← Flotask

Privacy Policy

Last updated: 24 April 2026

What this covers

This policy describes what personal data Flotask collects when you use flotask.ai, how we use it, who we share it with, and the rights you have over it.

Data we collect

  • Account: email address (via Supabase Auth).
  • Flows & Pages: the Task Flows and Pages you create and their configuration.
  • Run history: inputs, AI outputs, error messages, timestamps.
  • Connections: OAuth tokens for services you connect (Gmail, Facebook, Instagram, Slack). Stored in Supabase with Row-Level Security; only you can read them.
  • Credentials: API keys you save in the credentials vault. Encrypted at rest by the database provider.
  • Usage: basic product analytics — page loads, feature use. No third-party trackers.

How we use it

To run your flows, deliver emails you configure, show you run history, and keep your data available across sessions. That's it.

Who we share it with

We send the bare minimum to third-party providers required to run your flows:

  • Anthropic, OpenAI, Google AI: prompts and any attached images when you use an AI step.
  • Resend: email content when you use a Send step with our default sender.
  • Google (Gmail API): email content when you use a Send step with your own connected Gmail.
  • Supabase: hosts the database and handles authentication.
  • Vercel: hosts the application.

We do not sell, rent, or trade your data. We do not use your flow content to train models.

Cookies & tracking

We use a session cookie from Supabase to keep you signed in. No advertising cookies, no Google Analytics, no Meta Pixel.

Your rights

  • Access: export all your data anytime via Settings → Account → Export my data.
  • Deletion: email us at hmfxglobal@gmail.com and we will delete your account + data within 30 days.
  • Correction: edit any data in place in the app.
  • EU/UK residents: you have rights under GDPR (access, rectification, erasure, portability, restriction, objection). Contact us to exercise them.

Security

Data is encrypted in transit (HTTPS) and at rest (Supabase default). OAuth tokens and credentials never leave the database except when executing your flow. We rotate secrets regularly.

Retention

Run history and flow configurations are kept while your account exists. Deleted accounts are purged within 30 days.

Children

Flotask is not intended for users under 13. We don't knowingly collect data from children.

Changes

If this policy changes materially, we'll notify signed-in users by email before the change takes effect.

Contact

hmfxglobal@gmail.com

This policy reflects our current practices. We recommend you have counsel review it before you launch to users in regulated jurisdictions (EU, UK, California).