Privacy Policy
Last updated: June 30, 2026
1. Data Controller
The data controller responsible for your personal data is:
- Flow Relay – operated by Adriano Sorbello (sole proprietor)
- Email: privacy@flowrelay.it
- Website: www.flowrelay.it
2. What we collect
Flow Relay collects work activity data from the integrations you explicitly connect. We only access data that is necessary to provide context synthesis features. Specifically:
- GitHub: Push events (commit messages, authors, file changes and code diffs) and pull request events (titles, descriptions, reviewers, labels and code diffs). We access repository metadata and contents via read-only permissions. We do NOT modify your repositories.
- GitLab: Push events (including code diffs), merge requests (including code diffs), issues, comments, pipelines, deployments, releases, wiki pages and milestones. We use read-only API access (read_api, read_user scopes).
- Slack: Messages in channels where Flow Relay is explicitly added, including thread replies and reactions. We do NOT access private DMs unless you opt in.
- Linear: Issues, comments, projects, project updates, cycles, documents, labels and initiatives.
- Jira: Issues (creation, updates, deletions), comments, project events, sprints, versions and worklogs.
- Notion: Page creation and update events. We retrieve page content via the Notion API to include in context summaries.
- Discord: When you install our bot in a Discord server, we ingest message text, server (guild) IDs, channel IDs, and the author's Discord username and display name to generate AI-powered handoff summaries. Discord does not provide us with email addresses. Message content is stored securely in our database and processed temporarily by the LLM; it is not retained longer than necessary for summarization.
- Azure DevOps: Push events (including code diffs) and pull request events. We access repository data via a personal access token (PAT) you provide.
- Bitbucket: Push events (including code diffs), pull requests, approvals and PR comments via webhook and read-only API access.
- Confluence: Page creation, page update, and comment events received via user-configured Atlassian Global Automation rules. When an event is received, we use your OAuth access token to fetch the full page content or comment text from the Confluence Cloud API (v2), along with metadata such as page titles, page IDs and space keys. The raw HTML is stripped to plain text before storage. This data processing is an essential functional component of the core service – it enables Flow Relay to include knowledge base context in handoff summaries. We do NOT modify your Confluence pages or comments.
- Microsoft Outlook: Email metadata and message content from your Outlook inbox, fetched securely via the Microsoft Graph API using your OAuth token. Data is used exclusively for Just-In-Time (JIT) AI handoff generation and respects your organization's global policies. We do NOT send, modify, or delete any emails.
- Microsoft Teams: Chat messages and channel messages fetched securely via the Microsoft Graph API using your OAuth token. Data is used exclusively for Just-In-Time (JIT) AI handoff generation and respects your organization's global policies. Connecting may require Workspace Administrator approval (Admin Consent). We do NOT send, modify, or delete any messages.
- Sentry: Issue and error events received via signed webhooks, including the issue title, culprit, stack traces, breadcrumbs, tags and the project and organization slugs. We use this to surface error context in handoffs and insights. We do NOT modify your Sentry projects.
- Datadog: Monitor and event notifications delivered to a Flow Relay webhook, including the alert title, body, priority and tags you configure. We use this to include observability context in summaries.
- Account data: Email address, name, and authentication tokens for connected services.
3. Legal basis for processing (GDPR Art. 6)
We process your personal data based on the following legal grounds:
- Contractual necessity (Art. 6(1)(b)): Processing your work activity data is necessary to deliver the core service you signed up for – generating context handoffs.
- Consent (Art. 6(1)(a)): You explicitly choose which integrations to connect and which data to share with Flow Relay. You can disconnect any integration at any time.
- Legitimate interest (Art. 6(1)(f)): For security monitoring and fraud prevention.
4. How we use your data
Your data is used exclusively to:
- Generate context summaries and handoff briefs.
- Create vector embeddings for semantic search within your own workspace.
- Improve the relevance of AI-generated summaries for your team.
We do not use your data to train AI models. Your work data is never shared with third parties for advertising or any purpose other than providing the service.
5. AI processing and data residency
We use third-party large language models to generate summaries and analyses. Which provider processes your data depends on the data residency you choose for each project:
- Default region: Google AI (Gemini), processed on Google's servers in the United States.
- EU residency: open-model endpoints hosted in the European Union – Qwen and Mistral (La Plateforme). When you select EU residency for a project, its context is not sent to providers outside the EU.
- Chinese providers (opt-in only): DeepSeek, processed on servers in China, is used only if an administrator explicitly enables Chinese providers for that workspace. It is off by default.
In all cases:
- Only the minimum necessary context is sent – event metadata, descriptions, semantically retrieved code excerpts and code diffs (truncated to a maximum length) – never your full repository contents or history.
- Data is transmitted via encrypted connections (TLS).
- Each provider's API data-usage policy applies; data sent via their APIs is not used to train their models, and we do not use your data to train any model.
6. Third-party services and international data transfers
Your data may be processed by the following third-party services:
- Vercel: The application is hosted on Vercel's edge network. Requests are served from the nearest region. Vercel complies with GDPR and offers a Data Processing Agreement (DPA).
- AI model providers: Depending on the data residency you choose (see section 5), text excerpts are sent to Google AI / Gemini (United States, under Standard Contractual Clauses), to EU-hosted Qwen and Mistral endpoints (European Union), or – only if you explicitly opt in – to DeepSeek (China).
- Supabase: Your database (PostgreSQL) is hosted in the region you selected during project creation. Supabase complies with GDPR and offers Data Processing Agreements (DPAs).
- Paddle: Paddle.com Market Ltd is our authorised reseller and Merchant of Record. It processes your payment data, billing details and tax information to handle subscriptions, invoices and refunds. We never receive or store your full card details. Paddle complies with GDPR.
- Upstash: Redis-based rate limiting and short-lived deduplication keys (IP- or account-scoped) used to protect the Service. These records are ephemeral and contain no message content.
- Sentry: Application error and performance data (used for our own monitoring) may include technical context such as stack traces and request metadata. Plan and quota errors are not forwarded.
- Brevo: Transactional emails (e.g., password resets, handoff notifications) are processed via Brevo's EU-based infrastructure.
- KIProtect (Klaro): Our cookie consent manager is loaded from KIProtect's CDN (Germany). Klaro does not collect or transmit any personal data – consent preferences are stored locally in your browser.
7. Data storage and security
- All data is stored in Supabase (PostgreSQL) with Row Level Security enabled.
- Integration access tokens are encrypted at rest.
- All connections use TLS encryption.
- Two-factor authentication (TOTP) is available for all accounts.
- API keys for the VS Code extension and MCP server are hashed before storage – we cannot see your raw key after creation.
- We do not store data longer than necessary – you can delete your data at any time.
8. Cookies and local storage
We use only essential cookies required for authentication. We do not use third-party tracking, advertising, or analytics cookies. We use Klaro as our consent management tool so you can review and manage your preferences at any time.
| Name | Purpose | Type | Storage | Duration |
|---|---|---|---|---|
sb-*-auth-token | Authentication session | Essential | Cookie | Session / 7 days |
flowrelay_consent | Stores your cookie preferences (Klaro) | Essential | localStorage | Until cleared |
flowrelay-theme | Stores your light/dark theme preference | Functional | localStorage | Until cleared |
No data stored in localStorage is transmitted to any server. These values remain entirely in your browser.
9. Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access your personal data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data – "right to be forgotten" (Art. 17).
- Restrict processing (Art. 18).
- Port your data to another service (Art. 20).
- Object to processing (Art. 21).
- Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise these rights, contact us at privacy@flowrelay.it. We will respond within 30 days.
10. Supervisory authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In Italy, this is the Garante per la protezione dei dati personali.
11. Data retention
We retain your data for as long as your account is active. When you delete your account, all associated data (events, handoffs, embeddings and integration tokens) is permanently deleted within 30 days.
12. Children's privacy
Flow Relay is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.
13. Changes to this policy
We will notify you of material changes via email or in-app notification at least 30 days before they take effect. Continued use of the service after that period constitutes acceptance of the updated policy.