Flowzao

Privacy Policy

Last updated: April 7, 2026

1. Who we are

Flowzao is operated by Cosmneo. Our registered offices are in Porto, Portugal. When this policy mentions "Flowzao", "we", or "us", it refers to Cosmneo as the data controller responsible for your information. You can reach our data protection team at privacy@flowzao.com.

2. What information we collect

When you create an account, we collect your name, email address, and a password hash. If you sign in through Google or Microsoft, we receive your name, email, and profile picture from those providers. When you create an organization, we store the organization name, industry, and the members you invite. Ticket data, comments, attachments, time logs, and feedback ratings are stored as part of normal platform usage. We also collect technical data automatically: your IP address, browser type, device information, and pages visited. We use session cookies for authentication. We do not use advertising cookies or third-party tracking scripts.

3. How we use your information

We use your information to operate the platform: authenticating you, delivering notifications about tickets and ecosystems, processing payments, and generating reports. We send transactional emails for account verification, password resets, ticket assignments, and billing events. We do not send marketing emails unless you explicitly opt in. We analyze aggregate usage patterns to improve the product. This analysis does not identify individual users. We do not use your data to train machine learning models. We do not sell your personal information to anyone.

4. Who has access to your data

Your data is shared with the following service providers, each under a data processing agreement: Neon (PostgreSQL database hosting in eu-central-1, Frankfurt), Cloudflare (application hosting, CDN, and DDoS protection), Stripe (payment processing for paid plans), and Resend (transactional email delivery). Within the Flowzao platform, your data visibility depends on your role. Organization owners and admins see all data within their organization. Technicians see only the tickets assigned to them and their own performance data. In shared ecosystems, each organization can only manage its own users. The ecosystem owner cannot see individual users from other organizations.

5. Where your data is stored

Your primary data is stored in Neon PostgreSQL in the eu-central-1 region (Frankfurt, Germany), within the European Union. Application code runs on Cloudflare Workers, which are distributed globally but process requests close to the user. File attachments are stored in Cloudflare R2 object storage. Payment data is processed and stored by Stripe, which maintains PCI DSS Level 1 compliance. We do not store credit card numbers or full payment details on our servers.

6. How we protect your data

All data in transit is encrypted using TLS 1.3. Data at rest in the database is encrypted by Neon. Passwords are hashed using scrypt with a unique salt per user. We do not store plaintext passwords. API authentication uses session tokens with configurable expiration. Access to production infrastructure is restricted and requires multi-factor authentication. We review access permissions regularly and follow the principle of least privilege.

7. Your rights under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data.

The right to access: you can request a copy of all personal data we hold about you.

The right to rectification: you can update your information directly in the platform or request corrections.

The right to erasure: you can delete your account, which triggers deletion of your personal data within 30 days.

The right to restrict processing: you can request that we limit how we use your data.

The right to data portability: you can request your data in a machine-readable format.

The right to object: you can object to processing based on legitimate interests.

To exercise any of these rights, email privacy@flowzao.com. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Portuguese Data Protection Authority (CNPD) or your local supervisory authority.

8. How long we keep your data

Account data is retained for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before being purged. Billing records and invoices are retained for 7 years to comply with Portuguese tax law. Anonymized analytics data may be retained indefinitely as it cannot be linked back to an individual. Outbox events and system logs are retained for 90 days for debugging and audit purposes.

9. Cookies

We use a single session cookie for authentication. This cookie is essential for the platform to function and cannot be disabled without losing access. We do not use analytics cookies, advertising cookies, or third-party tracking pixels. The session cookie is HTTP-only, secure, and uses SameSite=Lax or SameSite=None depending on the deployment context.

10. Children

Flowzao is a business platform. It is not intended for use by anyone under 16 years of age. We do not knowingly collect information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

11. Changes to this policy

We will update this policy when our practices change. If we make a significant change, we will notify you by email or through a notice in the platform before the change takes effect. Minor changes (clarifications, formatting) may be made without notice. The "Last updated" date at the top of this page reflects when the policy was last revised.

12. Contact

For any questions about this privacy policy or how we handle your data, contact us at privacy@flowzao.com. Our registered address is in Porto, Portugal.