Flow Studio Privacy Policy
Last updated: 2026-04-13
Owner: Flow Studio Solutions
1. Who we are
Flow Studio products are operated by Flow Studio Solutions, based in Sydney, New South Wales, Australia.
This policy covers the public Flow Studio website, Flow Studio App, Flow Studio for Teams / Governance, and Flow Studio MCP.
For privacy questions, contact support@flowstudio.app.
2. Data we collect
2.1 Account data
When you sign in via Microsoft Entra ID, we may receive:
- Display name and email address
- Microsoft Entra object ID
- Tenant ID
- Account and workspace identifiers
This data is used to identify your account, resolve your workspace, manage access, and support the service.
2.2 Subscription and payment data
Payment processing is handled by Stripe. Flow Studio does not receive or store your credit card number, CVV, or bank details.
Flow Studio may receive from Stripe:
- Stripe customer ID
- Subscription status and plan tier
- Billing email
- Subscription dates and entitlement status
2.3 Power Platform data
Depending on the product and features you use, Flow Studio may access Power Platform data through Microsoft delegated permissions granted by you or your administrator.
Examples include:
- Power Platform environment inventory
- Power Automate flow metadata
- Power Automate run metadata
- Connection and connector inventory
- Maker and owner metadata
- Governance fields such as tags, business impact, monitoring state, support group, or compliance scoring
Flow Studio does not receive Microsoft passwords and does not store connector secrets.
2.4 MCP usage data
Flow Studio MCP logs tool-call metadata for usage metering, security review, diagnostics, and support:
- Timestamp and tool name
- User ID, tenant ID, and workspace
- Status, duration, and error message
Flow Studio MCP is not intended to store full flow definitions, connector secrets, or run payload bodies as routine product data. Runtime payloads may be fetched transiently only when a user or agent explicitly asks to inspect run details for debugging.
2.5 Analytics
We use analytics on public pages to understand site traffic and improve the product. We do not intentionally send personal data in analytics events.
Analytics are not used in the MCP JSON-RPC agent request path.
3. How we use data
We use data to:
- Provide the service
- Authenticate users and resolve workspace access
- Call Microsoft Power Platform APIs on your behalf
- Meter usage and enforce plan limits
- Manage subscriptions and billing
- Diagnose issues you report
- Improve product reliability and user experience
- Send service, product, or support communications
We do not sell customer data.
4. Third-party services
| Service | Purpose | Data involved |
|---|---|---|
| Microsoft Entra ID | Authentication and delegated OAuth consent | Identity claims and OAuth tokens |
| Microsoft Power Platform APIs | Product data source and action target | Flow, app, environment, run, connector, and maker data |
| Microsoft Azure | Hosting, functions, storage, monitoring | Service data, operational logs, stored metadata |
| Stripe | Subscription billing | Billing email, customer/subscription IDs, payment status |
| Google Analytics 4 | Public site analytics | Page views and basic site events |
| HubSpot or email platform, if used | Product/support communications | Name and email for opted-in communications |
5. Cookies and browser storage
Flow Studio products may use cookies and browser storage for authentication, app preferences, and analytics.
| Storage | Purpose | Notes |
|---|---|---|
| Authentication cookies | Keep users signed in where Azure Static Web Apps auth is used | Session/auth lifecycle controlled by platform settings |
| MSAL browser cache | Microsoft Entra sign-in state for Flow Studio App | Stored in the browser for the app domain |
| Local storage / IndexedDB / OPFS | App preferences, cache, recent selections, local filtering | Used for performance and user experience |
| Google Analytics cookies | Public site analytics | Non-essential analytics cookies can be blocked in browser settings |
6. Data retention
| Data | Retention position |
|---|---|
| Account data | Retained while the account/workspace is active |
| Subscription records | Retained as needed for billing, audit, and legal obligations |
| Usage logs | Retained while the account is active and deleted on request where applicable |
| Cached Teams / Governance data | Retained while the workspace is active or until deletion is requested |
| Browser cache | Controlled by the user’s browser and app cache settings |
To request deletion of account data, email support@flowstudio.app.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Request access to your personal data
- Correct inaccurate data
- Request deletion of data
- Receive data in a structured format
- Revoke Microsoft consent
- Object to or restrict certain processing
To exercise these rights, contact support@flowstudio.app. We aim to respond within 30 days.
8. Lawful basis for processing
Where applicable, we process personal data on these bases:
- Contract: processing needed to provide the service
- Legitimate interest: operational monitoring, security, support, product improvement, and fraud prevention
- Consent: optional analytics or marketing communications where consent is required
9. Complaints
If you believe your personal information has been mishandled, contact support@flowstudio.app.
You may also lodge a complaint with the Office of the Australian Information Commissioner. If you are in the UK or EU, you may contact your local data protection authority.
10. Changes to this policy
We may update this privacy policy from time to time. The “Last updated” date reflects the most recent revision.