Privacy Policy

1. Human-Friendly Summary

FlowDesk is a web-based productivity platform for software engineers. To run the app, we process account details, engineering-workflow data (for example tasks, focus sessions, notes, standups, and calendar events), and technical metadata needed for security and reliability.

We do not sell your personal information. We also do not use your personal data for third-party advertising profiling. You control optional integrations (such as GitHub or GitLab), and you can request access, correction, export, or deletion of your data at any time.

2. Scope and Data Controller

This Privacy Policy explains how Veldon Technologies ("Veldon", "FlowDesk", "we", "us", "our") collects, uses, discloses, and safeguards personal information when you use FlowDesk websites, web applications, APIs, plugins, support channels, and related services (collectively, the "Services").

For purposes of data protection laws, Veldon Technologies is the data controller for personal information processed through the Services, except where we process data solely on documented instructions from a business customer under a separate agreement.

3. Information We Collect

3.1 Information you provide directly

• Account and profile data: name, email address, username, timezone, and account preferences.
• Authentication data: sign-in credentials and verification artifacts (for example magic-link verification events and password reset records).
• Workspace content: tasks, notes, snippets, standup drafts, goals, calendar items, comments, tags, and productivity settings.
• Communications: messages you send to support, feedback, and legal/privacy requests.

3.2 Information from connected integrations

• If you connect code-hosting integrations (for example GitHub or GitLab), we may process repository metadata, pull request links/status, review state, and related synchronization data required to deliver FlowDesk features.
• Integration tokens and credentials are processed with technical safeguards and are intended to be scoped to the minimum permissions needed for the selected feature.

3.3 Information from plugins and custom widgets

• If you install or run plugins, we process plugin identifiers, permission scopes, local configuration, and plugin activity needed to execute requested actions.
• Some plugins may be created by third parties. In those cases, the plugin provider may independently process data according to its own privacy practices.

3.4 Information collected automatically

• Device and usage data: IP address, browser type, OS, app version, language settings, timestamps, referring URLs, and high-level interaction diagnostics.
• Security and performance logs: authentication events, API errors, abuse-prevention events, and service health telemetry.
• Session and preference cookies required to keep you signed in and preserve settings.

3.5 Sensitive data

FlowDesk is not intended for storing highly sensitive categories of personal data (for example medical, biometric, or government-issued identifiers) unless explicitly required and supported by written agreement. Please avoid submitting such data in free-form fields.

4. How We Use Information

We use personal information to:

• Provide, maintain, and improve the Services.
• Authenticate users, secure accounts, and prevent fraud or abuse.
• Synchronize tasks, focus sessions, standups, calendars, and integrations.
• Operate core product features, including dashboards, rankings, and reminders.
• Respond to support requests and communicate service or policy updates.
• Comply with legal obligations and enforce our terms.
• Conduct internal analytics for reliability and product quality (not for selling user profiles to advertisers).

5. GDPR Legal Bases for Processing

If you are in the EEA, UK, or Switzerland, we process personal data under one or more of the following legal bases:

Where we rely on legitimate interests, we apply balancing tests and safeguards to ensure processing is proportionate and does not override your fundamental rights.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (such as local storage and session storage) to operate and secure FlowDesk.

6.1 Types of technologies used

• Strictly necessary cookies: session continuity, authentication, routing, and account security.
• Functional storage: UI state, dashboard preferences, and language/timezone settings.
• Performance diagnostics: limited telemetry for reliability and issue detection.

6.2 No cross-context advertising sale/share

FlowDesk does not use third-party advertising cookies to build cross-context behavioral profiles, and we do not sell personal information.

6.3 Managing cookies

You can control cookies through browser settings. Blocking essential cookies may reduce functionality (for example login/session continuity).

7. How We Share Information

We disclose personal information only as necessary in the following contexts:

• Service providers and subprocessors who help us deliver infrastructure, hosting, authentication, and customer support.
• Integration partners, only when you explicitly connect accounts and enable sync.
• Professional advisors (for example legal, audit, or compliance counsel) under confidentiality obligations.
• Corporate transactions, such as merger, acquisition, financing, or asset sale, where data transfer is legally permitted and protected.
• Legal and safety disclosures, where required to comply with law, valid legal process, or to protect rights, security, and platform integrity.

8. Third-Party Services and Integrations

Depending on enabled features and deployment choices, FlowDesk may rely on third-party categories such as:

• Cloud platform and data infrastructure providers (for example managed database, authentication, storage, and hosting services).
• Source-control providers that you choose to connect (for example GitHub or GitLab).
• Browser-native APIs (for example notifications) when you grant permission.
• Plugin ecosystems and custom widgets selected by you or your workspace admin.

Third-party services operate under their own terms and privacy policies. We evaluate vendors for security and data protection, and we seek contractual safeguards where required by law.

9. International Data Transfers

FlowDesk may process data in countries other than your own. Where required, we apply lawful transfer mechanisms such as Standard Contractual Clauses (SCCs), UK transfer addenda, adequacy decisions, or equivalent safeguards.

You may request additional information about cross-border safeguards by contacting us.

10. Data Retention

We retain personal information only for as long as needed for the purposes described in this policy, unless a longer period is required by law.

• Account profile data: retained while your account is active.
• Workspace content (tasks, notes, standups, focus logs, calendars): retained until you delete it or close the account, subject to backup windows.
• Security and audit logs: retained for a limited period necessary for abuse prevention, incident response, and legal compliance.
• Support interactions: retained as needed to resolve issues and document legal obligations.

Upon account deletion request, we delete or anonymize personal information within a commercially reasonable period, except where retention is legally required.

11. Data Security

We implement layered technical and organizational safeguards designed to protect personal information, including:

• Encryption in transit via HTTPS/TLS.
• Access controls and least-privilege permission models.
• Row-level data access patterns and tenant isolation controls.
• Credential management controls for integration tokens.
• Monitoring, logging, and incident response procedures.

No system is 100% secure. If a data incident occurs, we will investigate promptly and provide legally required notifications.

12. Your Rights and Choices

12.1 Global rights

• Access and obtain a copy of your personal information.
• Correct inaccurate or incomplete personal information.
• Request deletion of personal information, subject to legal exceptions.
• Request portability of certain data in a usable format.
• Manage integrations, notification permissions, and cookie settings.

12.2 EEA/UK/Switzerland rights

• Object to processing based on legitimate interests.
• Request restriction of processing in specific situations.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local supervisory authority.

12.3 California privacy rights (CCPA/CPRA)

• Right to know categories and specific pieces of personal information collected.
• Right to delete personal information, with statutory exceptions.
• Right to correct inaccurate personal information.
• Right to data portability.
• Right to opt out of sale/share (FlowDesk currently does not sell/share).
• Right to limit use/disclosure of sensitive personal information, where applicable.
• Right to non-discrimination for exercising privacy rights.

You may submit requests directly or through an authorized agent (where legally permitted). We will verify requests before processing.

Where required by law, we respond to verified privacy requests within applicable timelines (for example, typically within 30 days for many GDPR requests and within 45 days for many CCPA/CPRA requests, subject to lawful extensions).

13. Do Not Sell or Share My Personal Information

FlowDesk does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under California law.

13.1 California category-level notice (preceding 12 months)

For transparency, we generally collect the following categories of personal information to operate the Services: identifiers and account information, commercial and workspace records (for example tasks and productivity logs), internet/network activity data, device and diagnostics data, and customer support communications.

We disclose these categories to service providers and subprocessors for business purposes such as hosting, authentication, security monitoring, support operations, and product reliability.

13.2 Future changes and opt-out commitment

If this position changes in the future, we will update this policy and provide a clear, legally compliant opt-out mechanism titled "Do Not Sell or Share My Personal Information" before such processing begins.

We honor applicable browser-based opt-out preference signals, including Global Privacy Control (GPC), where legally required.

14. Children's Privacy

FlowDesk is designed for professional and adult users and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we learn that such data has been provided, we will take steps to delete it.

15. Policy Updates

We may update this Privacy Policy from time to time to reflect product changes, legal requirements, or improvements in privacy practices. Material changes will be communicated through the Services or by other appropriate means.

The "Last Updated" date at the top of this page indicates when the latest revision became effective.

16. Contact Information

For privacy requests, data subject rights, or questions about this policy, contact:

• Veldon Technologies, Privacy Team
• Email: veldontech@gmail.com

You can also submit privacy requests from in-app settings in the Privacy & Data section when available.

17. UI and UX Layout Recommendations

This page is designed to be legally complete and easy to scan quickly. For production usage, keep these presentation standards:

• Keep the sticky table of contents on desktop and convert it to a compact jump menu on mobile.
• Keep paragraphs short, section numbers visible, and headings explicit to reduce cognitive load.
• Use high-contrast callout cards for critical notices such as "No Sale/Share" and rights request instructions.
• Preserve deep-link anchors for every section so legal/support teams can cite specific clauses.
• Keep legal updates discoverable by showing the last updated date above the fold.