How FlowPilot Studio collects, uses, and protects your information.
Version 2.2 — Last updated: February 24, 2026
Prior versions of this document are available upon request at support@flowpilot.studio.
Welcome to FlowPilot Studio ("FlowPilot" or the "Service"), operated by Zen Coders, S.C. ("we," "us," or "our"), a company registered in Mexico (RFC: ZCO180607U55). This Privacy Policy explains how we collect, use, disclose, and protect your information when you access or use our website at flowpilot.studio (the "Website"), our software-as-a-service (SaaS) application, and any related services (collectively, the "Service").
We are committed to protecting your privacy and handling your data responsibly. By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
This Privacy Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.
We collect information to provide, improve, and secure the Service. The types of information we collect include:
The Service integrates with your Flow Production Tracking (FPT, formerly ShotGrid) instance via a REST API wrapper. When you connect your FPT account and submit natural language queries, we temporarily access and process data from your FPT database ("User Data") to generate visualizations, charts, and tables.
We do not store your User Data. All User Data is pulled directly from your FPT instance in real-time, processed transiently in memory to fulfill your queries, and discarded immediately after the visualization is generated. No copies, backups, or derivatives of User Data are retained by us.
To improve performance and enable AI-powered features, we access your FPT schema metadata — entity types, field definitions, and field types. This metadata describes the structure of your data (e.g., "Shots have a Status field"), not the data itself (e.g., not the actual status values of your shots). Schema metadata is cached temporarily in your browser's IndexedDB storage with a 10-minute time-to-live, and is provided to the AI to interpret your natural language queries.
We use the following cookies and browser storage mechanisms:
sb-access-token / sb-refresh-token — Authentication session cookies (HTTP-only, SameSite, Secure).selected_org_id — Stores your current organization context.We do not use third-party tracking cookies or advertising trackers.
We use the information we collect for the following purposes:
We do not use your User Data to train AI models. Since we do not store User Data, it cannot be used for training, analytics, or any purpose beyond the immediate query you requested.
FlowPilot uses large language models (LLMs), provided by Anthropic, to interpret your natural language queries and generate instructions for API calls to your FPT instance. Importantly:
This ensures complete segregation between your data and LLM interactions.
We do not sell your personal information. We may share information as follows:
| Provider | Purpose | Data Received |
|---|---|---|
| Supabase | Database, authentication, RLS | Account data, org config, encrypted credentials |
| Vercel | Application hosting, serverless | Request processing (no persistent user data) |
| Anthropic | Large language model (AI) | Schema metadata and natural language queries only — never User Data |
| Stripe | Payment processing | Billing and payment information |
| Amazon Web Services (AWS) | Webhook worker infrastructure | FPT webhook events for automation execution |
We ensure that any shared information is limited to what is necessary and protected by appropriate safeguards.
We implement technical and organizational security measures to protect your information, including:
Since we do not store User Data, the risk of data breaches involving your production data is minimized.
However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your FPT credentials and using appropriately scoped script API keys.
| Data Type | Retention |
|---|---|
| User Data (FPT production data) | Not stored — processed transiently, discarded immediately |
| Account and personal information | Retained while Account is active (including after Subscription cancellation); permanently deleted upon account deletion request (cascade delete, immediate) |
| Live Data export access logs | 7 days detailed logs; indefinite summary statistics |
| AI interaction logs | 90 days. Logs contain your natural language queries, AI responses, and tool execution metadata (schema lookups, generated configurations). These logs contain schema metadata and query text, not your FPT production data. Logs are protected by Row-Level Security and visible only to you and service administrators. |
| Usage and analytics data | Retained in anonymized form indefinitely for Service improvement |
Canceling your Subscription does not delete your Account or its data. To request account deletion, contact support@flowpilot.studio.
Depending on your location (e.g., under GDPR, CCPA, or similar laws), you may have rights such as:
To exercise these rights, contact us at support@flowpilot.studio. We may verify your identity before responding. Responses are provided within applicable legal timelines (e.g., 30 days under GDPR).
You can also:
We operate infrastructure in the United States (Supabase and Vercel hosted in AWS us-east-1, webhook workers on AWS EC2 us-east-1). If you are in the EU/EEA or another region with data protection laws, we rely on the infrastructure providers' compliance mechanisms (including Standard Contractual Clauses where applicable) to ensure adequate protection for international transfers.
The Service is not intended for children under 13 (or 16 in some jurisdictions). We do not knowingly collect information from children. If we learn we have collected such data, we will delete it promptly. Contact us at support@flowpilot.studio if you believe we have data from a child.
The Service integrates with FPT and may link to third-party sites. We are not responsible for their privacy practices. Review their policies separately.
We may update this Privacy Policy from time to time. Changes will be posted here with an updated "Last Updated" date. We will notify you of material changes via email or in-Service notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
For questions, requests, or concerns about this Privacy Policy or our data practices, contact us at:
Email: support@flowpilot.studio Website: flowpilot.studio