Flowbaba Privacy Policy

Last updated: July 13, 2026

This Privacy Policy explains what personal data Flowbaba collects, why, how long we keep it, and the choices and rights you have. It applies to the Flowbaba mobile app and the flowbaba.co website (together, the “Service”), operated by Point7 Systems Private Limited (“Flowbaba”, “we”, “us”).

Questions or to exercise your rights: privacy@flowbaba.co.

Contents
  1. Summary
  2. Who we are
  3. What we collect and why
  4. How your information is shared
  5. International transfers
  6. How long we keep data
  7. Deleting your account (and what we keep, and why)
  8. Your rights
  9. Contact
  10. Children
  11. Security
  12. Changes

1. Summary

2. Who we are (data controller)

The data controller is Point7 Systems Private Limited, 821, 3rd Cross Street, Radhakrishnan Nagar, Vellore 632206, India. Contact: privacy@flowbaba.co.

3. What we collect and why

3.1 Account and identity

DataWhyLegal basis (GDPR)
Phone numberCreate your account and sign you in via one-time SMS code. Also used, in hashed form, for fraud/abuse prevention after deletion (§7).Contract (Art. 6(1)(b)); legitimate interests for the retained hash (Art. 6(1)(f))
Display nameShown on your profile and content.Contract (Art. 6(1)(b))
@handleYour unique public username and profile URL.Contract (Art. 6(1)(b))
Session tokenKeeps you signed in securely on your device.Contract (Art. 6(1)(b))

We authenticate with one-time SMS codes only. We do not collect or store passwords.

3.2 Content you create

Legal basis: performance of our contract with you (Art. 6(1)(b)).

Location. Flowbaba’s data model reserves fields for a moment’s coordinates, but the app does not currently collect or attach your location. [If location capture ships, update this section and the store data-safety disclosures, and request permission at that time.]

3.3 Media handling

Your photos and videos are uploaded to and delivered from Cloudflare (Images for photos, Stream for video, R2 for other media) using signed, expiring links.

3.4 Technical, usage, and diagnostic data

DataWhyLegal basis
Product analytics keyed to your user ID (analytics distinct_id), via PostHogUnderstand usage and improve the appLegitimate interests (Art. 6(1)(f)); consent where required
Crash/error reports (device model, OS, app version, stack traces) via SentryDetect and fix crashes and bugsLegitimate interests (Art. 6(1)(f))
Device/app metadataOperate, secure, debug the ServiceLegitimate interests (Art. 6(1)(f))
Push token (Apple/Google)Deliver notifications you enabledContract / consent

Sentry is configured not to send personally identifying request data by default. [Confirm PostHog Session Replay status before launch — currently disabled/inert; if enabled it records screen interactions and must be disclosed and masked.]

3.5 We do not collect

4. How your information is shared

We share personal data only as described here. We do not sell your personal data, and we do not “share” it for cross-context behavioral advertising as defined under California law.

4.1 With other users

Your profile (@handle, display name, profile media), your public moments, and content you direct to others (tags, messages, connections) are visible to the people you’d expect — the public for public moments; specific people for private moments, tags, and direct messages.

4.2 Service providers (processors / sub-processors)

ProviderWhat it does for usData involved
SupabaseAuthentication (GoTrue), primary database (Postgres), real-time message delivery (Realtime)Phone number (via auth), account data, app content, messages
TwilioSends one-time SMS login codes (Twilio Verify)Phone number, verification code
CloudflareMedia storage/delivery (Images, Stream, R2) via signed links; website/edge (Pages)Your photos, videos, other media
PostHogProduct analyticsUsage events keyed to your user ID
SentryCrash and error reportingDiagnostic/error data, device metadata
ApplePush notifications (APNs) on iOS; app distributionPush token, device data
GooglePush notifications (Expo/FCM) on Android; app distributionPush token, device data

[Maintain this as the authoritative sub-processor list; add each provider’s privacy/DPA reference and hosting region for legal review.]

4.3 Legal and safety

We may disclose data if required by law, to enforce our Terms, or to protect the rights, safety, and security of users, the public, or Flowbaba (including fraud/abuse prevention — §7).

4.4 Business transfers

If Flowbaba is involved in a merger, acquisition, or asset sale, personal data may transfer as part of that transaction; we will require the recipient to honor this Policy.

5. International data transfers

We and our providers may process your data in countries other than where you live, including the United States. Where required, we rely on appropriate safeguards (for example, EU Standard Contractual Clauses). [Legal to confirm the transfer mechanism per provider and per the company’s establishing jurisdiction.]

6. How long we keep data

7. Deleting your account (and what we keep, and why)

You can delete your Flowbaba account in the app (Settings → Delete account) or on the web at https://flowbaba.co/delete-account.

When you delete your account:

  1. Your account and content are removed from the Service. We soft-delete your account, moments, media, and profile; every read path filters deleted records out, so your content is no longer shown to anyone. Media bytes and records are then purged as part of account erasure. [Confirm the hard-erasure job is shipped (product #42) before this Policy relies on it.]
  2. Your @handle is reserved for six (6) months, then released — to prevent impersonation and confusion — after which it becomes available again. [This time-boxed per-user reservation is a stated policy; today the code reserves only system/brand handles. Implement before this claim is truthful.]
3. We retain a one-way, irreversible keyed hash of your phone number, plus minimal abuse flags — and nothing else that identifies you.

We do not keep your phone number after deletion. We keep a keyed cryptographic hash of it (which cannot be reversed back into your number and cannot be used to contact you) together with minimal flags recording whether the account was banned or tied to fraud or abuse. This stops a banned or abusive user from deleting and recreating an account to evade a ban or farm rewards.

Why we’re allowed to keep this: our legitimate interests in preventing fraud, abuse, and ban-evasion and in protecting our community (GDPR Art. 6(1)(f); Recital 47 recognizes fraud prevention as a legitimate interest). The retained data is minimal, irreversible, and cannot identify or contact you — which is why this narrow retention can survive an erasure request under Art. 17 (erasure does not apply where processing is necessary for overriding legitimate grounds).

What it is not: not your phone number, not reversible, not used for marketing, not shared for advertising.

[Document the legitimate-interest assessment (LIA) and the abuse-flag retention period. This retention must be actually implemented (a one-way keyed hash — e.g. HMAC with a secret — of the phone at deletion) to match this disclosure. Not yet found in code as of 2026-07-13.]

If you object to this retention, contact us (§9) and we will consider your objection under Art. 21; we may keep the hash where our overriding fraud-prevention grounds apply.

8. Your rights

Everyone: access, correct, and delete your data (§7), through the app or by contacting us.

EEA / UK (GDPR): also the right to restrict or object to processing, data portability, to withdraw consent where relied on, and to lodge a complaint with your data protection authority.

California (CCPA/CPRA): the right to know/access, delete, and correct your personal information, and to opt out of sale/sharing — we do not sell or share personal information as defined by the CPRA. We will not discriminate against you for exercising your rights.

To exercise any right, use the in-app tools or email privacy@flowbaba.co. We may need to verify your request (e.g. that you control the account’s phone number).

9. Contact

Questions, requests, or complaints: privacy@flowbaba.co. [Must be a real, monitored inbox before publication.]

Point7 Systems Private Limited, 821, 3rd Cross Street, Radhakrishnan Nagar, Vellore 632206, India

10. Children

Flowbaba is not intended for children under 13, and you must be at least 13 to use it. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact us and we will delete it.

[Confirm the minimum age against the final Apple age rating (13+/16+/18+) and the Google IARC rating. If you set 16+ for the EU or a higher minimum, state and enforce it; if under-16 EU users are possible, add parental-consent handling.]

11. Security

We protect your data with transport encryption (HTTPS/TLS everywhere), one-time-code authentication (no stored passwords), signed and expiring media links, database row-level security so users can only reach their own data, and least-privilege access. No method is perfectly secure, but we work to protect your information and respond to incidents.

12. Changes to this Policy

We may update this Policy. For material changes we will update the “Last updated” date and, where appropriate, notify you in the app. Continued use means you accept the revised Policy.