Privacy Policy
Last updated: May 19, 2026 — Effective: March 1, 2026
1. Data controller
The data controller responsible for your personal data is:
FlowView AB
Org. nr: [To be assigned]
Registered address: Sweden
Email: legal@flowview.io
Web: https://grid3d-qt-flowview-licensing.onrender.com
FlowView AB does not currently meet the threshold requiring appointment of a Data Protection Officer (DPO) under GDPR Article 37. For all privacy inquiries, contact legal@flowview.io.
2. Scope
This policy applies to all personal data processed by FlowView AB through:
- The FlowView 3D Grid Viewer desktop application ("the Application")
- The FlowView marketing website ("the Website") at our public site
- Related licensing, payment, and support services
3. What personal data we collect
3.1 Desktop Application
| Category | Data elements | Collected from |
|---|---|---|
| License validation | Machine fingerprint (hardware-derived identifier), license key | Your device, at activation |
| Usage metrics | Anonymised feature usage counts and tab switch events | Local application activity |
| Diagnostic logs | Timestamped application events, error traces | Local application activity |
Warehouse grid data (bin positions, cell definitions, operational data) is processed entirely on your local machine. We never collect, transmit, or store your warehouse data.
Offline mode: When using an offline .lic file, no personal data is transmitted to any external server.
Usage metrics and diagnostic logs are stored locally and are never transmitted without your explicit action (manual export).
3.2 Website & Web Services
| Category | Data elements | Collected from |
|---|---|---|
| Contact / account | Email address, name (if provided) | You, via purchase or demo form |
| Payment | Billing name, billing address, payment method details | You, via Stripe checkout (processed by Stripe; we do not store card details) |
| Licensing | License key, machine fingerprint, activation timestamps | Your device, via Keygen.sh API |
| Server logs | IP address, browser user-agent, pages visited, timestamps | Automatically by our hosting infrastructure |
4. Purposes and legal basis for processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| License activation, validation, and renewal | Performance of contract (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Performance of contract (Art. 6(1)(b)) |
| Delivering license keys and transactional emails | Performance of contract (Art. 6(1)(b)) |
| Providing customer support | Performance of contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product improvement (aggregated, anonymised analytics) | Legitimate interest (Art. 6(1)(f)) |
| Compliance with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests do not override your rights. You may object to processing based on legitimate interest at any time (see Section 7).
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not engage in profiling or automated decision-making that produces legal or similarly significant effects.
5. Recipients and third-party processors
We share personal data only with the following categories of recipients, each bound by data processing agreements:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, billing details, payment method | USA (EU SCCs in place) |
| Keygen LLC | License management | License key, machine fingerprint, email | USA (EU SCCs in place) |
| Twilio / SendGrid | Transactional email delivery | Email address, email content | USA (EU SCCs in place) |
| Render Services, Inc. | Web hosting | Server logs (IP, user-agent) | USA (EU SCCs in place) |
| Calendly LLC | Demo scheduling | Name, email (entered by you into the Calendly widget) | USA (EU SCCs in place) |
6. International data transfers
Some of our processors are located in the United States, which the European Commission has not recognised as providing an adequate level of data protection for all transfers. To safeguard your data, we rely on:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, incorporated into our data processing agreements with each US-based processor.
- EU-U.S. Data Privacy Framework certifications where applicable (Stripe is a participant).
You may request a copy of the applicable safeguards by contacting legal@flowview.io.
7. Your rights under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15) -- Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) -- Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) -- Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to restriction (Art. 18) -- Request that we limit processing of your data under certain conditions.
- Right to data portability (Art. 20) -- Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) -- Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)) -- Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email legal@flowview.io. We will verify your identity and respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority for FlowView AB is:
Integritetsskyddsmyndigheten (IMY)
Swedish Authority for Privacy Protection
Box 8114, 104 20 Stockholm, Sweden
Phone: +46 (0)8 657 61 00
Email: imy@imy.se
Web: www.imy.se
8. Your rights under CCPA / CPRA (California residents)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides additional rights:
- Right to know -- Request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it.
- Right to delete -- Request deletion of personal information we have collected from you, subject to legal exceptions.
- Right to correct -- Request correction of inaccurate personal information.
- Right to opt out of sale/sharing -- We do not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is necessary.
- Right to non-discrimination -- We will not discriminate against you for exercising your privacy rights.
- Right to limit use of sensitive personal information -- We do not use sensitive personal information beyond what is necessary to provide the services.
To exercise these rights, email legal@flowview.io. We will verify your identity and respond within 45 days.
CCPA categories of personal information collected
| CCPA category | Examples | Collected | Sold/Shared |
|---|---|---|---|
| Identifiers | Email, name, IP address, machine fingerprint | Yes | No |
| Commercial information | Purchase history, license keys | Yes | No |
| Internet activity | Pages visited, browser type | Yes | No |
| Geolocation data | Approximate location from IP address | Yes (server logs) | No |
| Financial information | Billing address (card data held by Stripe only) | Yes (via Stripe) | No |
9. Data retention
| Data category | Retention period | Basis |
|---|---|---|
| License data | Duration of subscription + 90 days | Contract performance; deletion upon request |
| Payment and invoice records | 7 years after the fiscal year of transaction | Swedish Bookkeeping Act (Bokföringslagen 7:2) |
| Email addresses | Until you request deletion or unsubscribe | Contract / consent |
| Server logs (IP, user-agent) | 30 days | Legitimate interest (security) |
| Local application data | Under your control on your machine | We have no access to or copies of this data |
10. Cookies and tracking technologies
Our website uses strictly necessary cookies only:
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
__stripe_mid, __stripe_sid | Stripe fraud prevention during checkout | Session / 1 year | Stripe, Inc. |
We do not use analytics cookies, tracking pixels, advertising cookies, or social media plugins. We do not honour Do Not Track (DNT) browser signals because we do not track users in the first place. We respect the Global Privacy Control (GPC) signal as an opt-out of sale/sharing, although we do not sell or share personal information.
11. Security measures
We implement appropriate technical and organisational measures pursuant to GDPR Article 32, including:
- TLS 1.2+ encryption for all web traffic and API communications
- Encrypted license key transmission between your device and Keygen.sh
- No storage of payment credentials on our infrastructure (PCI DSS compliance delegated to Stripe)
- Access controls: production systems are accessible only by authorised personnel
- Regular security reviews of our application codebase
- Data processing agreements with all third-party processors
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay (GDPR Art. 34) where required.
12. Children's privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe we have inadvertently collected such data, please contact legal@flowview.io.
13. Automated decision-making
We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Art. 22).
14. Whether provision of data is required
Providing your email address and payment details is a contractual requirement to purchase a license. If you do not provide this data, we cannot process your order. Providing a machine fingerprint is a technical necessity for license activation.
All other data collection (server logs) occurs automatically and is necessary for the secure operation of our services.
15. Changes to this policy
We may update this privacy policy to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify active subscribers by email at least 14 days before changes take effect.
- Where required by law, obtain your consent to material changes.
We encourage you to review this policy periodically. This policy will be reviewed at least once every 12 months.
16. Public website indexing and AI crawlers
Our public marketing pages (home, features, pricing, download, demo, changelog, privacy, terms, and system status) contain product and legal information intended for search-engine indexing and citation by general web crawlers. We publish an llms.txt summary at the site root to help AI agents discover accurate product facts.
We block AI training crawlers in our robots.txt file, including GPTBot, Google-Extended, anthropic-ai, Applebot-Extended, and Bytespider. These bots must not use our public HTML to train generative models.
Search-oriented bots (for example OAI-SearchBot and PerplexityBot) are not blocked unless we update this policy. They may index public pages for retrieval and citation in the same way as conventional search engines.
We do not intend /api/* routes to be crawled or indexed. Server logs may record crawler IP addresses and user-agent strings for security (see Section 9).
Public website content does not include your warehouse grid data, which remains on your local machine when using the desktop Application.
17. Contact us
For any questions, concerns, or requests related to this privacy policy or your personal data:
FlowView AB
Email: legal@flowview.io
Web: https://grid3d-qt-flowview-licensing.onrender.com
We aim to resolve all privacy-related inquiries within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (see Section 7).
This privacy policy is effective as of March 1, 2026. Document version: 1.0.