1. Data controller
The controller responsible for FlowBar AI is ZHANG CHUNYU (张春玉), an individual operator in the People’s Republic of China. Privacy and data-rights requests: support@flowbarai.com. No data protection officer has been appointed because the current processing activities do not require one.
2. Information we collect
2.1 Information you provide
- Account information, including username, email address, encrypted or hashed credentials, verification data, and referral code.
- Payment information we receive, including order ID, amount, currency, status, payment method, and account reference. We do not receive or store full card numbers.
- Prompts, text, files, images, video inputs, API requests, and other content you choose to submit for model processing.
- Support messages, refund requests, feedback, and related communications.
2.2 Information collected automatically
- IP address, browser and device type, operating system, language, time zone, and session information.
- API and product usage metadata, including request time, route, model, token or generation usage, duration, status code, latency, and billing amount.
- Security, authentication, fraud-prevention, error, and performance logs.
We do not intentionally collect precise location data. If you sign in through a third-party provider, we receive only the profile information that provider discloses with your authorization.
3. How and why we use information
| Purpose | Legal basis |
|---|---|
| Provide accounts, API access, AI processing, metering, credits, and billing | Performance of our contract |
| Customer support, refunds, and service notices | Contract and legitimate interests |
| Security, abuse prevention, fraud detection, and platform integrity | Legitimate interests and legal obligations |
| Reliability, analytics, debugging, and product improvement | Legitimate interests |
| Tax, accounting, payment, sanctions, and regulatory compliance | Legal obligations |
We may aggregate or de-identify information for statistics and service improvement. De-identified information is not used to identify you.
4. Cookies and similar technologies
| Type | Purpose | Optional |
|---|---|---|
| Strictly necessary | Authentication, security, session continuity, and core functions | No |
| Functional | Language, theme, and interface preferences | Yes |
| Analytics | Aggregated service performance and usage measurement | Yes |
We do not currently use advertising cookies or sell data for targeted advertising. You can restrict optional cookies through browser settings; disabling necessary cookies may prevent login or core functions.
5. Sharing and service providers
We do not sell personal information, including a “sale” as defined by the CCPA. We share only what is necessary with:
- Waffo Pancake, our merchant of record and PCI-DSS payment processor. Card data is handled exclusively by Waffo Pancake and does not pass through or remain on our servers.
- Cloud hosting, security, email, monitoring, and customer-support providers acting under appropriate confidentiality and data-processing terms.
- Third-party AI model providers needed to process the prompts, files, and parameters you submit. Depending on the selected model, these may include OpenAI, Anthropic, Google, xAI, DeepSeek, Alibaba Cloud, ByteDance, MiniMax, and providers shown on the model or pricing pages.
- Professional advisers, courts, regulators, or authorities when legally required.
- A successor in a merger, acquisition, or asset transfer, subject to continued protection and notice where required.
6. AI inputs and API content
Inputs and outputs are transmitted to the selected upstream model provider to fulfill your request. We process them only for service delivery, security, troubleshooting, and legal compliance. We do not use private API inputs to train our own general-purpose AI models without explicit consent. Upstream providers may process data under their own terms and privacy policies; avoid sending sensitive personal data unless necessary and legally permitted.
7. Security
- TLS/HTTPS encryption in transit.
- Hashed or encrypted credentials and access controls based on least privilege.
- Authentication, security logging, abuse controls, and credential rotation capabilities.
- Backups, monitoring, and vulnerability remediation appropriate to the Service.
If a security incident materially affects your rights, we will notify affected users and relevant regulators within the period required by applicable law and, where GDPR applies, without undue delay and where feasible within 72 hours after becoming aware.
8. Retention
| Data | Retention | End-of-period action |
|---|---|---|
| Account and profile data | While active; up to 90 days after an approved deletion request | Delete or anonymize, subject to legal exceptions |
| Transactions and accounting records | Up to 7 years where needed for tax, accounting, disputes, or payment compliance | Secure deletion or legally required archive |
| Support and refund records | 2 years after closure of the request | Secure deletion |
| API usage and security logs | Normally 12 months; longer only for an active security, fraud, or legal investigation | Delete or anonymize |
| Request or response content retained for troubleshooting | Only as long as necessary for the specific incident, normally no more than 30 days | Secure deletion |
9. Your privacy rights
Depending on your location, you may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent. Email support@flowbarai.com. We may verify your identity and will respond within 30 calendar days, or within another legally required period. Some records may be retained where necessary for legal compliance, security, fraud prevention, or disputes. You may complain to your local data-protection authority.
10. Service and marketing communications
We may send necessary account, billing, security, outage, and policy notices. If optional marketing is introduced, it will be sent only where permitted and will include an unsubscribe method. Opting out of marketing does not stop necessary service notices.
11. International transfers
Our servers, infrastructure, payment processor, and AI providers may process data in the United States, Singapore, the European Economic Area, China, and other locations where the selected providers operate. Where required, transfers use contractual safeguards such as the EU Standard Contractual Clauses, adequacy decisions, or equivalent protections. We limit transfers to data needed for the relevant service.
12. Children
The Service is intended only for people aged 18 or older. We do not knowingly collect information from children. If you believe a child has provided information, contact us and we will investigate and delete it where required.
13. Third-party services
The Service may link to or integrate third-party services. This Policy applies only to information we directly control. Review the privacy policies of third-party model, payment, authentication, and linked services before using them.
14. Changes and contact
For material changes, we will provide at least 15 days’ notice through email or an in-service announcement unless earlier action is required by law or security. The latest date appears at the top of this page.
- Controller: ZHANG CHUNYU (张春玉), individual operator, People’s Republic of China
- Privacy and support email: support@flowbarai.com
- Website: https://flowbarai.com
- Service hours: Monday–Friday, 09:00–18:00 China Standard Time (UTC+8), excluding public holidays.