Privacy Policy
Last updated: March 31, 2026
1. Data Controller
The data controller responsible for your personal data is:
- Flow Relay – operated by Adriano Sorbello (sole proprietor)
- Email: privacy@flowrelay.it
- Website: www.flowrelay.it
2. What we collect
Flow Relay collects work activity data from the integrations you explicitly connect. We only access data that is necessary to provide context synthesis features. Specifically:
- GitHub: Push events (commit messages, authors, file changes, and code diffs) and pull request events (titles, descriptions, reviewers, labels, and code diffs). We access repository metadata and contents via read-only permissions. We do NOT modify your repositories.
- GitLab: Push events (including code diffs), merge requests (including code diffs), issues, comments, pipelines, deployments, releases, wiki pages, and milestones. We use read-only API access (read_api, read_user scopes).
- Slack: Messages in channels where Flow Relay is explicitly added, including thread replies and reactions. We do NOT access private DMs unless you opt in.
- Linear: Issues, comments, projects, project updates, cycles, documents, labels, and initiatives.
- Jira: Issues (creation, updates, deletions), comments, project events, sprints, versions, and worklogs.
- Notion: Page creation and update events. We retrieve page content via the Notion API to include in context summaries.
- Discord: When you install our bot in a Discord server, we ingest message text, server (guild) IDs, channel IDs, and the author's Discord username and display name to generate AI-powered handoff summaries. Discord does not provide us with email addresses. Message content is stored securely in our database and processed temporarily by the LLM; it is not retained longer than necessary for summarization.
- Azure DevOps: Push events (including code diffs) and pull request events. We access repository data via a personal access token (PAT) you provide.
- Bitbucket: Push events (including code diffs), pull requests, approvals, and PR comments via webhook and read-only API access.
- Figma: File update events, version publications, and comment activity. We access file metadata and comments via the Figma API using your OAuth token.
- Confluence: Page creation, page update, and comment events received via user-configured Atlassian Global Automation rules. When an event is received, we use your OAuth access token to fetch the full page content or comment text from the Confluence Cloud API (v2), along with metadata such as page titles, page IDs, and space keys. The raw HTML is stripped to plain text before storage. This data processing is an essential functional component of the core service – it enables Flow Relay to include knowledge base context in handoff summaries. We do NOT modify your Confluence pages or comments.
- Microsoft Outlook: Email metadata and message content from your Outlook inbox, fetched securely via the Microsoft Graph API using your OAuth token. Data is used exclusively for Just-In-Time (JIT) AI handoff generation and respects your organization's global policies. We do NOT send, modify, or delete any emails.
- Microsoft Teams: Chat messages and channel messages fetched securely via the Microsoft Graph API using your OAuth token. Data is used exclusively for Just-In-Time (JIT) AI handoff generation and respects your organization's global policies. Connecting may require Workspace Administrator approval (Admin Consent). We do NOT send, modify, or delete any messages.
- Account data: Email address, name, and authentication tokens for connected services.
3. Legal basis for processing (GDPR Art. 6)
We process your personal data based on the following legal grounds:
- Contractual necessity (Art. 6(1)(b)): Processing your work activity data is necessary to deliver the core service you signed up for – generating context handoffs.
- Consent (Art. 6(1)(a)): You explicitly choose which integrations to connect and which data to share with Flow Relay. You can disconnect any integration at any time.
- Legitimate interest (Art. 6(1)(f)): For security monitoring and fraud prevention.
4. How we use your data
Your data is used exclusively to:
- Generate context summaries and handoff briefs.
- Create vector embeddings for semantic search within your own workspace.
- Improve the relevance of AI-generated summaries for your team.
We do not use your data to train AI models. Your work data is never shared with third parties for advertising or any purpose other than providing the service.
5. AI processing
We use Google AI (Gemini) to generate summaries and analyses. When your data is sent to the AI model for processing:
- Only the minimum necessary context is sent – this includes event metadata, descriptions, and code diffs (truncated to a maximum length) but never your full repository contents or history.
- Data is transmitted via encrypted connections (TLS).
- Google's API data usage policy applies – data sent via the API is not used to train their models.
6. Third-party services and international data transfers
Your data may be processed by the following third-party services:
- Vercel: The application is hosted on Vercel's edge network. Requests are served from the nearest region. Vercel complies with GDPR and offers a Data Processing Agreement (DPA).
- Google AI (Gemini): Text excerpts are sent to Google's API servers (United States) for AI processing. Google operates under Standard Contractual Clauses (SCCs) for GDPR compliance.
- Supabase: Your database (PostgreSQL) is hosted in the region you selected during project creation. Supabase complies with GDPR and offers Data Processing Agreements (DPAs).
- Brevo: Transactional emails (e.g., password resets, handoff notifications) are processed via Brevo's EU-based infrastructure.
- KIProtect (Klaro): Our cookie consent manager is loaded from KIProtect's CDN (Germany). Klaro does not collect or transmit any personal data – consent preferences are stored locally in your browser.
7. Data storage and security
- All data is stored in Supabase (PostgreSQL) with Row Level Security enabled.
- Integration access tokens are encrypted at rest.
- All connections use TLS encryption.
- Two-factor authentication (TOTP) is available for all accounts.
- API keys for the VS Code extension and MCP server are hashed before storage – we cannot see your raw key after creation.
- We do not store data longer than necessary – you can delete your data at any time.
8. Cookies and local storage
We use only essential cookies required for authentication. We do not use third-party tracking, advertising, or analytics cookies. We use Klaro as our consent management tool so you can review and manage your preferences at any time.
| Name | Purpose | Type | Storage | Duration |
|---|---|---|---|---|
| sb-*-auth-token | Authentication session | Essential | Cookie | Session / 7 days |
| flowrelay_consent | Stores your cookie preferences (Klaro) | Essential | localStorage | Until cleared |
| flowrelay-theme | Stores your light/dark theme preference | Functional | localStorage | Until cleared |
No data stored in localStorage is transmitted to any server. These values remain entirely in your browser.
9. Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access your personal data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data – "right to be forgotten" (Art. 17).
- Restrict processing (Art. 18).
- Port your data to another service (Art. 20).
- Object to processing (Art. 21).
- Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise these rights, contact us at privacy@flowrelay.it. We will respond within 30 days.
10. Supervisory authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In Italy, this is the Garante per la protezione dei dati personali.
11. Data retention
We retain your data for as long as your account is active. When you delete your account, all associated data (events, handoffs, embeddings, and integration tokens) is permanently deleted within 30 days.
12. Children's privacy
Flow Relay is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.
13. Changes to this policy
We will notify you of material changes via email or in-app notification at least 30 days before they take effect. Continued use of the service after that period constitutes acceptance of the updated policy.