Service and may delete your account.

14.3 Prior Versions

We maintain an archive of prior versions of this Privacy Policy. You may request access to previous versions by contacting info@flowminds.com.au.

15. Contact Us

If you have any questions, concerns, requests, or complaints about this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days (or as required by applicable law). For urgent privacy matters, please mark your communication as "URGENT - PRIVACY MATTER."