Privacy Policy

1. Who we are

Flowchester provides a contact-hygiene app for HubSpot Marketing Hub. Our contact address for privacy questions is support@flowchester.com. We do not currently appoint a Data Protection Officer because our processing does not meet the GDPR Article 37 threshold; you can still contact us about any data-protection matter at that address.

2. What data we collect, and why

2.1 Website visitors

• Analytics data — IP address (truncated by Google before storage), user agent, referring URL, pages viewed, session events. Collected via Google Analytics 4 only if you accept analytics cookies. Legal basis: consent (GDPR Art. 6(1)(a)).
• Functional signals — localStorage entries that remember your cookie choice. No tracking ID. Legal basis: legitimate interest in honouring your preference (Art. 6(1)(f)), and this type of storage is explicitly permitted by ePrivacy rules without consent.
• Email enquiries — if you email us, we see your address and whatever you write. Legal basis: legitimate interest in replying (Art. 6(1)(f)).

2.2 Flowchester account holders

• Account identifiers — HubSpot portal ID, HubSpot user email (via OAuth), and the subscription tier you chose. Legal basis: performance of the contract with you (Art. 6(1)(b)).
• Billing data — Stripe customer ID, subscription ID, invoice history. Card details are never seen by Flowchester: payment pages are hosted by Stripe directly. Legal basis: performance of the contract, and a legal obligation to retain invoicing records.
• Security logs — request logs, OAuth authorisation events, webhook delivery logs. Kept to detect abuse and help you troubleshoot. Legal basis: legitimate interest in service security (Art. 6(1)(f)).

2.3 HubSpot contacts processed by the App

When HubSpot creates a contact in a portal where Flowchester is installed, HubSpot sends us a webhook containing the contact's email address, name, source (form, chat, import, etc.), and HubSpot ID. We check that contact against the rules you've configured. If a block rule matches, we delete the contact from HubSpot and log the decision.

For this processing we act as your data processor. You are the controller of the contact data and your agreement with HubSpot remains the primary legal framework for the underlying processing. Legal basis is your instruction to us under the Flowchester Terms of Service and the Data Processing Agreement.

3. Cookies and similar technologies

The website uses the cookies and browser-storage entries listed below. You can change your analytics decision at any time using the Manage cookies link below or in the footer.

We do not run advertising cookies, cross-site tracking pixels, social-media share widgets, or third-party chat widgets. Google Analytics is configured with IP anonymisation and Google Consent Mode v2, so until you accept the analytics category, Google receives only anonymous, cookieless pings.

4. Who we share data with

We rely on the following sub-processors. Each has been selected for their documented security posture and we have a Data Processing Addendum with each.

• Amazon Web Services (AWS) — infrastructure hosting (ECS Fargate, RDS, ElastiCache, S3, CloudFront). Processing region is the European Union.
• HubSpot, Inc. — source of the contact records we process. We access HubSpot only via the OAuth scopes you grant.
• Stripe, Inc. — payment processing and subscription management. Card data is collected on Stripe-hosted pages; we never handle it directly.
• Google Ireland Limited — Google Analytics 4, only when you accept analytics cookies.

Where a sub-processor handles data outside the European Economic Area, the transfer is covered by the European Commission's Standard Contractual Clauses and any supplementary measures the processor publishes.

5. How long we keep data

• Decision log (block outcomes, matched rule, contact email and source) — 30 days, then permanently deleted.
• Analytics data — 14 months in Google Analytics (property retention setting), then deleted by Google.
• Account data — for the lifetime of your subscription, plus 30 days after cancellation so you can reinstall without losing configuration.
• Billing and invoice data — 10 years where required by French commercial law, otherwise 7 years.
• Security and request logs — 90 days.

6. Your rights

Under the GDPR and equivalent laws you can ask us to (i) confirm whether we hold data about you, (ii) provide a copy, (iii) correct inaccurate data, (iv) erase data we no longer need to keep, (v) restrict processing, (vi) receive your data in a portable format, and (vii) object to processing based on legitimate interest. You can also withdraw consent to analytics at any time using the cookie banner.

To exercise any right, email support@flowchester.com. We respond within 30 days. If you believe we're mishandling your data, you can also lodge a complaint with your national data-protection authority — in France that is the CNIL (cnil.fr).

7. Security

All traffic uses TLS 1.2+; data at rest is encrypted on AWS-managed keys. Secrets live in AWS Secrets Manager with least-privilege IAM. Access to production systems is restricted to named individuals and logged. We follow the OWASP Top 10 and run automated dependency scanning in our CI pipeline. No system is perfectly secure, however, and we notify affected customers within 72 hours of confirming a personal-data breach as required by GDPR Article 33.

8. Children

Flowchester is a B2B product and is not directed at children under 16. We do not knowingly collect data from children.

9. Changes to this policy

We will update this page when we change how we process data. Material changes will be signalled on the website for at least 30 days before they take effect; we'll email account holders directly for changes that affect their subscription.

10. Contact

Questions, rights requests, or breach reports — support@flowchester.com. See our Terms of Service for the contractual framework around the App.