Privacy Policy

Privacy Policy

Last Updated: November 12, 2025

Introduction

Welcome to Flowroom ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about how we collect, use, and share your information. This Privacy Policy explains how we handle your data when you use our Pomodoro timer and virtual coworking application.

By using Flowroom, you agree to the collection and use of information in accordance with this Privacy Policy.

Information We Collect

1. Information You Provide

Account Information (Authenticated Users)

When you sign up for Flowroom using Google OAuth, we collect:

  • Email address (from your Google account)
  • Name (from your Google account profile)
  • Google user ID (to link your account)

We do not store or have access to your Google password.

Generated Profile Information

Upon account creation, we automatically generate:

  • A unique username (e.g., "Calm Panda 42")
  • An avatar URL (generated using the DiceBear API based on your username)

2. Information Automatically Collected

Usage and Session Data

When you use Flowroom, we collect:

  • Pomodoro session data (start time, duration, completion status)
  • Room participation data (which room you joined, when you joined/left)
  • Timer state information (idle, working, break)
  • Gamification statistics (total Pomodoros completed, daily streaks, longest streak)
  • Last session timestamp
  • Account creation and update timestamps

Real-Time Presence Data

While you're in a room, we temporarily store:

  • Your current timer phase (idle/work/break)
  • When your timer started
  • Your session duration
  • When you joined/left the room

This data is deleted when you leave the room or close your session.

Guest Mode Data

If you use Flowroom as a guest (without signing in):

  • Your guest identity (username and avatar) is stored only in your browser's localStorage
  • No guest data is stored on our servers
  • Guest data is lost if you clear your browser cache or use a different device

Technical and Usage Analytics

We collect:

  • Page views and navigation patterns
  • Feature usage events (timer started/completed, music played, room joined/left)
  • Browser type and version
  • Device type (desktop, tablet, mobile)
  • Operating system
  • IP address (for analytics and security purposes)
  • Session duration and frequency

3. Cookies and Similar Technologies

We use cookies and similar tracking technologies to:

  • Maintain your authentication session
  • Store user preferences
  • Track analytics and usage patterns
  • Improve application performance

You can control cookies through your browser settings, but disabling cookies may limit some functionality.

How We Use Your Information

We use your information for the following purposes:

Service Delivery

  • Authenticate your account and maintain your session
  • Track your Pomodoro sessions and calculate statistics
  • Enable real-time presence in virtual rooms
  • Provide personalized features (streak tracking, statistics)
  • Match you with other users in public rooms

Product Improvement

  • Analyze how users interact with Flowroom
  • Identify and fix bugs and performance issues
  • Understand feature usage and user preferences
  • Develop new features and improvements

Communication

  • Send important service updates and announcements
  • Respond to your support requests
  • Notify you about your account or subscription status

Security and Compliance

  • Detect and prevent fraud, abuse, or unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect our rights and the rights of other users

Premium Features (Future)

  • Process subscription payments
  • Manage premium tier access
  • Provide premium-only features (private rooms, custom timers, exclusive content)

How We Share Your Information

Information Visible to Other Users

When you're in a room, other participants can see:

  • Your username
  • Your avatar
  • Your current timer state (idle, working, break)

We do not share your email address, full name, or other personal information with other users.

Third-Party Service Providers

We use the following third-party services to operate Flowroom:

Supabase (Database, Authentication, and Realtime)

  • Purpose: User authentication (Google OAuth), database hosting, real-time presence updates
  • Data Shared: All user data, session data, room data, authentication tokens
  • Privacy Policy: https://supabase.com/privacy
  • Location: Data stored in US region

PostHog (Product Analytics)

  • Purpose: Usage analytics, event tracking, user behavior analysis
  • Data Shared: User ID, email, usage events, page views, session data, IP address
  • Privacy Policy: https://posthog.com/privacy
  • Location: US or EU region (configurable)
  • Data Retention: Event data retained according to our PostHog plan

Sentry (Error Tracking and Performance Monitoring)

  • Purpose: Error logging, performance monitoring, debugging
  • Data Shared: Error stack traces, performance metrics, request/response data (with sensitive headers removed)
  • Privacy Policy: https://sentry.io/privacy/
  • Data Filtering: Authorization headers and cookies are automatically removed
  • Sampling: 10% of transactions are sampled for performance monitoring

DiceBear API (Avatar Generation)

  • Purpose: Generate unique user avatars
  • Data Shared: Username (used as seed for avatar generation)
  • Service: https://dicebear.com/
  • Note: Avatars are generated client-side; no persistent data storage

Cloudflare R2 (Content Delivery)

  • Purpose: Host and deliver ambient scenes and music tracks
  • Data Shared: No personal data; only file download requests
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/

Payment Processors (Future)

RevenueCat (Subscription Management)

  • Purpose: Manage cross-platform subscriptions (iOS, Android, Web)
  • Data Shared: User ID, subscription status, entitlements
  • Privacy Policy: https://www.revenuecat.com/privacy

Stripe (Web Payment Processing)

  • Purpose: Process web subscription payments via RevenueCat
  • Data Shared: Email, payment information (handled by Stripe, not stored by us)
  • Privacy Policy: https://stripe.com/privacy

Apple / Google (Mobile Payment Processing)

  • Purpose: Process iOS and Android in-app purchases
  • Data Shared: Handled entirely by Apple/Google App Stores
  • Privacy Policies:
    • Apple: https://www.apple.com/legal/privacy/
    • Google: https://policies.google.com/privacy

Note: Payment details (credit card numbers, etc.) are never stored by Flowroom. They are processed securely by Stripe (web) or Apple/Google (mobile).

Legal Requirements

We may disclose your information if required by law, including:

  • In response to valid legal requests (subpoenas, court orders)
  • To protect our rights, property, or safety
  • To investigate fraud, security issues, or violations of our Terms of Service
  • In connection with a business transfer (merger, acquisition, bankruptcy)

No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

Use of Google User Data

Google OAuth Authentication

Flowroom uses Google OAuth for sign-in, which allows you to authenticate using your Google account without creating a separate password. When you sign in with Google:

  1. You are redirected to Google's authentication page
  2. You grant Flowroom permission to access basic profile information
  3. We receive your email address and name from Google
  4. Google provides an authentication token to maintain your session

Scopes and Permissions

We only request the minimum scopes necessary for authentication:

  • openid: To verify your identity
  • email: To identify your account
  • profile: To get your name for the initial account setup

We do not request access to:

  • Your Gmail
  • Your Google Drive
  • Your Google Calendar
  • Any other Google services

Compliance with Google's User Data Policy

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use your Google account data for authentication and account identification
  • We do not transfer Google user data to third parties (except as required for service operation with our service providers listed above)
  • We do not use Google user data for advertising purposes
  • We do not allow humans to read your Google user data, except with your explicit consent for support purposes or as required by law

Data Retention

Active Accounts

We retain your account data and session history indefinitely while your account remains active.

Account Deletion

If you request account deletion:

  • Your account information will be permanently deleted within 30 days
  • Your session data will be anonymized (user ID removed) for statistical purposes
  • Your presence in rooms will be immediately removed

Guest Sessions

Guest data stored in your browser's localStorage persists until you clear your browser data or use a different device. We do not retain any server-side data for guest sessions.

Analytics Data

Analytics data is retained according to our third-party providers' retention policies (PostHog, Sentry).

Your Privacy Rights

Depending on your location, you may have the following rights:

Access and Portability

  • Request a copy of your personal data
  • Export your session history and statistics

Correction

  • Update your email address through your Google account
  • Note: Usernames and avatars are auto-generated and cannot be changed (profile customization coming in future updates)

Deletion

  • Request deletion of your account and associated data
  • Note: This cannot be undone

Opt-Out

  • Disable analytics cookies through your browser settings
  • Use guest mode to avoid creating an account

Data Restrictions

  • Request restrictions on how we process your data
  • Object to certain data processing activities

Withdraw Consent

  • Revoke Flowroom's access to your Google account through Google's security settings
  • Disconnect your account and delete your data

To exercise any of these rights, contact us at privacy@flowroom.app (or use the contact information below).

European Users (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with a supervisory authority.

California Users (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt-out of the sale of personal information. We do not sell personal information.

Children's Privacy

Flowroom is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us immediately, and we will take steps to delete that information.

International Data Transfers

Flowroom operates globally and your data may be transferred to and processed in countries other than your country of residence, including the United States.

These countries may have different data protection laws than your jurisdiction. By using Flowroom, you consent to the transfer of your information to the United States and other countries where our service providers operate.

We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy and applicable laws.

Security

We implement industry-standard security measures to protect your personal information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
  • Encryption at Rest: Database encryption is managed by Supabase
  • Authentication Security: JWT-based authentication with secure token validation
  • Access Controls: Restricted access to personal data on a need-to-know basis
  • Regular Monitoring: Error tracking and security monitoring via Sentry
  • Secure Infrastructure: Hosted on Fly.io and Supabase with enterprise-grade security

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services

When we make changes:

  • We will update the "Last Updated" date at the top of this policy
  • For material changes, we will notify you by email or through a prominent notice in the application
  • Your continued use of Flowroom after changes become effective constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@flowroom.app Website: https://flowroom.app

For Google OAuth-related privacy questions, you can also review:

Additional Resources

  • Terms of Service: [Link to Terms of Service]
  • Google OAuth Consent Screen: When you sign in, review the permissions we request
  • Manage Your Google Account Permissions: https://myaccount.google.com/permissions

This Privacy Policy is effective as of the "Last Updated" date above and applies to all users of Flowroom.