Privacy Policy
Last updated: June 2026
1. Who we are (Data Controller)
Just Flow It ("we", "our") operates the AI-assisted process-diagram platform at justflow.it and is the data controller responsible for your personal data.
For any privacy question or data-protection request, contact us at contato@justflow.it.
2. Information we collect
- Account data: name and email address you provide at sign-up.
- Profile data: optional job title, area, and onboarding answers.
- Content you create: process diagrams, folders, AI chat messages and (if used) meeting transcriptions — which may contain whatever information you choose to include.
- Usage & technical data: how you interact with the product, device/browser type, and log data including IP address (some of it pseudonymised by hashing).
- Payment data: processed by Stripe; we store only a customer/subscription reference, never full card numbers.
- Cookies & similar technologies: see our Cookie Policy. Analytics and marketing technologies load only with your consent.
3. How we use your data and our legal bases
Under the GDPR we must have a lawful basis for each purpose. The table below sets out the main purposes and the basis we rely on.
| Purpose | Legal basis (GDPR Art 6) |
|---|---|
| Provide the platform, your account and team features | Performance of a contract — Art 6(1)(b) |
| Process payments and manage subscriptions | Contract — Art 6(1)(b); legal obligation (tax) — Art 6(1)(c) |
| Improve and secure the service, prevent abuse | Legitimate interests — Art 6(1)(f) |
| Analytics and session measurement | Consent — Art 6(1)(a) |
| Marketing email and acquisition attribution | Consent — Art 6(1)(a) |
| Comply with legal obligations | Legal obligation — Art 6(1)(c) |
4. AI processing of your content
To generate and edit diagrams (and, if you use the feature, to transcribe audio), the text of your prompts, chat messages, related diagram context and uploaded audio are processed by our AI sub-processor, Google Cloud. Please do not enter personal data of third parties, or special-category data, unless you need to.
Google Cloud processes this content as our processor under its Cloud Data Processing Addendum and does not use it to train or fine-tune models. Audio transcription is processed within the EU. Diagram generation and chat may be processed on infrastructure outside the EU, unless your organization enables EU data residency in its settings — in which case all AI processing stays within the EU. See the sub-processor list in section 6 and international transfers in section 7.
5. Cookies and tracking
Strictly necessary cookies (sign-in, security, your consent choice) are always active. Analytics (Microsoft Clarity, Vercel Analytics) and marketing technologies are loaded only after you give consent through our cookie banner, and you can withdraw consent at any time via “Manage cookie preferences”. Full details are in our Cookie Policy.
6. Who we share data with (recipients & sub-processors)
We do not sell your personal data. We share it with the service providers (processors) below, with members of your organization when you use team features, and with authorities where legally required. Each processor acts under a data processing agreement.
| Processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: database, authentication and file storage | EU |
| Vercel | Hosting and infrastructure | US (global edge) |
| Stripe | Payment processing | US / EU |
| Google Cloud | AI processing (diagram generation, chat, transcription) | EU / global (EU-only available) |
| Microsoft (Clarity) | Product analytics / session replay (consent only) | US |
7. International data transfers
Your account data and the content you create are stored in the European Union. Some sub-processors process personal data outside the EU/EEA and the UK (notably in the United States) — for example payments, consent-based analytics and, unless your organization enables EU data residency, AI processing. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and/or an adequacy decision (e.g. the EU–US Data Privacy Framework where the recipient is certified). You can request more information using the contact details below.
8. How long we keep your data (retention)
We keep personal data only as long as necessary for the purpose it was collected. Indicative periods:
| Data | Retention |
|---|---|
| Account, profile and content | For the life of your account; erased on deletion (30-day grace) |
| Anonymous guest-generation logs | 7 days |
| AI usage logs | ~13 months |
| Product analytics & behavioral usage events (collected with your consent) | 180 days |
| Payment/invoice records | As required by tax law (held by Stripe) |
| Consent and audit records | Up to 2 years |
9. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent at any time (without affecting prior processing).
You can exercise several of these directly in the app: edit your profile (rectification), export your data (access/portability) and delete your account (erasure) under Settings → Security. For any other request, contact us at the address below; we respond within one month.
You also have the right to lodge a complaint with a supervisory authority. In the EU/UK, this is the data protection authority of your country of residence. In Brazil, it is the ANPD.
10. Automated decision-making and profiling
Our AI generates diagrams from your input, and we analyse product usage and acquisition source to improve the service. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. AI output is a drafting aid that you review and control.
11. Security
- Encryption in transit (HTTPS/TLS) and access controls / row-level security on our database.
- Secrets and payment data isolated; pseudonymisation of certain identifiers.
- Continuous monitoring; despite our efforts, no method of transmission is 100% secure.
12. Children
Our services are not directed to children under 16 (or the applicable age of digital consent). We do not knowingly collect their data.
13. Changes to this policy
We may update this policy and will notify you of material changes via the platform or email. The date above always reflects the latest version.
14. Contact
Questions or requests: contato@justflow.it. We respond to data-protection matters at this address.
This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and Brazil's LGPD (Lei nº 13.709/2018). Where these laws differ, the protection most favourable to you applies.