Privacy Policy

Effective April 23, 2026 · Last updated April 23, 2026

This Privacy Policy explains how Olive Green Holdings Limited(“we”, “us”, or “FlowState”) collects, uses, and protects the personal information of people who use the FlowState app and website at flowstateapp.app(together, the “Service”).

We built FlowState for people with ADHD, and we take your data seriously. We collect only what we need to run the Service, we never sell your personal information, and we give you tools to access and delete your data at any time.

1. Information we collect

1.1 Information you provide

  • Account information: your email address, and optionally a display name. If you sign in with Google, Microsoft, or Apple, we receive a unique identifier plus your verified email from that provider.
  • Content you create: tasks, subtasks, brain dump notes, focus sessions, energy check-ins, and reflections you record in the app.
  • Settings: your theme, sound preferences, focus duration, notification preferences, and accessibility choices (for example, low stimulation mode).
  • Payment information:if you subscribe to FlowState Pro, Stripe processes your card and stores your payment details on our behalf. We receive only your Stripe customer ID, subscription status, and billing period — never your full card number.

1.2 Information collected automatically

  • Authentication cookies: a session cookie set by NextAuth to keep you signed in.
  • Technical logs: IP address, browser/device type, and timestamps of requests, retained for security and troubleshooting for up to 30 days.
  • We do not use third-party advertising, fingerprinting, or behavioural analytics trackers.

1.3 Calendar integration (optional)

If you connect a calendar (Google, Microsoft 365, or Apple iCloud/CalDAV), we request read-only access to your calendar events so we can show them on your dashboard. Access tokens are encrypted at rest using AES-256-GCM. Event data is cached for up to 15 minutes and is not shared with any third party. You can disconnect a calendar at any time from Settings, which immediately revokes our access and deletes the cached events.

1.4 AI features (optional)

If you use AI-powered features (task breakdown, Brain Dump parsing, AI priority sort, Smart Daily Planner), the relevant input (task title, notes, or energy level) is sent to OpenAI for processing. We do not send your email address, account ID, or any other identifier to OpenAI. OpenAI does not use this data to train their models when accessed through our API. If you prefer not to use AI, every AI feature has a local fallback or can be skipped.

2. How we use your information

  • To provide, maintain, and improve the Service.
  • To authenticate you and keep your account secure.
  • To process subscription payments and send receipts (via Stripe).
  • To send transactional emails such as sign-in magic links and critical account or billing notices (via Resend).
  • To respond to your support requests and feedback.
  • To detect, investigate, and prevent fraud or abuse of the Service.
  • To comply with legal obligations.

We do not use your content (tasks, notes, reflections) to train AI models or for any purpose other than running the Service for you.

3. Legal bases for processing (GDPR)

If you are in the European Economic Area or United Kingdom, we rely on the following legal bases:

  • Contract: to provide the Service you signed up for.
  • Legitimate interests: to keep the Service secure, respond to support requests, and improve the product.
  • Consent:for optional integrations such as calendar sync and AI features — you can withdraw consent at any time.
  • Legal obligation: to comply with tax, fraud prevention, and other applicable laws.

4. Who we share information with

We share personal information only with the service providers that help us run FlowState, under contracts that require them to protect your data:

  • Vercel Inc.— hosting and edge delivery (United States / EU).
  • Turso (ChiselStrike, Inc.)— encrypted database hosting (AWS Asia Pacific).
  • Resend— transactional email delivery (United States / EU).
  • Stripe, Inc.— subscription billing and payment processing (United States; PCI-DSS Level 1).
  • OpenAI, L.L.C.— AI inference for opt-in AI features (United States).
  • Google LLC, Microsoft Corporation, Apple Inc. — only if you choose to sign in or connect a calendar with these providers.

We do not sell your personal information to any third party, and we do not share it for cross-context behavioural advertising. If we are ever required to disclose data to comply with a lawful legal request, we will notify affected users unless legally prohibited.

5. International data transfers

Your data may be processed in countries other than your own, including the United States, the European Union, Japan, and New Zealand. Where required, we rely on Standard Contractual Clauses and equivalent safeguards to protect international transfers.

6. Data retention

  • Account and content: retained while your account is active. If you delete your account, all content is deleted within 30 days.
  • Calendar cache: deleted within 15 minutes of disconnecting, or immediately on request.
  • Billing records: retained for up to 7 years where required by tax and accounting law.
  • Technical logs: up to 30 days.
  • Backups: rolling encrypted backups are purged within 35 days.

7. Your rights

You have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete your account and associated data (Settings → Delete account, or by emailing privacy@flowstateapp.app).
  • Export your tasks, wins, and settings in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for optional integrations (calendar, AI) at any time.
  • Lodge a complaint with your local data protection authority. In the EU/UK, you can contact your national supervisory authority. In New Zealand, the Office of the Privacy Commissioner at privacy.org.nz.

8. California residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to limit the use of sensitive personal information. We do not sell or share personal information within the meaning of California law. To exercise these rights, email privacy@flowstateapp.app. We will not discriminate against you for exercising any of these rights.

9. Security

We protect your data with industry-standard safeguards: TLS 1.2+ in transit, encryption at rest for databases and calendar tokens, per-user access isolation enforced server-side, and short-lived session cookies. No system is perfectly secure, so if we ever discover a breach affecting your data, we will notify you without undue delay as required by law.

10. Children's privacy

FlowState is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact privacy@flowstateapp.app and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or in the app. Continued use of FlowState after the effective date of an update means you accept the revised policy.

12. Contact us

Olive Green Holdings Limited
Care of Leon Green
1095 Taumata Road
Omanawa 3173, Bay of Plenty
New Zealand
Email: privacy@flowstateapp.app