Privacy Policy
Last updated: 24 February 2026
1. Who We Are
FlowLance is operated by The Good Ship Ltd, a company registered in England & Wales. If you have any questions about this policy, contact us at hello@flowlance.io.
2. What You Store With Us
FlowLance only holds data that you actively provide or connect. We do not scrape, purchase, or infer personal data from third parties. Sensitive fields (bank tokens, payment credentials, invoice bank details) are encrypted at rest using AES-256-GCM — we cannot read them in plaintext.
- Account information — email address, name, and profile image you provide during sign-up.
- Business records — clients, invoices, proposals, projects, and contracts you create within the app. This is your data and remains under your control.
- Financial connections — if you choose to link your bank via TrueLayer, we receive read-only transaction data to power cashflow forecasting. Bank access tokens are encrypted and we never have access to your bank login credentials. Subscription payments are handled entirely by Stripe — we never see or store your card details.
- Time tracking data — time entries, day templates, and goals you record. Calendar data is only accessed if you explicitly connect Google Calendar.
- AI-processed content — text and documents you submit for AI analysis or proposal generation. This content is sent to AI providers for processing only and is not stored by them for training purposes.
- Opportunity data — job listings crawled from sources you subscribe to, fit scores, and your feedback.
3. How Your Data Is Used
Your data is used solely to provide the FlowLance service to you. We do not sell, share, or use your data for advertising, profiling, or any purpose beyond what is described below.
- Powering your tools — displaying your dashboard, generating invoices, calculating cashflow forecasts, and tracking your time. All processing happens on your behalf.
- AI features — when you use proposal generation, fit scoring, or document analysis, the relevant content is sent to AI providers for processing. It is not stored by them or used for model training.
- Billing — processing your subscription payment via Stripe. We only receive confirmation of payment status — Stripe handles all card details directly.
- Transactional emails — sending invoice emails to your clients and account notifications to you. We do not send marketing emails to third parties.
4. Third-Party Data Processors
We use the following services to operate FlowLance. Each processes only the data necessary for its purpose.
| Service | Purpose | Location | Data Sent |
|---|---|---|---|
| Neon Postgres | Database | UK (London) | All application data |
| Better Auth | Authentication | Self-hosted (UK) | Email, name, profile |
| Stripe | Payments | EU (Ireland) | Payment details |
| Resend | EU (Ireland) | Invoice emails | |
| TrueLayer | Open Banking | UK | Bank data (encrypted) |
| Vercel | Hosting & files | UK (London) | App requests, uploads |
| Anthropic / OpenAI / Google | AI features | US | Content for analysis (not stored) |
| Inngest | Background jobs | US | Job payloads |
| Firecrawl | Web crawling | US | URLs only |
| Slack API | Integration | US | Channel messages (user-connected) |
| Google Calendar | Integration | US | Calendar events (user-connected) |
5. Data Security
Your data security is our priority. We apply multiple layers of protection to ensure your information stays private.
- Encryption at rest — sensitive fields including bank access tokens, invoice payment details, and financial credentials are encrypted with AES-256-GCM. Even with database access, this data cannot be read in plaintext.
- Encryption in transit — all data between your browser and our servers is protected by TLS.
- No tracking — we do not use marketing trackers, third-party analytics scripts, or advertising cookies.
- Minimal access — access to production systems is restricted to authorised personnel only. We do not access your data except to provide the service or when required by law.
- No credential storage — we never store your bank login credentials or card details. Bank connections use TrueLayer's secure OAuth flow; payments use Stripe's PCI-compliant infrastructure.
6. Cookies
FlowLance uses a single session cookie for authentication. We do not use analytics cookies, marketing cookies, or any third-party tracking cookies.
7. Your Rights (GDPR)
Under the UK GDPR and the Data Protection Act 2018, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your personal data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing of your data in certain circumstances.
To exercise any of these rights, contact us or email hello@flowlance.io.
8. Data Retention
Your data is retained for as long as your account is active. When you delete your account, all associated data is cascade-deleted from our database. Backups are purged within 30 days of account deletion.
9. Contact
For any privacy-related questions or requests, you can use our contact form or email us at hello@flowlance.io.
10. Governing Law
This privacy policy is governed by the laws of England & Wales.