Privacy Policy

Our commitment to protecting your privacy and personal data

2025/06/23

Last updated: June 23, 2025

Introduction

This Privacy Policy explains how FlowChart AI, a service operated by Chaowen Tan ("we," "our," or "us") collects, uses, and protects your personal information when you use our AI-powered flowchart generation services. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other international privacy regulations.

By using our services, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Personal Information You Provide

  • Account Information: Name, email address, username, and password
  • Profile Information: Optional profile details you choose to share
  • Payment Information: Billing address and payment method details (processed securely by our payment processor Creem)
  • Communication Data: Messages you send to us through contact forms or support channels
  • Content Data: Flowchart content, text prompts, and other content you input into our AI services
  • AI Conversation Data: Chat messages and interactions with our AI assistant

Information We Collect Automatically

  • Usage Data: Pages visited, features used, time spent on our service, and interaction patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Server logs, error reports, and system activity
  • Analytics Data: Aggregated usage statistics and performance metrics
  • Canvas Data: Flowchart elements, positions, and drawing interactions

Information from Third Parties

  • Payment Processors: Transaction status and payment verification data from Creem
  • AI Service Providers: Processing results and usage metrics (content not permanently stored)
  • Authentication Providers: Basic profile information if you sign in through Google or GitHub

We process your personal data based on the following legal grounds:

Contract Performance:

  • Account creation and management
  • AI flowchart generation and canvas services
  • Payment processing and billing through Creem
  • Customer support and service delivery
  • Security and fraud prevention

Legitimate Interests:

  • Service improvement and analytics
  • Security monitoring and threat detection
  • Marketing communications (with opt-out option)
  • Legal compliance and dispute resolution

Consent:

  • Optional analytics cookies
  • Marketing email subscriptions
  • Non-essential service features
  • AI conversation data processing for service improvement

Legal Obligation:

  • Tax and accounting records
  • Compliance with applicable laws
  • Response to legal requests

How We Use Your Information

Core Service Operations

  • Account Management: Creating and maintaining your user account
  • AI Services: Providing flowchart generation, AI chat assistance, and canvas functionality
  • Payment Processing: Handling subscriptions and billing through Creem (our Merchant of Record)
  • Customer Support: Responding to inquiries and resolving issues
  • Security: Protecting against fraud, abuse, and unauthorized access
  • Content Storage: Saving and managing your flowchart projects

Service Improvement

  • Analytics: Understanding usage patterns to improve our AI and canvas features
  • Performance Monitoring: Ensuring service reliability and optimization
  • Feature Development: Developing new AI capabilities based on user needs
  • Quality Assurance: Testing and maintaining service quality
  • AI Model Training: We do not use your AI conversation data for training purposes. All interactions are processed in real-time and are not stored or reused for model improvement.

Communications

  • Service Updates: Important notifications about your account or our services
  • AI Usage Limits: Notifications about usage quotas and billing
  • Marketing: Promotional emails about new features (with opt-out option)
  • Support: Responses to your inquiries and support requests

Third-Party Services

We work with trusted third-party service providers to deliver our services:

Payment Processing (Merchant of Record)

  • Provider: Creem (Armitage Labs OÜ)
  • Data Shared: Billing information, transaction details, customer contact information
  • Purpose: Secure payment processing, subscription management, tax compliance, refund processing
  • Data Location: Singapore, Estonia, and other regions as required by Creem
  • Protection: Industry-standard encryption and PCI compliance
  • Privacy Policy: https://creem.io/privacy
  • Role: Creem acts as our Merchant of Record and appears on customer billing statements

AI Services

  • Provider: OpenRouter (for AI models and processing)
  • Data Shared: User prompts, flowchart content, and conversation data for processing
  • Purpose: AI-powered flowchart generation and chat assistance
  • Data Retention: Typically not stored permanently by providers after processing
  • Data Location: Primarily United States
  • Protection: Secure API connections and data handling agreements

Hosting and Infrastructure

  • Provider: Vercel (for application hosting)
  • Data Shared: All service data as necessary for global operations
  • Purpose: Hosting, content delivery, and service performance
  • Data Location: Global edge network including United States, Europe, and Asia-Pacific
  • Protection: Enterprise-grade security and encryption

Email Services (Optional)

  • Provider: Resend
  • Data Shared: Email addresses and message content
  • Purpose: Transactional and marketing emails
  • Data Location: United States and other regions
  • Protection: Secure transmission and storage

Analytics

  • Provider: Self-hosted Plausible Analytics
  • Data Shared: Anonymized usage statistics
  • Purpose: Understanding service usage and performance
  • Data Location: Our controlled infrastructure
  • Protection: Privacy-focused analytics without personal tracking

File Storage

  • Current: Data stored within Vercel's infrastructure
  • Future: We may implement additional storage solutions (such as Cloudflare R2) for enhanced performance
  • Data Shared: Flowchart files, images, and project data
  • Purpose: Secure storage and backup of user content
  • Protection: Encrypted storage and secure access controls

Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: While your account is active plus 3 years after closure
  • Payment Records: 7 years after transaction completion (legal requirement, managed by Creem)
  • Flowchart Content: While your account is active, or until you delete specific projects
  • AI Conversation Data: 30 days for service improvement, then anonymized or deleted
  • Support Communications: 2 years after resolution
  • Analytics Data: Aggregated data retained indefinitely (anonymized)
  • Log Files: 90 days for security and troubleshooting purposes
  • Marketing Data: Until you unsubscribe or withdraw consent

International Data Transfers

As a global service deployed on Vercel's edge network, we may transfer your personal data to countries outside your residence, including:

  • United States: For AI processing, hosting infrastructure, and some service providers
  • Singapore & Estonia: For payment processing through Creem (our Merchant of Record)
  • European Union: For users in EU/EEA regions when possible
  • Other Regions: Through Vercel's global edge network for optimal performance

We ensure appropriate safeguards for international transfers through:

  • Adequacy Decisions: Transfers to countries with adequate protection levels
  • Standard Contractual Clauses: EU-approved contract terms with service providers
  • Certification Programs: Providers with recognized privacy certifications
  • Data Processing Agreements: Comprehensive agreements with all processors

Your Rights and Choices

Data Subject Rights (GDPR/CCPA)

You have the following rights regarding your personal data:

Right to Access: Request a copy of the personal data we hold about you Right to Rectification: Request correction of inaccurate personal data Right to Erasure: Request deletion of your personal data Right to Restrict Processing: Request limitation of data processing Right to Data Portability: Request your data in a portable format (including flowchart exports) Right to Object: Object to processing based on legitimate interests Right to Withdraw Consent: Withdraw consent for consent-based processing

How to Exercise Your Rights

  • Email: support@flowchartai.org
  • Account Settings: Many preferences can be managed in your account dashboard
  • Data Export: Export your flowcharts and project data directly from the application
  • Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)

California Residents (CCPA)

California residents have additional rights:

  • Right to Know: Categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt-out of the sale of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Note: We do not sell personal information to third parties.

Data Security

We implement comprehensive security measures to protect your personal data:

Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and monitoring through Vercel
  • Regular Updates: Security patches and system updates
  • Secure Development: Security-focused coding practices and reviews
  • API Security: Secure connections to all third-party AI services

Organizational Safeguards

  • Access Limitation: Strict need-to-know access policies
  • Incident Response: Procedures for handling security incidents
  • Vendor Management: Security requirements for third-party providers
  • Regular Audits: Security assessments of our infrastructure
  • Data Minimization: Collecting only necessary data for service provision

Data Breach Response

In the event of a data breach, we will:

  • Immediate Response: Contain and assess the breach within 24 hours
  • Authority Notification: Notify relevant authorities within 72 hours if required
  • User Notification: Inform affected users without undue delay
  • Remediation: Take steps to prevent future incidents

Children's Privacy

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13, we will delete it immediately.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@flowchartai.org.

Cookies and Tracking

We use cookies and similar technologies to enhance your experience. For detailed information about our cookie practices, please see our Cookie Policy.

Essential Cookies

  • Session management and authentication
  • Security and fraud prevention
  • Basic functionality and preferences
  • Canvas state and flowchart autosave
  • Analytics and performance monitoring
  • Feature enhancement and personalization
  • AI conversation context (for better assistance)

You can manage cookie preferences through your browser settings or our cookie consent banner.

Marketing Communications

Email Marketing

  • Opt-In: We only send marketing emails with your explicit consent
  • Opt-Out: Unsubscribe links in all marketing emails
  • Frequency: Reasonable frequency with option to adjust preferences
  • Content: Relevant updates about our AI features and flowchart tools

Communication Preferences

You can manage your communication preferences:

  • Account Settings: Update preferences in your user dashboard
  • Unsubscribe Links: Use links in emails to opt-out
  • Contact Us: Email support@flowchartai.org for assistance

Automated Decision Making

We may use automated systems for:

  • AI Content Generation: Automated flowchart creation based on your prompts
  • Usage Limit Enforcement: Automated tracking of AI usage quotas
  • Fraud Detection: Automated analysis of payment and usage patterns
  • Content Moderation: AI-powered content filtering for safety
  • Service Optimization: Automated performance and reliability improvements

You have the right to:

  • Request Human Review: Ask for human intervention in automated decisions
  • Explanation: Understand the logic behind automated decisions
  • Challenge: Contest automated decisions that significantly affect you

Payment Processing and Creem Integration

Creem as Merchant of Record

  • Legal Entity: Creem (Armitage Labs OÜ) acts as our Merchant of Record
  • Billing: Creem's name appears on customer credit card statements
  • Responsibilities: Creem handles payment processing, tax collection, refunds, and chargebacks
  • Data Processing: Payment data is processed according to Creem's privacy policy
  • Dispute Resolution: Payment disputes are handled according to Creem's terms

Data Sharing with Creem

We share the following data with Creem for payment processing:

  • Customer billing information and contact details
  • Subscription details and pricing information
  • Usage data for billing purposes
  • Support communication related to payments

Your Responsibilities When Making a Payment

To ensure secure and successful payment processing through Creem, you agree to:

  • Ensure the accuracy of your billing information at the time of purchase.
  • Maintain secure access to your payment credentials and prevent unauthorized use.
  • Promptly notify us or Creem of any suspected fraudulent activity or billing issues.
  • Acknowledge that all disputes related to payments, subscriptions, or refunds are managed by Creem, our Merchant of Record.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

  • Notification: We will notify you via email or prominent notice on our website
  • Effective Date: Changes take effect 30 days after notification
  • Continued Use: Your continued use constitutes acceptance of the updated policy
  • Version History: Previous versions available upon request

Contact Information

Privacy Inquiries

For privacy-related inquiries, contact us at:

  • Email: support@flowchartai.org
  • Response Time: Within 5 business days for general inquiries
  • Data Requests: Within 30 days for formal data subject requests

General Contact

Regulatory Complaints

If you believe we have not addressed your privacy concerns adequately, you may file a complaint with:

  • EU/EEA: Your local data protection authority
  • UK: Information Commissioner's Office (ICO)
  • California: California Attorney General's Office
  • China: Relevant privacy regulatory authority in your jurisdiction

Definitions

Personal Data: Any information relating to an identified or identifiable natural person. Processing: Any operation performed on personal data, including collection, use, storage, and deletion. Data Controller: The entity that determines the purposes and means of processing personal data. Data Processor: The entity that processes personal data on behalf of the data controller. Consent: Freely given, specific, informed, and unambiguous indication of agreement to data processing. Merchant of Record: A legal entity responsible for selling goods or services, handling payments, taxes, and compliance.

Contact Us

If you have any questions about this Privacy Policy, please contact us.