1. Introduction
Flowstate Industrial LLC ("Company," "we," "us") operates the Flowstate Industrial IIoT monitoring platform ("Service"). This Privacy Policy explains how we collect, use, store, and protect information when you use our Service.
We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) for EU/EEA users and relevant US state privacy laws.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address (via Clerk authentication)
- Organization name and details
- Billing information (processed by Stripe; we do not store card numbers)
2.2 Industrial Sensor Data
When you connect devices, the Service collects:
- Sensor readings (temperature, humidity, vibration, air quality, etc.)
- Device metadata (device IDs, firmware versions, battery levels)
- Network information (gateway IDs, signal strength)
- Timestamps and ISA-95 hierarchy context (enterprise, site, area, cell)
Sensor data does not include personally identifiable information (PII). It represents machine and environmental measurements from your manufacturing facility.
2.3 Usage Data
We automatically collect:
- Dashboard access logs
- Feature usage patterns
- Support chat interactions
- Browser type and IP address
2.4 Communication Data
If you contact us or use the Downtime Calculator, we collect the information you provide (name, email, company, project requirements).
2.5 Bring-Your-Own MQTT Broker (Connect Tier)
Customers on the Connect tier may host their own MQTT broker instead of using our managed HiveMQ Cloud broker. When you operate a BYO broker:
- Telemetry data from your devices transits your own infrastructure before reaching Flowstate.
- Flowstate receives only the data your bridge configuration forwards — you control what is transmitted.
- For data that stays within your infrastructure (pre-bridge), you are the data controller. For data forwarded to Flowstate, we are the processor under the agreement that governs your subscription.
- You are responsible for securing your broker (TLS, authentication, network isolation, access control). Flowstate is not liable for data exposure caused by misconfiguration of customer-hosted brokers.
- If you use a BYO broker, the HiveMQ Cloud row in Section 5 does not apply, because sensor data in transit never passes through our managed broker.
3. How We Use Your Information
We use your information to:
- Provide the Service: Process sensor data, generate dashboards, trigger alerts, run analytics
- AI Features: Power support chat and recommendation engine using your operational data
- Billing: Process payments and manage subscriptions
- Communication: Send transactional emails (order confirmations, alerts, shipping notifications)
- Improvement: Analyze usage patterns to improve the Service
- Support: Respond to your inquiries and resolve issues
- Security: Detect and prevent unauthorized access or abuse
We do not sell your data. We do not use your sensor data for advertising. We do not share your data with third parties except as described in Section 5.
4. Legal Basis for Processing (GDPR)
For EU/EEA users, we process personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service you subscribed to (account management, data processing, billing)
- Legitimate Interest: Usage analytics, security monitoring, and service improvement
- Consent: Marketing communications (you can opt out at any time)
- Legal Obligation: Compliance with applicable laws and regulations
5. Data Sharing and Third-Party Services
We share data with the following categories of service providers, solely to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication | Email, name |
| Stripe | Payments | Billing info, email |
| Convex | Backend/Database | All application data |
| HiveMQ Cloud | MQTT Broker | Sensor data in transit |
| InfluxDB Cloud | Time-series storage | Sensor data |
| Grafana Cloud | Visualization | Sensor data (read-only) |
| Resend | Transactional email | Email addresses, email content |
| Twilio | SMS notifications | Phone numbers, alert content |
| Anthropic | AI features (alerts, recommendations, support) | Operational context for real-time inference only. NOT used to train AI models. |
| Vercel | Hosting | IP addresses, request logs |
We do not share data with advertisers or data brokers. We may disclose information if required by law, court order, or to protect the rights and safety of our users.
6. Data Storage and Security
6.1 Storage Location
Data is stored in the United States via our cloud service providers. For EU/EEA users, data transfers are governed by Standard Contractual Clauses (SCCs) as required by GDPR.
6.2 Security Measures
- TLS 1.3 encryption for all data in transit (MQTT, HTTPS)
- Encryption at rest for stored data
- Authentication via Clerk with session management
- Tenant isolation (all queries filtered by organization ID)
- Rate limiting on API endpoints
- No plain-text storage of credentials
6.3 Data Retention
- Sensor data: Per plan (Pilot: 90 days, Production: 365 days, Enterprise: custom)
- Account data: Retained while your account is active, deleted 30 days after cancellation
- Support chat logs: Retained for 12 months
- Billing records: Retained as required by tax and financial regulations
6.4 Data Breach Notification
In the event of a data breach affecting your personal data or sensor data, Flowstate Industrial will:
- Notify affected customers within 72 hours of confirming the breach
- Notify relevant supervisory authorities within 72 hours where required by GDPR
- Provide a description of the breach, the types of data affected, and the measures taken to mitigate harm
- Designate a point of contact for questions related to the breach
Contact privacy@flowstateindustrial.com immediately if you believe your data has been compromised.
7. Your Rights
7.1 All Users
- Access: Request a copy of data we hold about you
- Correction: Update inaccurate information
- Deletion: Request deletion of your account and data
- Data Export: Request your data in a machine-readable format
- Opt-out: Unsubscribe from marketing emails at any time
7.2 EU/EEA Users (GDPR)
In addition to the above, you have the right to:
- Restrict Processing: Request we limit how we use your data
- Data Portability: Receive your data in a structured, commonly used format
- Object to Processing: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Lodge a Complaint: File a complaint with your local data protection authority
To exercise any of these rights, contact us at privacy@flowstateindustrial.com. We will respond within 30 days (or 72 hours for GDPR access requests).
8. Cookies and Tracking
The Service uses essential cookies for authentication and session management (via Clerk). We do not use advertising cookies or third-party tracking pixels.
- Essential cookies: Required for login, session persistence, and security. Cannot be disabled.
- Analytics: We may use privacy-respecting analytics to understand usage patterns. No PII is collected via analytics.
9. Children's Privacy
The Service is designed for business use by manufacturing professionals. We do not knowingly collect information from children under 16. If we learn that we have collected information from a child, we will delete it promptly.
10. International Data Transfers
If you are located outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU/EEA data transfers and compliance with applicable data transfer frameworks.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Effective Date" at the top indicates the latest revision.