FlowRead

Privacy Policy

Last updated: 17 January 2026

Overview

FlowRead ("FlowRead", "we", "us", "our") provides tools to turn text into high‑quality audio with synchronized highlighting and learning features. We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what we collect, how we use it, who we share it with, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

Data Controller: FlowRead

Address: FlowRead, 124 City Road, London, EC1V 2NX, United Kingdom

Contact: support@flowread.io

What data we collect

We may collect the following categories of personal data:

  • Account & authentication data: Email address, account identifiers, and authentication tokens. If you contact us, we retain communications.
  • Payment information: If you subscribe to premium features, payment card details (last 4 digits), billing address, and transaction history are processed by Stripe. We do not store full payment card numbers.
  • Waitlist data: Email addresses submitted via LaunchList for priority access or product updates.
  • Usage & analytics data: Product analytics including but not limited to page views, button clicks, navigation patterns, feature usage, device information (browser type, OS, screen size), and session recordings. Analytics are collected via PostHog (EU region) and Bento.
  • TTS processing data: Text you submit for conversion to speech, voice selection preferences, playback speed settings, and related metadata. Generated audio may be cached or stored to improve performance and enable playback across devices.
  • User-generated content: Sources you save, notes, highlights, and other content you create within the application.
  • Technical & diagnostic data: IP addresses, timestamps, error logs, browser console data, and crash reports for troubleshooting and security purposes.

The specific data collected may vary depending on which FlowRead services you use (browser extension vs web application) and your settings.

How we use your data (lawful bases)

  • Provide and improve the service (UK GDPR Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests): render TTS audio, highlight synchronization, measure performance, fix issues.
  • Analytics and product insights (Art. 6(1)(f) legitimate interests): understand feature usage to improve FlowRead. We avoid collecting unnecessary personal identifiers and honor do‑not‑track where supported.
  • Marketing communications / waitlist (Art. 6(1)(a) consent): send updates where you opted in (e.g., LaunchList). You may opt out at any time.
  • Security and fraud prevention (Art. 6(1)(f) legitimate interests; Art. 6(1)(c) legal obligation): protect our users and service.

Third-party processors

We engage third-party service providers to process data on our behalf. These processors may change from time to time. Current key providers include:

  • Clerk (authentication): manages user accounts, login sessions, and authentication. Located in the United States with appropriate transfer safeguards.
  • Stripe (payment processing): processes subscription payments, stores payment methods, and manages billing. Stripe maintains PCI DSS compliance. Located in the United States.
  • Supabase (database & storage): hosts user data, content, and generated audio files. EU region available.
  • DeepInfra (TTS synthesis): processes text you submit to generate audio output. Data is processed transiently.
  • PostHog (product analytics; EU region): captures usage analytics which may include page views, button clicks, navigation patterns, session recordings, and device information. Data is pseudonymized where possible.
  • Bento (product events): captures high-level product events and user engagement metrics.
  • LaunchList (waitlist management): stores waitlist email addresses and sends confirmation communications.
  • OpenRouter (AI features): processes prompts and content when AI-powered features are invoked, if applicable.

We require data processing agreements with our processors and conduct reasonable diligence on their security practices. However, we cannot guarantee the security practices of third parties. We may add, remove, or replace processors as our business needs evolve.

International transfers

Your data may be processed outside the UK/EEA by our processors. Where transfers occur, we rely on appropriate safeguards such as the UK International Data Transfer Addendum (IDTA) and/or Standard Contractual Clauses (SCCs), plus additional technical and organizational measures (encryption in transit, access controls).

Data retention

We retain data for different periods depending on the type and purpose:

  • Account data: Retained while your account is active and for up to 90 days after account deletion for backup and recovery purposes.
  • Payment data: Stripe retains payment information according to their retention policies and legal requirements (typically 7 years for tax purposes).
  • TTS text content: Text submitted via the Chrome extension may be cached briefly for performance. Text submitted via the web application is processed for audio generation.
  • Generated audio: Audio files generated from your content are stored in our database to enable instant playback and cross-device access. Audio is retained until you delete the associated source or your account.
  • Analytics data: PostHog and Bento data is typically retained for 12-18 months, after which it may be aggregated or deleted per provider defaults.
  • Waitlist emails: Retained until you unsubscribe or we close the waitlist program.
  • Support communications: Retained for up to 2 years for reference and compliance purposes.

We reserve the right to retain data for longer periods where required by law, to resolve disputes, enforce agreements, or for legitimate business purposes. You may request early deletion by contacting us.

Cookies and similar technologies

We and our third-party service providers use cookies, local storage, and similar tracking technologies. Types of cookies may include:

  • Essential cookies: Required for authentication (Clerk) and core functionality. These cannot be disabled without preventing service access.
  • Analytics cookies: Used by PostHog (EU region) and Bento to collect usage data, which may include page views, clicks, navigation patterns, session recordings (screen activity, mouse movements, scrolling), and device information. This helps us improve the product and fix bugs.
  • Performance cookies: May be used to cache data and improve load times.
  • Payment cookies: Stripe may set cookies for payment processing and fraud prevention.

You can control some cookies through your browser settings or opt out of analytics by contacting support@flowread.io. Disabling essential cookies will prevent you from using core features. The specific cookies used may change as we update our services.

Your rights (UK GDPR)

Under UK GDPR and applicable data protection law, you may have the following rights (subject to legal limitations and exceptions):

  • Right of access: Request a copy of your personal data we hold
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data in certain circumstances
  • Right to restrict processing: Limit how we use your data in certain situations
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests, including analytics
  • Right to withdraw consent: Withdraw consent for marketing or optional processing
  • Right to complain: Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk

To exercise your rights, contact support@flowread.io with your request. We will verify your identity and respond within legally required timeframes (typically 30 days). We reserve the right to decline requests where permitted by law or where they would adversely affect the rights and freedoms of others.

Children’s privacy

FlowRead is not directed to children under 13. If you believe a child provided us personal data without appropriate consent, contact us and we will remove it.

Security measures

We implement reasonable administrative, technical, and physical security measures to protect your data, including encryption in transit, access controls, and monitoring. However, no method of transmission or storage is completely secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from circumstances beyond our reasonable control. For more information about our security practices, see our Security page.

Changes to this policy

We reserve the right to modify this Privacy Policy at any time. When we make changes, we will update the "Last updated" date. Material changes may be communicated via email to your registered address or through prominent notice on our website. Your continued use of FlowRead after changes take effect constitutes acceptance of the updated policy.

Limitation of liability

To the fullest extent permitted by law, FlowRead shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from: (i) your use of or inability to use the service; (ii) any unauthorized access to or use of our servers and/or any personal information stored therein; (iii) any third-party conduct or content on the service; or (iv) any other matter relating to privacy or data protection.

Disclaimer

This Privacy Policy describes our general data practices as of the date stated above. We make reasonable efforts to maintain accuracy but cannot guarantee completeness. Our actual practices are governed by applicable law. In the event of any conflict, applicable law prevails. This policy does not create any contractual rights or legal obligations beyond those required by law. We are not liable for errors, omissions, or reliance on this policy.

Governing law and disputes

This Privacy Policy and any disputes arising from it shall be governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where you have mandatory consumer protection rights in your jurisdiction.

Contact

For privacy questions, data requests, or to exercise your GDPR rights:
Email: support@flowread.io
Post: FlowRead, 124 City Road, London, EC1V 2NX, United Kingdom