Privacy Policy

Flowt (“we”, “our”, or “us”) operates the Flowt hiring platform available at useflowt.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By using Flowt you agree to the collection and use of information in accordance with this policy.

2.1 Account Information

When you register, we collect your name, work email address, company name, and password (stored as a salted hash via Supabase Auth).

2.2 OAuth Tokens

If you choose to connect your Google or Microsoft account, we store OAuth access and refresh tokens. These tokens are encrypted using AES-256-GCM before being written to our database and are used solely to send outreach emails on your behalf. We request only the minimum scopes required: gmail.send (Google) and Mail.Send (Microsoft). We never read, index, or store the contents of your inbox.

2.3 Candidate Data

We store professional profile information about candidates you source (name, job title, company, LinkedIn URL, skills). This data is sourced from publicly available professional networks via third-party APIs. It is stored within your organisation’s isolated workspace and is never shared with other organisations.

2.4 Usage Data

We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. This is used for security monitoring and product improvement.

2.5 Email Activity

We log when outreach emails are sent and, if a tracking pixel is included, when they are opened. This data is attributed to your account only and is not shared with third parties.

• To provide, operate, and maintain the Flowt platform
• To send outreach emails on your behalf using your connected email account
• To generate AI-powered candidate summaries and outreach sequences
• To enforce plan limits and billing
• To respond to support requests
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data to train AI models.

All data is stored on servers located in the European Union (AWS eu-west-1 via Supabase). We implement the following security measures:

• AES-256-GCM encryption for all OAuth tokens at rest
• TLS 1.3 for all data in transit
• Row-level isolation — your organisation’s data is strictly separated from other organisations at the database query level
• Role-based access control — only members of your workspace can access your candidates, campaigns, and settings
• Rate limiting on all API endpoints to prevent abuse
• Regular security audits of API routes for cross-tenant data leakage

We use the following third-party processors:

• Supabase — authentication and database hosting
• OpenAI — AI candidate summaries and outreach generation (data is not retained for training)
• Crustdata — professional profile search
• Resend — transactional emails (password resets, invite emails)
• Vercel — application hosting and CDN
• Google / Microsoft — OAuth authentication and email sending via your connected account

Flowt’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We request only the gmail.send scope — we do not read, copy, or analyse your email messages or attachments
• We do not transfer your Google data to third parties except as necessary to provide the email sending feature
• We do not use your Google data for advertising purposes
• Humans at Flowt do not read your Gmail data unless required for security incident response or at your explicit request

When you connect your Microsoft / Outlook account, we request only the Mail.Send and User.Read scopes. We never access your inbox, calendar, contacts, or any other Microsoft data. Refresh tokens are encrypted with AES-256-GCM and rotated on each use.

You have the right to:

• Access — request a copy of the data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your account and all associated data
• Portability — receive your data in a machine-readable format
• Disconnect OAuth — revoke connected email accounts at any time from Settings → Email Connections
• Object — object to certain processing activities

To exercise these rights, email admin@useflowt.com. We will respond within 30 days.

We retain your account data for as long as your account is active. If you delete your account, we will delete all associated personal data within 30 days, except where retention is required by law.

We use strictly necessary cookies for session management and authentication. We do not use advertising or analytics cookies.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification at least 14 days before the change takes effect.

For privacy enquiries or to exercise your rights:

Email: admin@useflowt.com
Website: useflowt.com