Privacy Policy
Last updated: March 2026
The Short Version
H Russo LLC, an Illinois limited liability company, operates Flowstate (useflowstate.app). In this policy, "Flowstate," "we," "us," and "our" refer to H Russo LLC. We collect the minimum data needed to run Flowstate. We don't sell your data. We use trusted third-party services to process payments, send messages, and power AI features. Your customers' data stays yours.
What We Collect
Account Information
When you sign up, we collect your email address and business information you provide (business name, phone, address, industry, etc.). This is used to operate your account and customize your Flowstate experience.
Lead and Customer Data
When your customers submit inquiries through your Flowstate widget, booking page, or other channels, we store their contact information, messages, and interaction history. This data belongs to you — we're storing and processing it on your behalf as a data processor.
Business Operations Data
We store data related to your business operations, including jobs and service records, invoices and payment records, appointment bookings and calendar data, and team member information and roles.
Website Content
If you use our website builder, we store all content you create or that our AI generates for your website, including text, images, theme settings, and configuration.
AI Interaction Data
We store AI-generated responses, coaching interactions, and business intelligence insights created by the platform. We also maintain AI memory and learning data (text embeddings) to improve the quality of AI responses for your specific business over time.
Communications
We store SMS and email messages sent and received through the platform on your behalf, including message content, delivery status, and timestamps.
Usage and Analytics Data
We collect basic analytics about how you use Flowstate to improve the product, including pages viewed, features used, and performance metrics. We also capture marketing attribution data (UTM parameters) when you first visit our site to understand how you found us.
Payment Information
Payment processing is handled entirely by Stripe. We never see or store your full credit card number. We only receive confirmation of payment status and basic transaction details.
How We Use Your Data
- Operating and improving Flowstate
- Sending leads, alerts, and communications on your behalf
- Generating AI responses, website content, and business insights
- Training AI memory to improve response quality for your business
- Processing payments and invoices
- Synchronizing calendar and booking data
- Sending service-related emails (not marketing spam)
- Providing customer support
- Analyzing usage to improve the product
Third-Party Services
We use trusted services to power different parts of Flowstate. These services constitute our sub-processors. We only share the minimum data required for them to function:
- Supabase — Database and authentication
- Stripe — Payment processing
- Anthropic (Claude) — AI-powered responses and business intelligence
- OpenAI — Text embeddings for search and AI memory
- Resend — Email delivery
- Twilio — SMS delivery
- Google — Calendar integration (when connected by you)
- Microsoft — Outlook calendar integration (when connected by you)
- Vercel — Hosting and website delivery
- Upstash — Rate limiting and task scheduling
- Pixabay — Stock photos for the website builder
- Serper — Web search for competitor analysis
- Sentry — Error tracking (anonymized, emails stripped)
Each service has its own privacy policy. A Data Processing Agreement (DPA) is available upon request by contacting legal@useflowstate.app.
AI and Your Data
Flowstate uses two AI providers to power its features:
- Anthropic (Claude) — generates AI responses, website content, business coaching, and intelligence. We send relevant context (your business info, lead messages) to Anthropic's API. Anthropic does not train their models on API data.
- OpenAI — creates text embeddings used for search and AI memory. Business data is embedded via OpenAI's API to improve response relevance. OpenAI does not train their models on API data by default.
AI responses are generated in real time. Neither provider retains your data beyond their standard API logging practices.
Cookies
We use cookies for authentication, preferences, and analytics. For full details on what cookies we use and how to manage them, see our Cookie Policy.
Data Retention
We keep your core business data (leads, invoices, jobs, website content) as long as your account is active. After cancellation, your data is retained in case you resubscribe. You can permanently delete your business and all associated data at any time from Settings.
Some data is automatically cleaned up on shorter schedules:
- Page view analytics — 90 days
- Webhook processing logs — 30 days
- Business activity logs — 180 days
- AI coaching queries — 90 days
- Expired booking tokens — 7 days after expiry
Deletion is permanent and includes all leads, conversations, website content, invoices, bookings, team data, and AI analysis. Your subscription will be cancelled immediately.
Your Rights
You can:
- Access your data anytime through your dashboard
- Export your business data in JSON format from your account settings
- Delete your account and all data from your account settings
- Update your information at any time
For California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know — You can request details about the personal information we collect, use, and disclose.
- Right to delete — You can request deletion of your personal information (available self-service from your account settings).
- Right to opt out of sale — We do not sell your personal information. We have never sold personal information and have no plans to do so.
- Non-discrimination — We will not discriminate against you for exercising your CCPA rights.
For European Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:
Legal basis for processing: We process your data based on contractual necessity (to provide the service you signed up for), legitimate interest (to improve and secure Flowstate), and consent (for optional features like analytics and calendar integrations).
Your additional rights include:
- Right to data portability (export in machine-readable format)
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with your local data protection authority
International data transfers: Your data is processed in the United States. Our sub-processors (listed above) are primarily US-based. By using Flowstate, you consent to the transfer of your data to the United States.
Security
We use industry-standard security measures including encryption in transit (HTTPS), encrypted database connections, row-level security policies, CSP headers with nonce-based script protection, and secure authentication. Access to production systems is restricted and logged.
Changes to This Policy
We'll notify you of significant changes via email. Minor clarifications may be made without notice. The "last updated" date at the top will always reflect the current version.
Contact
Flowstate is a product of H Russo LLC, an Illinois limited liability company. Questions about privacy? Email us at legal@useflowstate.app