Privacy Policy

How FlowPilot Studio collects, uses, and protects your information.

Version 2.2 — Last updated: February 24, 2026

Prior versions of this document are available upon request at support@flowpilot.studio.

Welcome to FlowPilot Studio ("FlowPilot" or the "Service"), operated by Zen Coders, S.C. ("we," "us," or "our"), a company registered in Mexico (RFC: ZCO180607U55). This Privacy Policy explains how we collect, use, disclose, and protect your information when you access or use our website at flowpilot.studio (the "Website"), our software-as-a-service (SaaS) application, and any related services (collectively, the "Service").

We are committed to protecting your privacy and handling your data responsibly. By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

1. Information We Collect

We collect information to provide, improve, and secure the Service. The types of information we collect include:

1.1 Personal Information

  • Account Information: When you create an Account, we collect details such as your name, email address, and organization name. Payment information is collected and processed by our third-party payment processor (Stripe) and is not stored on our servers.
  • Contact Information: If you contact us for support or inquiries, we may collect your name, email, and any details you provide.
  • Usage Information: We automatically collect data about your interactions with the Service, such as IP address, browser type, device information, pages visited, and timestamps.

1.2 User Data from Integrations

The Service integrates with your Flow Production Tracking (FPT, formerly ShotGrid) instance via a REST API wrapper. When you connect your FPT account and submit natural language queries, we temporarily access and process data from your FPT database ("User Data") to generate visualizations, charts, and tables.

We do not store your User Data. All User Data is pulled directly from your FPT instance in real-time, processed transiently in memory to fulfill your queries, and discarded immediately after the visualization is generated. No copies, backups, or derivatives of User Data are retained by us.

1.3 Schema Metadata

To improve performance and enable AI-powered features, we access your FPT schema metadata — entity types, field definitions, and field types. This metadata describes the structure of your data (e.g., "Shots have a Status field"), not the data itself (e.g., not the actual status values of your shots). Schema metadata is cached temporarily in your browser's IndexedDB storage with a 10-minute time-to-live, and is provided to the AI to interpret your natural language queries.

1.4 Stored Credentials

  • Session Tokens: When you authenticate via the FPT App Session Launcher, we store an encrypted session token to access your FPT instance on your behalf. Session tokens are encrypted at rest using AES-256-GCM.
  • Script Credentials: If you configure automations, you may provide FPT script credentials (script name and API key). These are encrypted at rest using AES-256-GCM, with encryption keys stored separately from the database in the hosting provider's encrypted environment configuration.

1.5 Cookies and Local Storage

We use the following cookies and browser storage mechanisms:

  • sb-access-token / sb-refresh-token — Authentication session cookies (HTTP-only, SameSite, Secure).
  • selected_org_id — Stores your current organization context.
  • IndexedDB — Schema metadata cache (10-minute TTL).
  • localStorage — User preferences and UI state.

We do not use third-party tracking cookies or advertising trackers.

1.6 Other Information

  • Feedback and Communications: Any feedback, suggestions, or other information you voluntarily provide.
  • We do not collect sensitive personal information (e.g., racial or ethnic origin, political opinions) unless you provide it voluntarily, and we advise against doing so.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To Provide the Service: To authenticate your Account, process payments, connect to your FPT instance, interpret natural language queries, and generate AI-powered visualizations and automations.
  • To Improve the Service: To analyze usage patterns, troubleshoot issues, and enhance features using anonymized and aggregated data (e.g., query patterns, feature usage — never User Data content).
  • To Communicate with You: To send service-related emails (e.g., updates, billing notifications) and respond to your inquiries.
  • For Security and Compliance: To detect and prevent fraud, abuse, or security threats, and to comply with legal obligations.

We do not use your User Data to train AI models. Since we do not store User Data, it cannot be used for training, analytics, or any purpose beyond the immediate query you requested.

2.1 AI and LLM Usage

FlowPilot uses large language models (LLMs), provided by Anthropic, to interpret your natural language queries and generate instructions for API calls to your FPT instance. Importantly:

  • The LLM receives only schema metadata (entity types, field names, field types), API capabilities, and your natural language query. It never receives or processes your actual User Data or production data.
  • For tasks like creating charts, tables, automations, or other features, the LLM translates queries into API instructions, which are executed directly against your FPT instance without exposing any data to the LLM.
  • You can review the exact inputs and outputs of all LLM interactions directly within the FlowPilot interface via the transparency feature.

This ensures complete segregation between your data and LLM interactions.

3. Sharing Your Information

We do not sell your personal information. We may share information as follows:

  • Sub-processors: The Service relies on the following third-party providers, each contractually obligated to protect your data:
Provider Purpose Data Received
Supabase Database, authentication, RLS Account data, org config, encrypted credentials
Vercel Application hosting, serverless Request processing (no persistent user data)
Anthropic Large language model (AI) Schema metadata and natural language queries only — never User Data
Stripe Payment processing Billing and payment information
Amazon Web Services (AWS) Webhook worker infrastructure FPT webhook events for automation execution
  • FPT Integration: When you authorize the connection, we access your FPT data solely through the API to provide the Service. No data is shared back to FPT or any third party without your consent.
  • Legal Requirements: If required by law, subpoena, or government request, or to protect our rights, safety, or property.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
  • With Your Consent: For any other purpose with your explicit permission.

We ensure that any shared information is limited to what is necessary and protected by appropriate safeguards.

4. Data Security

We implement technical and organizational security measures to protect your information, including:

  • Encryption at rest: All stored credentials (session tokens, script API keys) encrypted with AES-256-GCM, 256-bit keys, random 16-byte IV per encryption operation. Encryption keys are stored separately from the database in the hosting provider's encrypted environment configuration.
  • Encryption in transit: All data transmitted via HTTPS/TLS.
  • Database isolation: Row-Level Security (RLS) enforcing strict organization isolation at the database level.
  • Session security: HTTP-only, SameSite, Secure cookies.
  • Rate limiting: Application-level rate limiting on sensitive endpoints (AI and authentication), with per-user and per-IP sliding window limits.
  • Access controls: Multi-factor authentication on all infrastructure provider accounts.
  • Infrastructure compliance: All infrastructure providers (Supabase, Vercel) are independently SOC 2 Type II audited.
  • FPT permissions: Your FPT instance's own permission model is fully respected — FlowPilot can only access data the authenticated user has permission to see in FPT.

Since we do not store User Data, the risk of data breaches involving your production data is minimized.

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your FPT credentials and using appropriately scoped script API keys.

5. Data Retention

Data Type Retention
User Data (FPT production data) Not stored — processed transiently, discarded immediately
Account and personal information Retained while Account is active (including after Subscription cancellation); permanently deleted upon account deletion request (cascade delete, immediate)
Live Data export access logs 7 days detailed logs; indefinite summary statistics
AI interaction logs 90 days. Logs contain your natural language queries, AI responses, and tool execution metadata (schema lookups, generated configurations). These logs contain schema metadata and query text, not your FPT production data. Logs are protected by Row-Level Security and visible only to you and service administrators.
Usage and analytics data Retained in anonymized form indefinitely for Service improvement

Canceling your Subscription does not delete your Account or its data. To request account deletion, contact support@flowpilot.studio.

6. Your Rights and Choices

Depending on your location (e.g., under GDPR, CCPA, or similar laws), you may have rights such as:

  • Access: Request a copy of your personal information.
  • Correction: Update inaccurate data.
  • Deletion: Request deletion of your data (subject to legal exceptions).
  • Opt-Out: Opt out of certain data processing.
  • Portability: Receive your data in a transferable format.
  • Do Not Sell: We do not sell data, but CCPA users can confirm this at any time.

To exercise these rights, contact us at support@flowpilot.studio. We may verify your identity before responding. Responses are provided within applicable legal timelines (e.g., 30 days under GDPR).

You can also:

  • Revoke FPT integration access at any time through your Account settings.
  • Revoke script credentials at any time through your Account settings.
  • Clear local browser storage (IndexedDB, localStorage) at any time through your browser settings.

7. International Data Transfers

We operate infrastructure in the United States (Supabase and Vercel hosted in AWS us-east-1, webhook workers on AWS EC2 us-east-1). If you are in the EU/EEA or another region with data protection laws, we rely on the infrastructure providers' compliance mechanisms (including Standard Contractual Clauses where applicable) to ensure adequate protection for international transfers.

8. Children's Privacy

The Service is not intended for children under 13 (or 16 in some jurisdictions). We do not knowingly collect information from children. If we learn we have collected such data, we will delete it promptly. Contact us at support@flowpilot.studio if you believe we have data from a child.

9. Third-Party Links and Services

The Service integrates with FPT and may link to third-party sites. We are not responsible for their privacy practices. Review their policies separately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted here with an updated "Last Updated" date. We will notify you of material changes via email or in-Service notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

11. Contact Us

For questions, requests, or concerns about this Privacy Policy or our data practices, contact us at:

Email: support@flowpilot.studio Website: flowpilot.studio