Privacy Policy
This Privacy Policy explains how Claude Flow Cloud ("we", "us", "our") collects, uses, shares, and safeguards personal data in connection with our AI-powered development platform. It is designed to meet requirements in the United States (including CCPA/CPRA) and the European Union/Germany (GDPR). Please read it carefully.
1. Controller and contact
Claude Flow Cloud is operated by our applicable group entity. For EU/EEA and German users, the primary establishment is in the EU; for US users, the primary establishment is in the United States. You can reach us at privacy@claude-flow.cloud for any privacy questions or to exercise rights.
2. Data we collect
- Account and identity data: email, name, authentication identifiers, and security events handled via Clerk.
- Workspace and organization data: organization names, roles, permissions, and collaboration settings.
- Customer Content: documents, requirements, and data you upload or generate when using the Service (stored in managed PostgreSQL via Supabase; processed in Google Cloud EU regions). We do not store customer prompts and we only store our own system prompts for service improvement.
- Usage and event data: product interaction events, performance metrics, and diagnostics collected via PostHog (EU hosting), Sentry, Langfuse (for system prompt observability), and our application telemetry in Grafana Cloud. This data is always stored in the region where the service is provided and hosted.
- Device and network data: IP address, browser/OS information, timestamps, and security logs to maintain service integrity.
- Support communications: content of support requests and related metadata.
- Billing data: subscription status and payment metadata handled through Stripe (we do not store full payment card numbers).
3. Purposes and legal bases
We process personal data for the following purposes and legal bases:
- Provide and operate the Service (contract necessity).
- Authenticate users and secure accounts (contract necessity; legitimate interest in security).
- Maintain and improve performance, reliability, and safety (legitimate interests in service quality and security).
- Provide support and communicate about the Service (contract necessity).
- Analyze product usage for improvement (legitimate interests; where required, consent for cookies/analytics).
- Comply with legal obligations, including audit and recordkeeping (legal obligation).
- Marketing communications where permitted (consent where required; opt-out available at any time).
4. Sharing and subprocessors
We do not sell personal data. We share it only as needed to operate the Service:
- Supabase for managed PostgreSQL database services and API infrastructure.
- Google Cloud (EU regions) for application hosting and compute.
- Clerk for authentication, user management, and security events.
- PostHog (EU hosting) for product analytics and event tracking.
- Langfuse (EU hosting) for system prompt observability.
- Sentry for error monitoring and performance diagnostics.
- Stripe for payment processing and billing management.
- Cookiebot for cookie consent management.
- Grafana Cloud for application telemetry.
- Professional advisors, auditors, and legal authorities where required by law or to protect rights and safety.
Subprocessors are bound by data protection and confidentiality terms. We will provide notice of material changes where legally required.
5. International transfers
Data may be processed in the United States and the EU. For EU/EEA/German users, transfers outside the EU/EEA rely on appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and supplementary measures. PostHog and Google Cloud are hosted in EU regions; Supabase and Neo4j operate in cloud regions with appropriate controls. We monitor subprocessor locations and update safeguards as needed.
6. Retention
We retain personal data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. We apply retention periods to logs and analytics consistent with these purposes. You may request deletion of Customer Content and account data; some records may be retained as required by law or for security.
7. Security
- Encryption in transit, access controls, and least-privilege permissions.
- Segregated multi-tenant data model with monitoring and logging.
- Regular backups for critical data stores, subject to retention windows.
- Vendor due diligence for subprocessors (Supabase, Google Cloud EU, Clerk, PostHog EU, Langfuse EU, Sentry, Stripe, Cookiebot, Grafana Cloud).
Please notify us promptly of any suspected account compromise or security incident.
8. Your rights (GDPR / German law)
If you are in the EU/EEA (including Germany), you have the right to access, rectify, and erase your personal data, to restrict or object to processing, and to data portability, as well as the right to withdraw consent at any time (without affecting processing prior to withdrawal). You also have the right to lodge a complaint with your local data protection authority. We respond to rights requests without undue delay.
9. Your rights (US including CCPA/CPRA)
If you are a California resident, you have rights to know/access certain information, delete data, correct inaccuracies, opt out of "sale" or "sharing" for cross-context behavioral advertising, and limit use of sensitive personal information, subject to exceptions. We do not sell personal data. We do not use or disclose sensitive personal information for purposes that require a right to limit. We will not discriminate against you for exercising your rights.
10. Cookies and analytics
We use cookies and similar technologies to provide core functionality (authentication via Clerk) and to measure product usage (PostHog). Cookie consent is managed through Cookiebot. Where required, we obtain consent for non-essential cookies. You can manage cookies through your browser settings; disabling some cookies may affect functionality. We use Langfuse for system prompt observability and performance monitoring; this data collection is limited to system-level metrics and does not include customer prompts at all. We use Grafana Cloud for application telemetry; this data collection is limited to application-level metrics and does not include customer data.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect data from them.
12. Changes
We may update this Privacy Policy to reflect changes to the Service, legal requirements, or our processing. Material changes will be communicated (e.g., via in-product notice or email). Continued use after an update indicates your acceptance.
13. Contact
For questions or requests, contact privacy@claude-flow.cloud. We respond in accordance with applicable law and will guide you through identity verification where needed.