Privacy Policy
Last updated: 9 April 2026
This Privacy Policy explains how Strategic Minds Group Limited, trading as Flowback ("we", "us", "our"), collects, uses, and protects your information when you use the Flowback web application ("the App") and the website at https://www.flowback.co ("the Website"), together referred to as "the Service".
We are registered in England and Wales. Our registered office is at 57 Nine Elms Lane, London, SW11 7DF. For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, we are the data controller for the personal data described in this policy, except where we act as a processor on behalf of a business customer (see section 3).
1. About Flowback
Flowback is a cloud-based software-as-a-service platform that helps product teams turn customer feedback — text notes, conversations, screenshots, PDFs, and other attachments — into structured product requirements and Linear issues using artificial intelligence. The Service is a cloud application delivered entirely over the web; all processing happens on our servers and those of our subprocessors.
2. Data Controller and Processor Roles
We act as the data controller for personal data relating to account holders, workspace members, and visitors to our Website — including name, email address, authentication identifiers, billing details, and website usage data.
Where a business customer uses Flowback to collect and manage feedback from their own end users (for example, people submitting feedback through a portal the customer has set up), we act as a data processor on that customer's behalf, and the business customer is the controller of their end users' personal data. A Data Processing Addendum (DPA) is available on request by emailing hello@flowback.co.
3. Information We Collect
3.1 Account and workspace data
When you create a Flowback account or join a workspace, we collect your name, email address, password (stored as a secure hash by our authentication provider), authentication identifiers from any OAuth providers you use to sign in, and your role within your workspace. We also store workspace-level configuration such as workspace name, prioritisation rules, and settings you choose.
3.2 Feedback submissions and attachments
The core function of Flowback is to process feedback content that you or your end users submit. This includes the text of feedback messages, reporter names and email addresses (where provided), and any files attached to a submission (including images, PDFs, and text files). Attachments are stored in our file storage bucket and referenced by the submission record.
3.3 Integration data
If you connect Linear, Slack, or GitHub to your workspace, we receive and store the OAuth access tokens necessary to make authorised calls to those services, together with the metadata returned by those services (for example, workspace or channel identifiers, team members, and synced issue state). We only request the OAuth scopes needed to provide the features you enable.
3.4 Billing data
Paid subscriptions are processed by Stripe. When you subscribe, Stripe collects and processes your billing details (including name, billing address, VAT number where applicable, and payment card details) as a joint controller for payment processing and tax compliance. We receive a limited set of information from Stripe — your Stripe customer ID, email address, subscription state, and invoice metadata — which we store to operate your subscription and provide support. We never see or store full payment card details.
3.5 Website and product usage data
When you visit our Website we use cookies and similar technologies to collect information about how the Website is used, including pages visited, session duration, approximate geographic location (city or region level), device and browser type, and referring website. See our Cookie Policy for full details of the categories of cookies we use and the choices available to you.
4. Legal Bases for Processing
Under the UK GDPR we rely on the following legal bases:
- Contract — to create and operate your account, deliver the Service you have subscribed to, process payments, and provide customer support (Article 6(1)(b)).
- Legitimate interests — to secure, operate, and improve the Service, to analyse Website usage, and to send occasional product-update or marketing emails to existing customers in accordance with the soft opt-in under the Privacy and Electronic Communications Regulations 2003, where our interests do not override your rights and freedoms (Article 6(1)(f)). You can opt out of marketing emails at any time.
- Consent — for the placement of non-essential cookies (analytics and advertising) and for pre-customer marketing communications. You can withdraw consent at any time through our cookie banner, the "Manage cookies" link in our footer, or your browser settings (Article 6(1)(a)).
- Legal obligation — to retain transaction and tax records as required by accounting and tax legislation (Article 6(1)(c)).
5. How We Use Your Information
- To provide, maintain, and secure the Service.
- To process feedback submissions and generate structured PRDs and Linear-ready issues using the AI processing described in section 7.
- To push issues to Linear, send notifications to Slack, and surface relevant repository context from GitHub — only for integrations you have authorised.
- To process subscriptions, invoices, and refunds via Stripe.
- To respond to support enquiries and communicate important service messages.
- To understand how our Website and product are used so we can improve them.
- To send occasional product updates and marketing emails to existing customers, and to prospects who have opted in. Every marketing email includes an unsubscribe link.
- To comply with legal, regulatory, and tax obligations.
6. AI Processing
Feedback content, attachments, and repository context from any GitHub repositories you connect are sent to Anthropic's Claude API (currently the claude-sonnet-4-6 model) via the Vercel AI SDK in order to generate structured PRDs and suggested Linear issues. Anthropic processes this content as our subprocessor and, under its commercial terms, does not retain API inputs or use them to train its models. If you do not wish for feedback to be processed by AI, do not submit it through Flowback; a partial opt-out is not currently available.
7. Subprocessors
We share personal data only with the subprocessors listed below, and only to the extent necessary to provide the Service. This list may change; we will update this page when it does.
- Vercel Inc. (United States) — application hosting, edge network, and runtime logs.
- Supabase Inc. (EU region) — PostgreSQL database, authentication, and file storage for feedback attachments.
- Upstash, Inc. (United States) — rate limiting and ephemeral cache.
- Anthropic PBC (United States) — Claude large language model inference for PRD generation.
- Stripe Payments Europe, Ltd. / Stripe, Inc. — subscription billing and invoicing.
- Resend (Plus Five Five, Inc.) (United States) — transactional and marketing email delivery.
- Google LLC (United States) — Google Tag Manager, Google Analytics 4, and Google Ads conversion tracking on our Website.
- LinkedIn Ireland Unlimited Company — LinkedIn Insight Tag for campaign measurement.
- Meta Platforms Ireland Limited — Meta Pixel for campaign measurement.
- Reddit, Inc. (United States) — Reddit Pixel for campaign measurement.
- Linear Orbit, Inc., Slack Technologies, LLC, and GitHub, Inc. (United States) — customer-authorised integrations. Data is only shared with these services when you explicitly connect them to your workspace.
We may also disclose your information if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
8. International Data Transfers
Several of our subprocessors are based outside the United Kingdom, primarily in the United States and the European Economic Area. Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or the European Commission's Standard Contractual Clauses, or we rely on an adequacy decision where one is in place. Supabase data is hosted in an EU region.
9. Data Retention
- Account and workspace data: retained for as long as your workspace is active and deleted within 30 days of workspace closure, other than data we are required to retain for legal or tax reasons.
- Feedback submissions and attachments: controlled by the business customer who owns the workspace. They are deleted on request from the workspace owner or within 30 days of workspace closure.
- Billing and transaction records: retained for up to 7 years to comply with UK tax and accounting requirements.
- Support correspondence: retained for up to 2 years after the last communication.
- Google Analytics data: retained in accordance with our Google Analytics settings (currently 14 months), with IP addresses anonymised on collection.
10. Your Rights
Under the UK GDPR, you have the following rights in relation to the personal data we hold about you:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data, subject to our legal obligations.
- Right to restrict processing — ask us to limit how we use your data.
- Right to data portability — request your data in a structured, commonly used, machine-readable format.
- Right to object — object to our processing where we rely on legitimate interests.
- Right to withdraw consent — withdraw consent at any time where we process data based on your consent.
To exercise any of these rights, please contact us at hello@flowback.co. We will respond within one month of receiving your request. If we need more time (up to an additional two months for complex requests), we will let you know.
If your personal data is processed by Flowback as a processor on behalf of a business customer, please direct your request to that business customer in the first instance; we will support them in responding to your request.
11. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
12. Children's Privacy
Flowback is a business tool and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at hello@flowback.co and we will take steps to delete that information.
13. Security
We take appropriate technical and organisational measures to protect the personal data we process. These include encryption in transit (TLS) and at rest, principle-of-least-privilege access controls for staff, authentication and session management delegated to our authentication provider, and regular review of our subprocessors. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@flowback.co
- Post: Strategic Minds Group Limited, 57 Nine Elms Lane, London, SW11 7DF