Privacy Policy

Last updated: April 28, 2026

FlowShot does not sell your personal data. This policy explains what we collect, why we collect it, and how you can control it.

1. Who we are

FlowShot (“FlowShot”, “we”, “us”) is a project-management platform for photo and video production teams. Our service is available at flowshot.space and related subdomains. For privacy inquiries, contact us at privacy@flowshot.app.

2. What we collect

We collect the following categories of data:

  • Account information — your name, email address, and password (stored as a salted hash via Firebase Authentication).
  • Organisation data — your studio or company name, team member profiles, roles, and settings you configure inside FlowShot.
  • Project data — project details, client information, notes, statuses, and any custom fields you create.
  • Files and media — videos, photos, and documents you upload for review or gallery delivery. These are stored on our CDN provider.
  • Usage data — pages visited, features used, and actions taken inside the application (e.g., which modules you open, button clicks that indicate feature usage).
  • Device information — browser type, operating system, screen resolution, and device identifiers.
  • Log data — IP address, request timestamps, HTTP method, and response codes collected automatically by our infrastructure.

We do not collect payment card numbers directly — all payment processing is handled by Stripe (see Section 4).

3. How we use your data

We use collected data to:

  • Provide, operate, and improve the FlowShot service.
  • Authenticate your account and enforce access controls.
  • Send transactional emails (account verification, password reset, notifications) via Resend.
  • Process subscription payments via Stripe.
  • Detect and fix bugs via Sentry error monitoring.
  • Translate review comments (DeepL) when you request translation.
  • Send optional Telegram notifications if you connect your Telegram account.
  • Generate e-signed contracts via DocuSeal when you use the Contracts module.

We do not use your data for advertising or sell it to third parties.

4. Third-party services

FlowShot relies on the following sub-processors:

  • Google Firebase — authentication, Firestore database, and file storage. Data is stored on Google Cloud Platform infrastructure.
  • Stripe — subscription billing and payment processing. Stripe handles all payment card data under their own PCI-DSS compliance.
  • Video CDN — CDN and video streaming for uploaded media.
  • Sentry — application error monitoring. Error events may include stack traces and anonymised request context.
  • Resend — transactional email delivery.
  • DeepL — machine translation of chat messages, video review comments, photo review comments, and team-board posts (opt-in per message).
  • Voice note transcription (historical; feature removed from product as of 2026-04-24).
  • Telegram (optional) — push notifications if you configure a Telegram bot integration. No data is sent unless you enable this feature.
  • DocuSeal — e-signature infrastructure for the Contracts module.

Each sub-processor is bound by a data-processing agreement and we select only providers that maintain appropriate security certifications.

5. Data storage and security

All FlowShot data is stored on Google Cloud Platform infrastructure. Data in transit is protected by TLS 1.2+. Data at rest is encrypted using AES-256 (managed by Google Cloud). Media files uploaded to Bunny.net are served over HTTPS and access is controlled by signed URLs.

We maintain logical data isolation between organisations — one organisation cannot access another organisation's data by design.

6. Data retention

  • Active accounts — data is retained for as long as your account exists.
  • After account deletion — active data is purged within 30 days.
  • Backup copies — may persist in encrypted backups for up to 90 days before being overwritten.
  • Stripe billing records — retained as required by financial regulations (typically 7 years), but are Stripe's responsibility under their own policy.

7. Cookies

FlowShot uses only essential cookies required for the service to function — session authentication (Firebase) and Firestore offline persistence. We do not use advertising or tracking cookies. For the full list, see our Cookie Policy.

8. Your rights under GDPR (EEA residents)

If you are in the European Economic Area, you have the following rights under the General Data Protection Regulation:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your data (subject to legal retention requirements).
  • Right to restriction — ask us to stop processing your data in certain circumstances.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interests.

To exercise any of these rights, email privacy@flowshot.app. We will respond within 30 days.

9. Your rights under CCPA (California residents)

California residents have the right to know what personal information we collect, to request deletion of that information, and to opt out of its sale. FlowShot does not sell personal information. To submit a request, contact privacy@flowshot.app.

10. Children's privacy

FlowShot is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@flowshot.app and we will delete it promptly.

11. Operational logging for abuse prevention

We log technical metadata associated with content delivery requests — IP-derived identifiers, timestamps, video and portal IDs, and view counts — to detect and prevent abuse. This data is retained for up to 30 days in operational logs and is not used for marketing or shared with third parties beyond our infrastructure providers (Firebase, Bunny.net).

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the account owner at least 14 days before they take effect. The date at the top of this page reflects the most recent revision.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at privacy@flowshot.app.