Privacy Policy
Last updated: February 11, 2026
1. Introduction
FlowForce ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the FlowForce AI search optimization platform ("the Service").
This policy is prepared in compliance with the Personal Data Protection Act B.E. 2562 (2019) of the Kingdom of Thailand ("PDPA") and applies to all users of the Service regardless of location. Where you are located in a jurisdiction with additional data protection requirements (such as the EU/EEA under GDPR, or California under CCPA), the applicable provisions of those frameworks are addressed in the relevant sections below.
2. Data Controller
For the purposes of the PDPA and applicable data protection laws, FlowForce acts as the data controller of your personal data. You may contact us at:
- Email: support@flowforce.agency
- Website: flowforce.agency
3. Information We Collect
3.1 Information You Provide
- Account information: Your name, email address, and password when you create an account (or your Google profile information if you sign up via Google OAuth).
- Website and audit preferences: Website URLs you add for scanning, target categories, competitor domains to track, and scan frequency preferences.
- Recommendation feedback: Ratings (helpful / not helpful) and notes you provide on optimization recommendations.
- Digest preferences: Your preferred timezone and delivery time for audit digest emails.
3.2 Information Collected Automatically
- Authentication cookies: Essential cookies used for session management and authentication via Supabase.
- Device and browser information: Browser type, operating system, and IP address collected during your interactions with the Service.
- Usage data: Pages visited, features used, and interactions with audit data and recommendations within the Service.
3.3 Payment Information
All payment processing is handled securely by Stripe. FlowForce does not store your credit card numbers or full payment card details. We store only:
- Your Stripe customer ID and subscription ID for billing management.
- A card fingerprint (a non-reversible identifier) previously used to enforce our trial policy (free trials are no longer offered to new users).
3.4 AI Search and Audit Data
We collect and process data related to AI search visibility analysis for the purpose of providing optimization recommendations. This includes:
- Website audit data: page structure, content analysis, and technical SEO signals.
- AI search query results: how your website appears in AI-powered search responses.
- Visibility scores: metrics measuring your presence across AI search platforms.
- Competitor visibility data: comparative analysis of competitor websites in AI search.
- Category and query performance: which search categories and queries your site ranks for.
This data is generated through our analysis engine and AI search APIs. We use this data to analyze your AI search visibility and generate optimization recommendations to improve your presence in AI-powered search results.
4. Legal Basis for Processing
Under PDPA Section 24, we process your personal data based on the following legal grounds:
- Contract performance (Section 24(3)): Processing necessary to provide the Service you subscribed to, including account management, audit delivery, and email digests.
- Legitimate interest (Section 24(5)): Improving the Service through aggregate usage analytics, preventing fraud and abuse, and ensuring the security of the platform.
- Consent (Section 19): Where required, such as for optional marketing communications or features that process data beyond what is necessary for the core Service.
- Legal obligation (Section 24(6)): Processing required to comply with applicable laws, such as maintaining financial records or responding to lawful requests from authorities.
5. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service, including analyzing your AI search visibility and delivering website audits with optimization recommendations.
- Process payments and manage your subscription through Stripe.
- Send email digests containing your audit results and visibility updates via Resend.
- Generate AI-powered optimization recommendations using OpenAI, personalized based on your website audit data and visibility scores. Only anonymized website and signal data is sent to OpenAI — no personal user data is included.
- Personalize your experience based on your audit preferences and feedback.
- Communicate with you about your account, service updates, and support requests.
- Improve the Service through aggregate, anonymized usage analytics.
- Prevent fraud and enforce our Terms of Service.
6. Third-Party Service Providers
We share your data with the following third-party service providers, each of which processes data solely for the purposes described:
- Supabase: Authentication, database hosting, and row level security. Stores your account data, audit configurations, and visibility data. Servers located outside Thailand.
- Stripe: Payment processing and subscription management. Receives your payment information directly. Stripe is PCI DSS compliant.
- Resend: Email delivery service used to send audit digest emails and transactional emails. Receives your email address and name.
- OpenAI: AI model provider used to generate optimization recommendations. Receives only anonymized website and audit data — no personal user information is shared.
- Vercel: Hosting provider for the FlowForce web application. Servers located outside Thailand.
- Render: Hosting provider for the FlowForce analysis engine. Servers located outside Thailand.
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
7. International Data Transfers
Your personal data is processed and stored on servers located outside the Kingdom of Thailand, including servers operated by Supabase, Vercel, and Render. In accordance with PDPA Section 28, we ensure that:
- The destination countries or organizations maintain adequate data protection standards.
- Appropriate safeguards are in place through service provider agreements that require our providers to protect your data to standards no less protective than those required by the PDPA.
- Transfers are necessary for the performance of the contract between you and FlowForce (PDPA Section 28(2)).
8. Data Retention
- Account data: Retained for as long as your account is active. If you cancel your subscription or your account is terminated, your personal data is retained for 90 days to allow for potential re-activation, after which it is permanently deleted.
- Audit data: Website audit data and visibility scores are retained for as long as your account is active. Upon account termination, this data is deleted within 90 days.
- Payment records: Transaction records are retained as required by applicable Thai tax and accounting laws.
- System logs: Server and application logs are retained for up to 90 days for security and debugging purposes.
9. Your Rights Under the PDPA
Under the Personal Data Protection Act B.E. 2562 (2019), you have the following rights regarding your personal data:
- Right of access (Section 30): Request a copy of the personal data we hold about you and information about how it is processed.
- Right to data portability (Section 31): Request your personal data in a commonly used, machine-readable format.
- Right to object (Section 32): Object to the processing of your personal data in certain circumstances.
- Right to erasure (Section 33): Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
- Right to restriction (Section 34): Request that we restrict the processing of your personal data in certain circumstances.
- Right to rectification (Section 35): Request correction of inaccurate or incomplete personal data.
- Right to withdraw consent (Section 19): Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint: You have the right to file a complaint with the Personal Data Protection Committee (PDPC) of Thailand if you believe your personal data has been processed in violation of the PDPA.
To exercise any of these rights, please contact us at support@flowforce.agency. We will respond to your request within 30 days. We may request verification of your identity before processing your request.
10. Rights for EEA/UK Users (GDPR)
If you are located in the European Economic Area or the United Kingdom, you also have rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction, portability, and the right to object. Our legal bases for processing under GDPR mirror those described in Section 4 above.
To exercise your GDPR rights, contact us at support@flowforce.agency.
11. Cookies
We use essential cookies only for authentication and session management through Supabase. These cookies are strictly necessary for the Service to function and cannot be disabled.
We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party cookies for marketing purposes.
You can configure your browser to refuse all cookies, but doing so may prevent you from logging in and using the Service.
12. Security Measures
We implement industry-standard technical and organizational security measures to protect your personal data, including:
- Encrypted data transmission using TLS/SSL for all communications between your browser and our servers.
- Secure authentication managed by Supabase with JWT (JSON Web Token) session handling.
- Row Level Security (RLS) enforced at the database level to ensure users can only access their own data.
- Secure credential storage — passwords are hashed and never stored in plaintext.
- Stripe PCI DSS compliance for all payment data handling.
While we take reasonable precautions to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
13. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@flowforce.agency.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice within the Service at least 30 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, or wish to exercise your rights under the PDPA or other applicable data protection laws, please contact us at:
- Email: support@flowforce.agency
- Website: flowforce.agency