Privacy Policy

FlowHunt's Privacy Policy outlines data processing for users, managed by QualityUnit. It covers purposes, legal bases, user rights, data transfers, and security. Consent is required for service use, with data stored on Stripe and shared with OpenAI and Google.

1. General

This Privacy Policy describes how FlowHunt processes the Users personal information to perform the Services offered in the Website, under the domain flowhunt.io (“Services”).

Users must read and expressly consent to the data treatment referred by this Privacy Policy, before using the Services.

2. Data Controller

The Controller of the data collected through this Website is QualityUnit, sro.

Flowhunt will process the personal data of the User of this Website for the following purposes:

  • Enable the maintenance, development and management of the Services, business relationship formalized by contracting products and/or services through this Website, which includes carrying out operations that relate to the management of customers concerning the contracts, orders, deliveries and invoices, and manage the unpaid invoices and possible disputes about the use of our products and services. The data processed for this purpose will be kept as long as said business relationship is maintained and, once it ends, during the periods of conservation and prescription of responsibilities legally established. The legal basis of the treatment is the execution of a contract in which the User is a party.
  • Respond to requests for information and/or queries made by the User. The data processed for this purpose will be kept until the request for information and/or consultation has been answered and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the legitimate interest of FlowHunt in responding to the User.
  • Keep the User informed, including by electronic means, about FlowHunt products, services and news. The data processed for this purpose will be kept until the moment the User withdraws his consent given to receive said communications and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the consent of the User.
  • If the User does not consent to the processing of your data for this purpose, please inform FlowHunt with email to support@flowhunt.io.

Failure to accept this Privacy Policy will imply that all the Services rendered and Website content offered by FlowHunt shall not be made available, and that the system subscription process shall be interrupted or terminated.

4. Categories of data

‍The data relating to bank cards and all personal data are stored in Stripe, under the rules and policies of Stripe. https://stripe.com/en-sk/privacy.

5. Automated Decision-Making

FlowHunt informs the Users that by using the Services they will be subject to automated decision-making, including profiling.

6. Recipients and Personal Data Transfers

The data may be communicated to the following third party recipients: OpenAI, Google.

7. Rights of the Users

Users are, at any time, entitled to exercise their rights of access, rectification, erasure, restriction of processing, data portability, not to be object to a decision based solely on automated processing, including profiling, and object, by contacting FlowHunt and sending a written notification to support@flowhunt.io, attaching a copy of their National Identity Document or another equivalent identity document identifying them as a User.

Users have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The Users also have the right to lodge a complaint with a supervisory authority.

8. FlowHunt as data processor

In the event that the User purchases a license to use the Services, FlowHunt will need to process certain personal data on behalf of the licensee (whether the licensee is the User itself or a legal entity represented by the User). For these purposes, the User shall be considered the Data Controller and FlowHunt shall be considered the Data Processor.

The following clauses constitute the regulation of the relationship between the Controller and the Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “GDPR2) and Article 33 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter, “LOPDGDD”).

8.1. Processing of data to be carried out by the Data Processor

The Data Processor shall process the personal data necessary to carry out the Services on behalf of the Controller. The aforementioned processing shall have a duration equal to that of the provision of the Services, in such a way that once the provision of the Services has been completed, the processing shall be deemed to have been completed.

8.2. Obligations of the Processor

The Data Processor undertakes to:

a. Use the personal data undergoing processing, or that it collects for the purpose of their inclusion, only for the strict provision of the Services. Under no circumstances may it use the data for its own purposes.

b. Process the data in accordance with the instructions of the Controller. If the Processor considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions, the Processor shall immediately inform the Controller thereof.

c. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.

d. Not to communicate the data to third parties, except with the express authorisation of the Data Controller, in the legally admissible cases.

e. Not to subcontract any of the services that form part of the Services and involve the processing of personal data.If it is necessary to subcontract any processing, the Controller must be given prior written notice of this fact, at least 20 calendar days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may be carried out if the Controller does not express its opposition, in writing, within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established herein for the Data Processor and the instructions issued by the Data Controller. It is the responsibility of the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the initial processor, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subcontractor, the initial Processor shall remain fully liable to the Controller for compliance with the obligations.The Controller authorizes the Processor to carry out the following subcontracting necessary to provide the Services: see list of suprocessors.

f. Maintain the duty of secrecy with respect to the personal data to which it has access by virtue of the provision of the Services, even after the provision of the Services has ended.

g. To ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

h. Keep at the disposal of the Data Controller the documentation accrediting compliance with the obligation established in the previous section.

i. Guarantee the necessary training in the protection of personal data for the persons authorized to process personal data.

j. Assist the Controller in responding to the exercise of the rights of:

  • Access, rectification, erasure and object;
  • Limitation of processing;
  • Data portability;
  • Not to be subject to automated individualized decisions (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and object, restriction of processing, data portability and the right not to be subject to automated individualized decisions before the Data Controller, the latter must communicate this by e-mail to the Data Controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.

k. Notify the Controller without undue delay and, in any event, no later than 48 hours by e-mail of any breach of security of the personal data under their responsibility of which they become aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, at least the following information shall be provided:

  • A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned.
  • The name and contact details of the data protection officer or other point of contact from whom further information may be obtained.
  • A description of the possible consequences of the personal data breach.
  • Description of the measures taken or proposed to be taken to remedy the personal data breach including, where appropriate, measures taken to mitigate the possible negative effects.

If it is not possible to provide the information simultaneously, to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a gradual manner without undue delay.

l. Support the Controller in carrying out data protection impact assessments, where appropriate.

m. Support the Controller in carrying out prior consultations with the supervisory authority, where appropriate.

n. Make available to the Controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Controller or any other auditor authorized by it.

o. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons. In any case, it shall put in place mechanisms to:

Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.

  • Restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
  • Pseudonymized and encrypt personal data, where appropriate.

p. Appoint a Data Protection Officer and communicate his or her identity and contact details to the Controller, where appropriate.

q. Comply with the other obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Processor.

8.4. Obligations of the Data Controller

The Data Controller has the following obligations:

a. To provide or allow access to the data specified above by the Data Controller.

b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Controller, where applicable.

c. Conduct prior consultation as appropriate.

d. Ensure, prior to and throughout the processing, compliance with the GDPR, the LOPDGDD and its implementing regulations by the Data Processor.

e. Supervise the processing, including carrying out inspections and audits.

f. Facilitate the right to information at the time of data collection.

g. Comply with the rest of the obligations that the RGPD, the LOPDGDD and its implementing regulations establish for the Data Controller.

9. Data Sharing Disclosures

FlowHunt shares data only with third-party services explicitly chosen by users for integrations or operations. No data is shared without user consent, and all third-party services adhere to strict data protection standards. Users retain full control over where they connect their flows and whether they choose to integrate their data with external services through the platform’s existing integrations.

Integrations accessible to FlowHunt users:

LiveChat and Helpdesk platforms

  • LiveAgent – multichannel help desk software
  • HubSpot
  • LiveChat
  • Smartsupp
  • Freshchat
  • tawk.to
  • Slack

Google services integration (in development)

When integrating with Google services, FlowHunt may collect user data strictly to provide the requested services. This data is never shared with any unauthorized parties and is handled with the utmost care and security.

  • Authentication: FlowHunt collects the authenticated user’s name and email address.
  • Google Ads: FlowHunt accesses campaign keywords and automates the management of negative keywords to optimize ad performance.
  • Google Docs: FlowHunt reads and writes data only within approved documents. No document data is stored by FlowHunt.
  • Google Calendar: FlowHunt reads and writes events solely within approved calendars. No calendar data is stored by FlowHunt.
  • Google Sheets: FlowHunt reads and writes data only within approved sheets. No sheet data is stored by FlowHunt.
  • Google Drive: FlowHunt reads and writes data exclusively within approved files. No drive data is stored by FlowHunt.
  • Google Tasks: FlowHunt reads and writes task data only within approved tasks. No task data is stored by FlowHunt.
  • Google Meet: FlowHunt reads transcripts or videos from approved meetings, but no data from these meetings is stored by FlowHunt.

Other integrations

  • Shopify

If users opt to use AI agents, AI crews and flow components powered by large language models (LLMs) such as OpenAI, Grok, or Amazon BedRock, data will be processed by these third-party services as part of their operation. Users have the flexibility to decide whether to use custom-trained models or generally available models.

FlowHunt ensures that we never opt-in to use LLM models or services where user data sent to these services is stored for additional training or processing. This guarantees that your data remains secure and is used solely for the intended purpose of providing the requested services.

All data within the FlowHunt platform is securely stored using a hybrid cloud topology. This infrastructure leverages Amazon AWS Cloud services and Linode (Akamai) to ensure data security, scalability, and reliability. We are committed to maintaining the highest standards of data protection and operational excellence.

10. Data Retention and Deletion Policies

We are committed to ensuring that your data is managed responsibly and transparently. Below are the details of our data retention and deletion policies:

  • Generated Content History: We retain user-generated content history for a maximum of 1 year to provide a seamless user experience and access to previous records.
  • Cached Data: Cached data is stored for a maximum duration of 14 days to optimize performance and improve service delivery. Example of cached data is URL retrieved from internet and used as a context for LLM to generate new content or answer a question.
  • User-Initiated Data Deletion: Users have full control over their data and can choose to delete all stored data at any time during the lifetime of their account. Once deleted, the data cannot be recovered.
  • Backups: Backups of our data are performed daily and securely stored in Amazon AWS S3. These backups are retained for a period of 30 days to ensure data recovery in case of unforeseen circumstances.

11. Explicit Use of User Data

FlowHunt is committed to protecting your privacy and ensuring the responsible use of your data. User data is solely used for the purpose of providing or improving FlowHunt services (e.g. debugging error reported by customer). It is not utilized for any other purposes, such as targeted advertising or being sold to third parties.

Additionally, FlowHunt does not use user data for training AI models or reusing it between other users. All user data is securely encapsulated within individual workspaces, ensuring complete isolation. This means that sharing or accessing data between separate user workspaces is not permitted or possible. Even if a single user creates multiple workspaces, data sharing between those workspaces is strictly prohibited and technically infeasible.

12. Data Access and Control

FlowHunt is dedicated to empowering users with full control over their personal data and workspace access. Users have the right to access, update, or delete their personal information at any time.

  • Workspace Access Control: Users can manage access to their workspaces and the data within them by assigning roles to other users. The available roles include:
    • Administrator: Full access to manage the workspace and its data, including user roles and permissions.
    • Editor: Ability to modify AI flows, data and content within the workspace.
    • Member: Access to view and interact with data but without editing privileges.
    • Guest: Limited access to read some data.
  • API Key-Based Access: In addition to user role-based access, each workspace allows access control via API keys. Users can generate API keys with defined validity periods to enable programmatic access. It is the responsibility of the user to rotate API keys periodically to maintain security and prevent unauthorized access.

To exercise control over access, permissions, and data, or to update or delete personal information, users can submit a request through our support portal. FlowHunt is committed to processing such requests promptly and ensuring user satisfaction while adhering to privacy guidelines.

Support portal: https://support.qualityunit.com
Email: support@flowhunt.io

13. Security and Protection of Data

FlowHunt has adopted the Data protection security legally required, and strives to adapt additional technical measures and means within its scope to avoid the loss, misuse, alteration, unauthorized access to and theft of the personal details provided. FlowHunt agrees to use all of the details sent by registered Users with the utmost confidentiality and resilience.

To ensure the confidentiality and security of user data, FlowHunt employs encryption, access controls, and regular security assessments to safeguard information against unauthorized access and breaches.

14. Changes to this Privacy Policy

FlowHunt reserves the right to amend this policy in order to adapt it to new regulations, case laws and industrial and/or commercial practice.

‍If FlowHunt decides to change its Privacy Policy, it will post those changes on this page. This Privacy Policy was last modified on 02/13/2025.

Ready to build your own AI?

Smart Chatbots and AI tools under one roof. Connect intuitive blocks to turn your ideas into automated Flows.

Try it out Book a demo

Build AI the easy way

Connect intuitive blocks to turn your ideas and needs into automated Flows

Our website uses cookies. By continuing we assume your permission to deploy cookies as detailed in our privacy and cookies policy.

Decline Accept