Legal

Privacy Policy

Flowtera AI Limited Effective: 1 April 2026 Version 1.0

1 About This Policy

Flowtera AI Limited ("Flowtera", "we", "us", "our"), incorporated in Northern Ireland (Company No. NI737880) and registered at Ebrington Square, Derry, Northern Ireland, operates the Flowtera platform — an AI governance and productivity SaaS solution comprising a web dashboard, browser extension, and associated services.

This Privacy Policy explains how we collect, use, store, and share personal data when you or your organisation uses the Flowtera platform. It applies to:

  • Employees and users of organisations ("Clients") that have subscribed to Flowtera
  • Administrators and account holders managing a Flowtera tenant
  • Visitors to our website and marketing pages
Flowtera operates primarily in a business-to-business (B2B) context. In most cases, your employer is the data controller for data collected about your workplace activity, and Flowtera acts as a data processor on their behalf. This policy should be read alongside your organisation's own AI acceptable use and monitoring policies.

2 Data We Collect

2.1 Browser Extension Activity Data

When the Flowtera browser extension is active and you are logged in, the extension collects:

  • The domain name of the active browser tab (e.g. chat.openai.com) to identify AI tool usage
  • Timestamps of when AI tool sessions begin and end
  • Duration of active and idle time within AI platforms
  • Prompt shortcuts accessed via the right-click context menu
The extension does not read, capture, or transmit the content of your prompts, AI responses, or any data you enter into AI platforms. It records only that you were active on a given platform during a given time period.

2.2 Account and Authentication Data

  • Your name and work email address
  • Your organisation tenant identifier
  • Encrypted authentication credentials (passwords are hashed and never stored in plain text)
  • Session tokens stored locally in your browser via the chrome.storage API

2.3 Platform Usage Data

  • Log data including IP addresses, browser type, and access timestamps
  • Feature usage patterns to improve the platform
  • Prompts saved or accessed through the approved prompt library

2.4 Aggregated Intelligence Data (Continuous Intelligence Layer)

Flowtera operates a Continuous Intelligence Layer (CIL) — a cross-client intelligence system that aggregates fully anonymised, non-identifiable metadata about AI usage patterns across our client base. This includes:

  • Anonymised frequency and category of prompt types used across sectors
  • Aggregate risk signal patterns used to improve compliance detection
  • Sector-level benchmarks for AI productivity and governance

No personal data, identifiable information, or organisation-specific data is included in the CIL. Aggregated data cannot be reverse-engineered to identify individuals or organisations.

3 How We Use Your Data

  • Delivering the Flowtera service, including activity tracking, dashboard reporting, and prompt library access
  • Authenticating your identity and maintaining your session
  • Enabling your organisation to monitor and govern AI tool usage in accordance with its internal policies
  • Generating anonymised aggregate insights for the Continuous Intelligence Layer
  • Improving the accuracy of compliance risk detection and prompt recommendations
  • Responding to support requests and managing your account
  • Meeting our legal and regulatory obligations

4 Legal Basis for Processing

We process personal data under the following lawful bases under UK GDPR:

  • Contract performance — processing necessary to deliver the Flowtera service to your organisation
  • Legitimate interests — aggregate platform improvement, security monitoring, and fraud prevention
  • Legal obligation — compliance with applicable law, including data protection, employment, and regulatory requirements
  • Consent — where we rely on consent, we will make this clear at the point of collection and you may withdraw it at any time

Where Flowtera processes data on behalf of your employer, your employer is the data controller and Flowtera is the processor. Employer monitoring of workplace AI usage in the UK is governed in part by the Investigatory Powers Act 2016 and associated employment law frameworks.

5 Data Sharing and Disclosure

Your data stays within your organisation's Flowtera tenant. We do not sell, rent, or share your personal data with third parties for marketing purposes. Data may be shared only in the following circumstances:

  • With your organisation's administrators, who have access to activity reports and dashboards for their tenant
  • With sub-processors who assist in operating the platform, subject to appropriate data processing agreements
  • With legal or regulatory authorities where required by law or court order
  • In connection with a business transfer or acquisition, where data will remain subject to equivalent protections

A list of our current sub-processors is available on request.

6 International Data Transfers

Flowtera is incorporated and primarily operates in the United Kingdom. Where personal data is transferred to or processed in countries outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR, including Standard Contractual Clauses or adequacy decisions where applicable.

7 Data Retention

  • Activity data and session logs — retained for the duration of your organisation's contract plus 12 months
  • Account data — retained for the duration of the account plus 30 days following termination
  • Anonymised aggregate data (CIL) — retained indefinitely as it contains no personal data
  • Legal and compliance records — retained for the period required by applicable law

Your organisation may configure shorter retention periods within the Flowtera dashboard.

8 Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your data in certain circumstances
  • Restriction — request that we limit how we use your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests

Because Flowtera primarily acts as a data processor on behalf of your employer, many of these rights should be exercised through your employer in the first instance. To exercise your rights directly with us, contact: privacy@flowtera.ai

9 Security

  • Encryption of data in transit (TLS) and at rest
  • Access controls and multi-factor authentication requirements
  • Regular security assessments
  • Tenant isolation ensuring one organisation cannot access another's data

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay.

10 Cookies & Tracking

The Flowtera browser extension uses chrome.storage to store your session token and login details locally within the browser. This is not a cookie and does not track your activity outside of AI platforms your organisation has configured for monitoring.

Our website may use essential cookies for session management and analytics cookies to understand how visitors interact with our site. You will be asked for consent for non-essential cookies when you visit our website.

11 Children

The Flowtera platform is intended for use by adults in a professional workplace context. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us at privacy@flowtera.ai.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to the platform, applicable law, or our practices. We will notify your organisation's administrator of material changes with reasonable notice. The current version will always be available at flowtera.ai/privacy.

13 Contact & Complaints

For any questions about this Privacy Policy or how we handle your data:

Flowtera AI Limited

Ebrington Square, Derry, Northern Ireland

Email: privacy@flowtera.ai

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.