Privacy Policy

Effective: 2026-05-29 · Version 1.1 · FlowSense LLC · Wyoming, USA

1. Who We Are (Data Controller)

FlowSense LLC ("FlowSense", "we", "us", "our") is a limited liability company organized under the laws of the State of Wyoming, United States, and is the data controller responsible for the personal information processed through the FlowSense platform at flowsense.trading (the "Service"). For all privacy-related inquiries, please contact: [email protected] (subject line: "Privacy Inquiry").

This Privacy Policy describes how we collect, use, share, retain, and protect your personal information, and the rights you have over that information under applicable law including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

2. Information We Collect

We collect the following categories of personal information:

2.1 Information you provide directly:

  • Account information: username, email address, hashed password, country of residence, age confirmation (you must be 18+ to register)
  • Billing information: name on payment card, billing address, last 4 digits of card, payment-method token. Full payment card numbers are processed and stored exclusively by our payment processor (Stripe, Inc.) and are never stored on our servers
  • Communications: feedback you submit, support ticket contents, newsletter subscription preferences
  • Preferences: watchlists, custom dashboard configurations, default tickers, theme settings, alert thresholds

2.2 Information collected automatically through your use of the Service:

  • Usage data: pages visited within the Service, features used, search queries, session duration, feature interaction patterns (used for product improvement and abuse prevention)
  • Technical data: IP address (for security/geolocation), browser type and version, operating system, device type, screen resolution, language preference, timestamps of requests, referring URL
  • Error and diagnostic data: unhandled JavaScript exceptions and server errors (anonymized; do not include identifiable user data unless you voluntarily include such data in a feedback submission)

2.3 What we do NOT collect:

  • Brokerage account credentials, account numbers, holdings, or actual trading positions (the Service does not connect to brokerages for trade execution)
  • Financial account information beyond what is strictly required for subscription billing
  • Information from individuals under 18 years of age (see Section 12)
  • Special categories of personal data under GDPR Article 9 (health, biometric, religious, political, etc.)
  • Government-issued identifiers beyond what payment processors require for fraud prevention

3. How We Use Your Information (Purposes & Lawful Bases)

We process your personal information for the following purposes, relying on the following lawful bases under GDPR Article 6:

  • To provide and maintain the Service (account creation, authentication, subscription management, feature delivery) — Lawful basis: performance of a contract (Art. 6(1)(b))
  • To process payments and manage subscriptions (via Stripe) — Lawful basis: performance of a contract (Art. 6(1)(b))
  • To send essential service communications (billing notices, security alerts, terms changes, trial reminders) — Lawful basis: performance of a contract and legitimate interest (Art. 6(1)(b) and (f))
  • To send optional marketing communications (newsletter, feature announcements, signal alerts) — Lawful basis: your explicit consent (Art. 6(1)(a)); you may withdraw at any time
  • To detect, prevent, and respond to fraud, abuse, security incidents, and Terms violations — Lawful basis: legitimate interest in protecting the Service and our users (Art. 6(1)(f))
  • To improve the Service (analyze feature usage patterns, fix bugs, develop new features) — Lawful basis: legitimate interest (Art. 6(1)(f))
  • To respond to your requests and inquiries — Lawful basis: performance of a contract or legitimate interest (Art. 6(1)(b) and (f))
  • To comply with legal obligations (tax records, anti-money-laundering, valid legal process) — Lawful basis: legal obligation (Art. 6(1)(c))

We do not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Article 22. The prediction models and signals shown in FlowSense are informational tools; all trading decisions are made by you, not by automated processing.

4. How We Share Your Information (Sub-Processors & Recipients)

We share personal information only with the following categories of recipients:

4.1 Service providers (data processors) acting on our behalf:

  • Stripe, Inc. (USA) — payment processing, subscription management, fraud prevention. Stripe's privacy policy: stripe.com/privacy
  • Railway Corp. (USA) — application hosting, server infrastructure, database storage
  • Email service providers — transactional email delivery (Stripe handles billing-related email; we use industry-standard providers for support and optional marketing communications)
  • Cloudflare, Inc. (USA) — DNS, DDoS protection, content delivery (where applicable)
  • UptimeRobot — service-uptime monitoring (no personal user data; monitors only public endpoints)
  • Anthropic, PBC (USA) — AI processing for in-app support assistance (only the content you submit in support chats is processed; no account data)
  • Market-data providers — these providers send market data TO us; we do NOT share your personal information WITH them

Each sub-processor is bound by contractual obligations limiting use of your data to the specific services we have engaged them to provide.

4.2 Legal authorities — we may disclose your information when required by valid legal process (subpoena, court order, search warrant) or where we believe disclosure is necessary to (i) comply with applicable law, (ii) protect our rights and the safety of our users, or (iii) investigate fraud, abuse, or security incidents.

4.3 Business transfers — in the event of a merger, acquisition, sale of substantially all assets, or similar corporate transaction, your information may be transferred to the successor entity. We will provide notice via email or in-app banner before any such transfer.

4.4 We do NOT sell your personal information within the meaning of CCPA, nor do we share it for cross-context behavioral advertising. We do not engage in any sale of personal information.

5. Cookies & Local Storage

FlowSense uses browser localStorage (not third-party tracking cookies) to store technically necessary settings, including:

  • Authentication session token (required for you to remain signed in)
  • Disclaimer acceptance state
  • Your watchlist and dashboard preferences
  • Theme and display settings
  • Dismissed banner and notification states

These items fall under the "strictly necessary" exemption in the EU ePrivacy Directive and similar regimes and do not require consent. We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracking technologies.

If we add optional analytics or non-essential tracking in the future, we will display a consent banner with explicit opt-in controls before any non-essential data is collected, in compliance with the ePrivacy Directive and GDPR.

You can clear localStorage at any time via your browser settings; doing so will sign you out and reset your preferences.

6. Data Retention

We retain personal information only as long as necessary to provide the Service or comply with legal obligations:

  • Account data: retained for the duration of your active account, plus one (1) year after account deletion for chargeback/dispute window, after which data is anonymized or deleted
  • Billing and tax records: retained for seven (7) years as required by US tax and financial-records law
  • Feedback and support communications: retained for two (2) years for service improvement; anonymized thereafter
  • Error and diagnostic logs: retained for ninety (90) days for debugging, then deleted
  • Marketing consent records: retained for three (3) years from withdrawal as proof of compliance
  • localStorage data on your device: persists until you clear browser data or sign out

7. Your Privacy Rights

Subject to applicable law, you have the following rights regarding your personal information:

7.1 Rights for all users:

  • Right of access — receive confirmation of whether we process your data and a copy of that data
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
  • Right to restriction of processing — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, commonly-used, machine-readable format (CSV or JSON) and transfer it to another controller
  • Right to object — object to processing based on legitimate interests, including profiling
  • Right to withdraw consent — for any processing based on consent (e.g. marketing); withdrawal does not affect the lawfulness of processing before withdrawal

7.2 Additional rights for California residents (CCPA/CPRA):

  • Right to know what categories of personal information we collect, the sources, purposes, and recipients
  • Right to delete personal information we have collected from you, subject to certain exceptions
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so no opt-out is needed
  • Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Service
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights
  • You may designate an authorized agent to submit requests on your behalf, subject to verification of agent authority

7.3 Right to complain — you have the right to lodge a complaint with a supervisory data protection authority, including:

  • European Union: your national Data Protection Authority (e.g. CNIL in France, BfDI in Germany, AEPD in Spain)
  • United Kingdom: Information Commissioner's Office (ICO), ico.org.uk
  • California: California Privacy Protection Agency (CPPA), cppa.ca.gov

7.4 How to exercise your rights: email [email protected] with the subject line "Privacy Request — [right name]" (e.g. "Privacy Request — Access" or "Privacy Request — Deletion"). We will respond within 30 days (GDPR) or 45 days (CCPA) of receipt. We may need to verify your identity before fulfilling certain requests.

8. International Data Transfers

FlowSense LLC is a Wyoming, United States entity, and FlowSense services are hosted on servers operated by our cloud infrastructure providers (primarily in the United States). If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate. The data protection laws of these jurisdictions may differ from those of your home country.

Where required by applicable law (including for users in the EU, UK, and Switzerland), we rely on appropriate legal safeguards for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum, equivalent provisions in our service-provider contracts, and any further supplementary measures required by applicable regulatory guidance. By using FlowSense, you consent to the transfer of your personal information to the United States and other jurisdictions as described in this Privacy Policy.

You may request a copy of the safeguards in place for international transfers by contacting [email protected].

9. Security

We implement industry-standard administrative, technical, and physical safeguards designed to protect your personal information, including:

  • TLS (Transport Layer Security) encryption for all data in transit between your browser and our servers
  • Secure password hashing using industry-standard algorithms (PBKDF2 with high iteration count)
  • Principle of least privilege for internal access to user data
  • Regular security patching and dependency monitoring
  • Daily database backups with restricted access
  • Multi-factor authentication on administrative accounts

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential. Notify us immediately at [email protected] of any suspected unauthorized access to your account.

Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. We will also notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34 and applicable US state breach notification laws.

10. EU Representative

FlowSense LLC does not currently have an establishment in the European Union and is not currently required to designate an EU representative under GDPR Article 27, as our processing of EU residents' data is occasional and does not involve large-scale processing of special categories of data or data relating to criminal convictions. If our processing activities change such that an EU representative becomes required, we will appoint one and update this Privacy Policy with their contact details.

EU residents may direct all privacy inquiries to [email protected] and we will respond in accordance with GDPR timelines.

11. Marketing Communications

We send essential service communications (billing notices, security alerts, terms updates, trial reminders) to all subscribers as part of the Service. These are not subject to opt-out.

Optional marketing communications (newsletters, feature announcements, promotional offers) are sent only with your explicit opt-in consent. Every marketing email contains a one-click unsubscribe link, and you may also email [email protected] to withdraw consent. Withdrawal will take effect within 10 business days.

12. Children's Privacy

FlowSense is intended for use by individuals aged 18 years and older. The Service is not directed to, and we do not knowingly collect personal information from, children under 18 years of age. During account registration, users are required to confirm they are at least 18 years old.

If you are a parent or guardian and believe a child under 18 has provided us with personal information, please contact [email protected] immediately and we will take steps to delete that information from our records. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13 under any circumstances.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or for other operational reasons. Material changes will be communicated via an in-app notification banner and/or email to your registered address at least 30 days before the changes take effect. The "Effective" date at the top of this Policy reflects the latest revision. Prior versions are available upon request.

Continued use of the Service after material changes take effect constitutes acceptance of the revised Policy. If you do not agree with the changes, you should discontinue use of the Service and may exercise your rights as described in Section 7.

14. Contact

For all privacy-related inquiries, requests to exercise your rights, complaints, or questions about this Privacy Policy, please contact:

FlowSense LLC
Wyoming, United States
Privacy Inquiries: [email protected]
Subject line: "Privacy Inquiry" or "Privacy Request — [right name]"
Response time: within 30 days (GDPR) or 45 days (CCPA)
