Privacy Policy

1. Data Controller

Flowent is the data controller for personal data processed through our platform. For privacy inquiries, contact us at contact@getflowent.com.

2. Data We Collect

• Account information: Email address, display name, and language preferences when you create an account.
• Learning data: Practice session results, task completion, vocabulary usage, grammar patterns, session duration, and AI-generated feedback. This data powers your progress tracking and instructor dashboards.
• Voice data: When you use live speaking practice, your audio is streamed in real time to our AI service for conversation. Audio is processed transiently and is not stored after the session ends. Only text transcripts are retained.
• Usage data: Pages visited, features used, and session frequency to improve the platform.

3. How We Use Third-Party AI Services

Flowent uses three third-party AI providers to power your learning experience. Here is exactly what data is sent to each and why:

3a. Anthropic (Claude) — AI Chat & Feedback

Your text conversation messages and learning content are sent to Anthropic to power AI chat practice, scenario feedback, and lesson generation. Anthropic processes this data solely to return AI responses and does not use it to train its models under its standard API terms.

3b. Google (Gemini via Vertex AI) — Voice Practice

Live speaking sessions stream your voice audio in real time to Google Vertex AI (Gemini) for AI-powered conversation. We have chosen Vertex AI specifically for its privacy guarantees:

• EU data residency: All AI processing occurs in the EU (europe-west4, Netherlands). Your data does not leave the European Economic Area.
• No training on your data: Google does not use Vertex AI customer data to train or improve its foundation models.
• Transient processing: Audio is streamed, processed, and discarded in real time. It is not stored by Google or by Flowent.
• Enterprise-grade security: Data is encrypted in transit (TLS 1.3) and Vertex AI is covered by Google's Data Processing Addendum (DPA).

3c. Deepgram — Text-to-Speech

AI-generated text responses are sent to Deepgram to produce spoken audio for playback during practice sessions. Deepgram processes text transiently to generate audio and does not retain your data after the response is delivered.

4. Legal Basis for Processing

We process your data under the following legal bases (GDPR Art. 6):

• Contract performance (Art. 6(1)(b)): To provide the language learning service you signed up for, including practice sessions, progress tracking, and feedback.
• Legitimate interest (Art. 6(1)(f)): To improve the platform, prevent abuse, and ensure service security.
• Consent (Art. 6(1)(a)): For optional analytics and marketing communications, which you can withdraw at any time.

5. Data Sharing

• Instructors: If you are enrolled in a course, your instructor can view your practice session summaries (tasks completed, areas of difficulty, AI feedback). Instructors cannot access raw audio or full transcripts.
• AI service providers: We share data with the following third-party AI providers to power core features:
  • Anthropic — receives your text conversation messages for AI chat and feedback
  • Google (Vertex AI / Gemini) — receives your voice audio during live speaking sessions
  • Deepgram — receives AI-generated text to produce spoken audio responses
  All three providers process data solely to deliver the requested service and do not use your data to train AI models.
• Infrastructure providers: We use Supabase (database, authentication) and Vercel (web hosting). All providers are GDPR-compliant with appropriate data processing agreements in place.
• No selling: We never sell your personal data to third parties.

6. Data Retention

• Account data: Retained while your account is active, deleted within 30 days of account deletion.
• Practice session data: Retained for the duration of your enrollment or account activity. Session analytics (tasks, feedback, scores) are kept for progress tracking. Full transcripts are retained for up to 12 months, then automatically deleted.
• Audio data: Not stored. Processed transiently during live sessions only.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data ("right to be forgotten", Art. 17)
• Restrict processing (Art. 18)
• Data portability — receive your data in a structured format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time (Art. 7(3))

To exercise any of these rights, contact contact@getflowent.com. We will respond within 30 days.

8. Security Measures

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication via secure JWT tokens (Supabase Auth)
• Row-level security on all database tables
• AI services deployed in EU region with no cross-border data transfer
• Regular security reviews and dependency updates

9. Children's Privacy

Flowent is designed for users aged 16 and older. If you are under 16, you may only use Flowent with the consent of a parent or guardian. We do not knowingly collect data from children under 16 without parental consent.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or in-app notification. Your continued use of Flowent after changes constitutes acceptance.

11. Contact & Complaints

For privacy questions, data requests, or complaints: contact@getflowent.com

You also have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe your data is being processed unlawfully.