Privacy Policy
Last updated: 5 May 2026 · Effective: 5 May 2026
The short version: Flowticks is a workplace analytics tool. We track only domain names and time spent on websites — never page content, messages, passwords, or anything sensitive. Data is encrypted and stored in the EU. You can pause tracking, view your data, or delete everything at any time.
1. Who We Are
Flowticks is a workplace analytics service operated by Filip Szlaga, a sole trader registered in Poland ("we", "us", "Flowticks"). We provide automatic website-based time tracking for agencies and small businesses.
For all data protection matters, we act as the data controller for personal data of our direct customers (account holders) and as a data processor for the personal data of their employees who use our extension.
Contact: filip.szlaga@flowticks.io · flowticks.io
2. What Data We Collect
We collect only the minimum data necessary to provide the service:
From the browser extension:
- Domain names visited (e.g. "gmail.com") — never full URLs
- Page paths (e.g. "/inbox") — never query parameters or fragments
- Page titles — sanitised, max 100 characters
- Time spent on each domain in seconds
- Category (Deep Work, Communication, Meetings, Admin, Distraction)
- Browser type (e.g. "chrome")
- Timestamps when activity started and ended
From account creation:
- Full name
- Email address
- Password (hashed using bcrypt — we never store plain text passwords)
- Organisation name (if creating a new organisation)
- Role (owner, manager, or employee)
Automatically collected:
- IP address (only at signup, for fraud prevention)
- Account creation timestamp
- Last login timestamp
3. What We Never Collect
We have built Flowticks specifically to not collect the following:
- Page content (HTML, text, images, videos)
- Email content, messages, or chat logs
- Documents you view or edit online
- Passwords, authentication tokens, or session cookies
- Full URLs (we strip query strings and fragments)
- Screenshots or screen recordings of any kind
- Keystrokes, mouse movements, or scroll positions
- Webcam, microphone, or any audio/video
- Files on your computer
- Other browser tabs or extensions
- Browsing history outside active tab tracking
- Activity in Incognito/Private browsing mode
- Activity from sensitive domains (banking, healthcare, government, NHS sites)
- Biometric data of any kind
- Location data (we do not use GPS or geolocation APIs)
4. Legal Basis for Processing
Under Article 6 of the GDPR, we process personal data based on:
| Data | Legal basis |
| --- | --- |
| Account information | Contract performance (Art. 6(1)(b)) |
| Time tracking data | Consent (Art. 6(1)(a)) + Legitimate interest (Art. 6(1)(f)) |
| IP address at signup | Legitimate interest — fraud prevention |
| Communications with us | Legitimate interest — customer support |
5. Employee Consent
Flowticks operates on a consent-first model. We require:
- Employees must actively install the browser extension themselves — installation is never silent or forced
- Employees see a clear notice that tracking is happening every time they open the extension popup
- Employees can pause tracking instantly using the Pause button — no time is recorded while paused
- Employees can uninstall the extension at any time without notice
- Employers must inform employees about Flowticks before requiring its use, in writing, in compliance with local labour law
Important: If you are an employer deploying Flowticks to your team, you are responsible for obtaining valid employee consent under applicable employment and data protection law in your jurisdiction. Flowticks provides the technical means to track time, but the legal responsibility for employee consent and labour law compliance rests with the employer.
6. How We Use Your Data
- Display productivity analytics in manager and employee dashboards
- Generate weekly summary reports
- Improve website categorisation accuracy
- Provide customer support when requested
- Detect and prevent fraud or abuse
- Comply with legal obligations
We never: sell personal data, share data with advertisers, use data for advertising profiling, or train AI models on user data.
7. Storage and Security
- Storage location: European Union (Supabase EU-West, London)
- Encryption in transit: TLS 1.3
- Encryption at rest: AES-256
- Authentication: Industry-standard JWT with refresh tokens
- Passwords: Hashed using bcrypt (never stored in plain text)
- Access control: PostgreSQL Row-Level Security ensures users can only access data from their own organisation
- Backups: Daily encrypted backups retained for 7 days
- Multi-factor authentication: Available for all account types
8. Data Sharing
We share data only with the following sub-processors who have signed Data Processing Agreements:
| Provider | Purpose | Location |
| --- | --- | --- |
| Supabase Inc. | Database, authentication | EU (Ireland/UK) |
| Vercel Inc. | Web hosting, CDN | EU + Global edge |
| Cloudflare Inc. | DNS, security | Global edge |
| Google LLC | Email (Workspace) | EU + US |
We do not sell, rent, or share personal data with any other third parties.
We may disclose data only when legally required (court order, lawful authority request) and only the minimum necessary. We will notify you of any such request unless legally prohibited.
9. International Data Transfers
Some of our sub-processors may transfer data outside the EEA (e.g. to the United States). All such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework certification (where applicable)
- Additional encryption and access controls
10. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of all data we hold about you
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion of all your data ("right to be forgotten")
- Right to restrict processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format (JSON)
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right to withdraw consent (Art. 7) — at any time, with no detrimental effect
- Right not to be subject to automated decision-making (Art. 22) — Flowticks does not make automated decisions about individuals
To exercise any of these rights, email filip.szlaga@flowticks.io. We will respond within 30 days (extendable by 60 days for complex requests).
11. Data Retention
| Data type | Retention period |
| --- | --- |
| Time tracking entries | 12 months, then auto-deleted |
| Account data | Active account + 30 days after deletion |
| Consent records | 3 years (legal obligation) |
| Billing records | 5 years (Polish tax law) |
| Support communications | 2 years |
You can request immediate deletion at any time by emailing us.
12. Cookies
The Flowticks dashboard uses only essential cookies required for authentication. We do not use:
- Advertising cookies
- Tracking pixels
- Third-party analytics cookies
- Social media cookies
13. Children's Privacy
Flowticks is intended for workplace use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us immediately and we will delete the data within 24 hours.
14. Data Breach Procedure
In the event of a personal data breach that risks the rights and freedoms of data subjects, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware
- Notify affected individuals without undue delay if there is a high risk
- Document the breach internally for accountability
- Take immediate technical measures to contain and remediate
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to all users via email at least 14 days before they take effect. The "Last updated" date at the top of this policy reflects the most recent change.
Continued use of Flowticks after changes take effect constitutes acceptance of the updated policy.
For privacy-related questions or to exercise your rights:
If you are unsatisfied with our response, you have the right to lodge a complaint with your national supervisory authority: