1. Data Controller
The entity that collects and processes your personal data (the Data Controller under GDPR) is Floway Studio. Contact information:
- Trading name: Floway Studio
- Contact address: __TODO__ (to be updated upon completion of business registration)
- Data Protection Officer (DPO) email: hello@flowaystudio.com
- Official website: https://flowaystudio.com
1.1 Scope
This policy applies to all users accessing flowaystudio.com, using the Floway and VAM desktop software, or interacting with us via customer support channels. The policy does not apply to third-party websites or services linked from our products — please refer to their respective policies.
2. Personal data we collect
We collect only the minimum data necessary to provide the service (data minimization — GDPR Art. 5(1)(c)):
2.1 When you register an account
- Email address (required) — account identifier and service communication
- Password (required, stored as PBKDF2-SHA256 hash + salt, never plaintext)
- Display name (required) — shown in the product interface
- Phone number (optional, E.164 international format) — for Zalo/SMS support if you opt in
- Preferred language (auto-detected via Accept-Language header, editable)
- Country code (auto-detected via Cloudflare CF-IPCountry, ISO 3166-1 alpha-2)
- Marketing email opt-in (defaults to OFF, opt-in only)
2.2 When you sign in with Google
If you choose to sign in via Google, we receive the following fields via the standard OAuth 2.0 + OpenID Connect protocol:
- Google User ID (unique identifier, not the email)
- Verified email address
- Display name
- Public avatar URL (if set on your Google account)
- Language and country preferences
2.3 When you buy credits
We use payOS (bank transfer / QR code, VND) for credit purchases. We NEVER store your bank account or card number directly — payOS and your bank handle that.
- payOS order code (transaction identifier, not an account/card number)
- Amount, currency, credit pack purchased, transaction date
- For manual bank transfer: your uploaded receipt screenshot (stored as base64 in the database, max ~750KB)
- Transaction note and bank reference (if applicable)
2.4 When you use the service
To operate the service, ensure security, and enforce our terms of use, we automatically collect:
- Your IP address (auto-anonymized 30 days after your most recent activity — IPv4 last octet or IPv6 last 80 bits set to zero)
- Browser or device User-Agent string
- Hardware fingerprint (for desktop software): SHA-256 hashes of CPU ID, motherboard UUID, disk drives — used to manage signed-in devices and prevent unauthorized account sharing
- Login, logout, password-change history (retained up to 90 days)
- Failed login counter, account lockout state (auto-cleared on lockout expiry)
2.5 Data we do NOT collect
We deliberately avoid collecting the following categories to minimize privacy risk:
- Video / image content you process in VAM — the entire AI pipeline runs 100% on your machine (local-first); nothing is uploaded to our servers
- Script, prompt, project content in Floway — also runs locally, never sent to our servers
- Bank account / card numbers — payOS and your bank process them directly, we receive only the order code and status
- Precise geographic location (GPS) — only country-level estimation via IP
- Sensitive data per GDPR Art. 9 (health, biometrics, sexual orientation, religion, political views) — we neither request nor process these
3. Purposes of processing
Each data category is collected with a specific purpose and not used for other purposes (purpose limitation — GDPR Art. 5(1)(b)):
- Service provision: account authentication, credit balance / usage entitlement management, settings sync across devices
- Security: detect and prevent unauthorized access (rate-limit, lockout, login IP tracking)
- Billing: process transactions, send receipts, support payment disputes
- Transactional communication: signup confirmation, password reset, credit purchase receipts, important account notices
- Product improvement: crash reports, feature usage telemetry — STRICTLY excluding your work content
- Marketing (ONLY if you opt in): product news and promotions via email — unsubscribe any time
- Legal compliance: respond to lawful requests from competent authorities
4. Legal basis for processing
Under GDPR Art. 6, we rely on one of the following legal bases for each processing purpose:
- Performance of a contract (Art. 6(1)(b)) — providing the service you purchased, account authentication, transactional emails
- Your consent (Art. 6(1)(a)) — marketing emails, non-essential cookies
- Legitimate interests (Art. 6(1)(f)) — security (rate-limit, fraud detection), aggregate product improvement
- Legal obligation (Art. 6(1)(c)) — invoice retention per Vietnamese Accounting Law (5-10 years), responses to lawful authority requests
4.1 Withdrawing consent
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To withdraw: go to /account/profile and uncheck "Receive product news" for marketing email, or contact hello@flowaystudio.com for other consent categories.
6. Retention periods
We retain data only as long as necessary to fulfill the purposes for which it was collected (storage limitation — GDPR Art. 5(1)(e)):
- Account profile: lifetime of active account + 30 days after you request deletion (recovery window)
- Full IP address: max 30 days, then auto-anonymized (last octet zeroed)
- Session log (sessions table): max 90 days, then auto-deleted
- Password-reset tokens: expire after 60 minutes; hard-deleted 7 days after use or expiry
- Payment + invoice history: minimum 10 years per Vietnam Accounting Law 2015 Article 41 (linked PII is anonymized if you delete your account — only amount, transaction date, and transaction ID are retained for reconciliation)
- Error reports (Sentry): max 90 days per Sentry default retention
7. International data transfers
Our infrastructure runs on Cloudflare's global network. Your data may be processed at Cloudflare data centers in the US, Europe, Asia, and other regions depending on your geographic proximity. Cloudflare has been recognized by the European Commission as providing equivalent protection via Standard Contractual Clauses (SCC).
Payment data processed by payOS stays within Vietnam (not transferred abroad). Resend and Sentry are headquartered in the United States — these partners have signed SCCs with us and comply with the EU-US Data Privacy Framework where applicable.
For users in Vietnam: your personal data may be processed outside Vietnam in accordance with Decree 13/2023/ND-CP on cross-border transfers. We ensure protections abroad equivalent to Vietnamese law.
8. Your rights
Under GDPR (EU), CCPA (California), and PDPD (Vietnam), you have the following rights regarding your personal data. To exercise any right, go to /account/profile or email hello@flowaystudio.com. We respond within 30 days (extendable to 60 days for complex cases, with prior notice).
8.1 Right of access (GDPR Art. 15, CCPA §1798.110)
You may request a copy of all personal data we hold about you. Go to /account/privacy and click "Download JSON file" to receive it immediately.
8.2 Right to rectification (GDPR Art. 16)
You can update your account information (display name, phone, language, marketing preferences) at any time at /account/profile.
8.3 Right to erasure — "right to be forgotten" (GDPR Art. 17)
You can request account deletion at /account/privacy. Upon request, account access is immediately locked, and you have a 30-day window to change your mind and restore the account. After this window we auto-anonymize personal data (name, email, phone, avatar, IP) — only payment records are retained under legal obligation.
8.4 Right to restrict processing (GDPR Art. 18)
You may request that we pause processing of your data while disputing its accuracy or lawfulness. Email hello@flowaystudio.com.
8.5 Right to data portability (GDPR Art. 20)
You may export your data in machine-readable format (JSON) and transfer it to another service. Use the same path as for the right of access: /account/privacy.
8.6 Right to object (GDPR Art. 21)
You may object to our processing based on legitimate interests or for direct marketing. For email marketing, use the "Unsubscribe" link in any email or the toggle at /account/profile.
8.7 CCPA — right to opt out of sale
California users: we do NOT sell personal data to third parties for commercial purposes. If this policy ever changes, we will provide a "Do Not Sell My Personal Information" option with prior notice.
8.8 Right to lodge a complaint
If you believe our processing violates the law, you have the right to complain to the supervisory authority: (a) in the EU — your country's data protection authority (see edpb.europa.eu), (b) in California — the California Attorney General's office, (c) in Vietnam — the Ministry of Information and Communications or the Ministry of Public Security per Decree 13/2023.
9. Security measures
We apply appropriate technical and organizational measures to protect your data per GDPR Art. 32:
- Encryption in transit: HTTPS/TLS 1.3 on all connections
- Encryption at rest: AES-256 at the database layer (Cloudflare D1)
- Passwords: PBKDF2-SHA256 hash + UUID salt, never plaintext
- Authentication tokens: RS256-signed JWTs, rotated on password change or admin revoke
- Password-reset tokens: SHA-256 hashed, single-use, 60-minute expiry
- Access control: only authorized personnel access production data with mandatory 2FA
- Audit logging: all admin actions logged, 90-day retention for incident investigation
- Brute-force defense: IP + email rate-limit, 15-minute account lockout after 5 failed login attempts
11. Children's privacy
Our service is not directed to children under 16 (EU/UK) or under 13 (US, per COPPA). We do not knowingly collect data from children. If you are a parent who discovers your child has registered, please contact us to delete the account.
12. Data breach notification
In case of a data breach affecting your personal data, we will notify the competent authority within 72 hours and notify you directly within 5 business days where the breach poses a high risk to your rights and freedoms (GDPR Art. 33-34, PDPD Art. 22).
13. Changes to this policy
We may update this policy periodically to reflect changes in the service or legal requirements. The most recent revision date is shown at the top. For material changes (broader data collection, new sub-processor, change of legal basis), we will notify you via email at least 14 days before they take effect.
14. Contact us
For any questions or requests related to this policy:
- Data Protection Officer (DPO): hello@flowaystudio.com
- General support: hello@flowaystudio.com
- Manage your rights: /account/privacy
For any questions about this policy, please contact us at the email above. We respond within 30 days.
