Last updated: July 13, 2026
This Privacy Policy explains what personal data Flowbaba collects, why, how long we keep it, and the choices and rights you have. It applies to the Flowbaba mobile app and the flowbaba.co website (together, the “Service”), operated by Point7 Systems Private Limited (“Flowbaba”, “we”, “us”).
Questions or to exercise your rights: privacy@flowbaba.co.
The data controller is Point7 Systems Private Limited, 821, 3rd Cross Street, Radhakrishnan Nagar, Vellore 632206, India. Contact: privacy@flowbaba.co.
| Data | Why | Legal basis (GDPR) |
|---|---|---|
| Phone number | Create your account and sign you in via one-time SMS code. Also used, in hashed form, for fraud/abuse prevention after deletion (§7). | Contract (Art. 6(1)(b)); legitimate interests for the retained hash (Art. 6(1)(f)) |
| Display name | Shown on your profile and content. | Contract (Art. 6(1)(b)) |
| @handle | Your unique public username and profile URL. | Contract (Art. 6(1)(b)) |
| Session token | Keeps you signed in securely on your device. | Contract (Art. 6(1)(b)) |
We authenticate with one-time SMS codes only. We do not collect or store passwords.
Legal basis: performance of our contract with you (Art. 6(1)(b)).
Location. Flowbaba’s data model reserves fields for a moment’s coordinates, but the app does not currently collect or attach your location. [If location capture ships, update this section and the store data-safety disclosures, and request permission at that time.]
Your photos and videos are uploaded to and delivered from Cloudflare (Images for photos, Stream for video, R2 for other media) using signed, expiring links.
| Data | Why | Legal basis |
|---|---|---|
Product analytics keyed to your user ID (analytics distinct_id), via PostHog | Understand usage and improve the app | Legitimate interests (Art. 6(1)(f)); consent where required |
| Crash/error reports (device model, OS, app version, stack traces) via Sentry | Detect and fix crashes and bugs | Legitimate interests (Art. 6(1)(f)) |
| Device/app metadata | Operate, secure, debug the Service | Legitimate interests (Art. 6(1)(f)) |
| Push token (Apple/Google) | Deliver notifications you enabled | Contract / consent |
Sentry is configured not to send personally identifying request data by default. [Confirm PostHog Session Replay status before launch — currently disabled/inert; if enabled it records screen interactions and must be disclosed and masked.]
We share personal data only as described here. We do not sell your personal data, and we do not “share” it for cross-context behavioral advertising as defined under California law.
Your profile (@handle, display name, profile media), your public moments, and content you direct to others (tags, messages, connections) are visible to the people you’d expect — the public for public moments; specific people for private moments, tags, and direct messages.
| Provider | What it does for us | Data involved |
|---|---|---|
| Supabase | Authentication (GoTrue), primary database (Postgres), real-time message delivery (Realtime) | Phone number (via auth), account data, app content, messages |
| Twilio | Sends one-time SMS login codes (Twilio Verify) | Phone number, verification code |
| Cloudflare | Media storage/delivery (Images, Stream, R2) via signed links; website/edge (Pages) | Your photos, videos, other media |
| PostHog | Product analytics | Usage events keyed to your user ID |
| Sentry | Crash and error reporting | Diagnostic/error data, device metadata |
| Apple | Push notifications (APNs) on iOS; app distribution | Push token, device data |
| Push notifications (Expo/FCM) on Android; app distribution | Push token, device data |
[Maintain this as the authoritative sub-processor list; add each provider’s privacy/DPA reference and hosting region for legal review.]
We may disclose data if required by law, to enforce our Terms, or to protect the rights, safety, and security of users, the public, or Flowbaba (including fraud/abuse prevention — §7).
If Flowbaba is involved in a merger, acquisition, or asset sale, personal data may transfer as part of that transaction; we will require the recipient to honor this Policy.
We and our providers may process your data in countries other than where you live, including the United States. Where required, we rely on appropriate safeguards (for example, EU Standard Contractual Clauses). [Legal to confirm the transfer mechanism per provider and per the company’s establishing jurisdiction.]
You can delete your Flowbaba account in the app (Settings → Delete account) or on the web at https://flowbaba.co/delete-account.
When you delete your account:
We do not keep your phone number after deletion. We keep a keyed cryptographic hash of it (which cannot be reversed back into your number and cannot be used to contact you) together with minimal flags recording whether the account was banned or tied to fraud or abuse. This stops a banned or abusive user from deleting and recreating an account to evade a ban or farm rewards.
Why we’re allowed to keep this: our legitimate interests in preventing fraud, abuse, and ban-evasion and in protecting our community (GDPR Art. 6(1)(f); Recital 47 recognizes fraud prevention as a legitimate interest). The retained data is minimal, irreversible, and cannot identify or contact you — which is why this narrow retention can survive an erasure request under Art. 17 (erasure does not apply where processing is necessary for overriding legitimate grounds).
What it is not: not your phone number, not reversible, not used for marketing, not shared for advertising.
[Document the legitimate-interest assessment (LIA) and the abuse-flag retention period. This retention must be actually implemented (a one-way keyed hash — e.g. HMAC with a secret — of the phone at deletion) to match this disclosure. Not yet found in code as of 2026-07-13.]
If you object to this retention, contact us (§9) and we will consider your objection under Art. 21; we may keep the hash where our overriding fraud-prevention grounds apply.
Everyone: access, correct, and delete your data (§7), through the app or by contacting us.
EEA / UK (GDPR): also the right to restrict or object to processing, data portability, to withdraw consent where relied on, and to lodge a complaint with your data protection authority.
California (CCPA/CPRA): the right to know/access, delete, and correct your personal information, and to opt out of sale/sharing — we do not sell or share personal information as defined by the CPRA. We will not discriminate against you for exercising your rights.
To exercise any right, use the in-app tools or email privacy@flowbaba.co. We may need to verify your request (e.g. that you control the account’s phone number).
Questions, requests, or complaints: privacy@flowbaba.co. [Must be a real, monitored inbox before publication.]
Point7 Systems Private Limited, 821, 3rd Cross Street, Radhakrishnan Nagar, Vellore 632206, India
Flowbaba is not intended for children under 13, and you must be at least 13 to use it. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact us and we will delete it.
[Confirm the minimum age against the final Apple age rating (13+/16+/18+) and the Google IARC rating. If you set 16+ for the EU or a higher minimum, state and enforce it; if under-16 EU users are possible, add parental-consent handling.]
We protect your data with transport encryption (HTTPS/TLS everywhere), one-time-code authentication (no stored passwords), signed and expiring media links, database row-level security so users can only reach their own data, and least-privilege access. No method is perfectly secure, but we work to protect your information and respond to incidents.
We may update this Policy. For material changes we will update the “Last updated” date and, where appropriate, notify you in the app. Continued use means you accept the revised Policy.