Zum Inhalt springen

Privacy Policy

This is the English-language version of our privacy notice. A German version is available at /datenschutz.

Flowent AI Studio is offered to businesses (B2B) only and is not directed at consumers. References to “you” in this policy mean the natural persons whose personal data we process, including our customers’ users and individuals who interact with our services (for example, callers who speak with an AI voice assistant).

1. At a glance

General information

This notice explains, in plain terms, what happens to your personal data when you use Flowent AI Studio or our website. “Personal data” means any information relating to an identified or identifiable natural person.

Who is responsible?

The controller responsible for processing personal data on this website and platform is identified in the “Controller” section below. For many processing activities carried out on behalf of our business customers, the customer acts as the controller and Flowent acts as a processor; in those cases our Data Processing Agreement (DPA) governs the relationship.

How do we collect your data?

Some data is collected because you provide it to us — for example, when you register, complete a form, connect an integration, or interact with an AI agent. Other data is collected automatically by our IT systems when you use the service, primarily technical data such as browser type, operating system, and the time of a request.

What do we use your data for?

We process data to provide the website reliably and securely, to deliver our AI-powered services (agent conversations, pipeline executions, AI telephony), and to maintain and improve service quality. We do not sell your personal information and do not use it for cross-context behavioral advertising.

What rights do you have?

Depending on where you are located, you have rights of access, rectification, erasure, restriction, data portability, and objection (under the GDPR / UK GDPR), and rights to know, delete, correct, and opt out (under US state privacy laws). See sections 10–13 for details and how to exercise them.

2. Controller & general information

Controller

The controller responsible for the processing of personal data on this website and platform is:

Luis Ens – Flowent
Am Neugraben 9
79112 Freiburg
Germany
Email: anfrage@flowent.de

Flowent is operated as a sole proprietorship (Einzelunternehmen) under German law; it is not a limited liability company (GmbH).

Data security

We take the protection of your personal data seriously and process it confidentially, in accordance with applicable data protection law and this notice. Please note that data transmission over the internet (for example, by email) can have security gaps; complete protection of data against access by third parties is not possible.

Withdrawal of consent

Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.

Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement. Our lead supervisory authority is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg). Residents of the United Kingdom may contact the Information Commissioner’s Office (ICO) — see section 13.

3. Data we process

Account data

When you register, we collect your name and email address, a securely hashed password (bcrypt hash with a dynamic cost factor), and the time of registration. You may optionally provide further profile details (display name, profile picture, biography, location, pronouns, job title); these are voluntary. If you enable two-factor authentication (2FA), we store an encrypted TOTP secret (RFC 6238) and one-time recovery codes used solely to secure your account. If you sign in via a third-party provider (Google, GitHub) or a passkey (WebAuthn / FIDO2), we receive only the identifiers needed for sign-in; with passkeys, your private key never leaves your device.

Device & security data

To protect your account, on each sign-in we record your IP address and user-agent, a pseudonymized device hash (derived from the user-agent and a partial IP), device information (browser, operating system, device type), and the time of last sign-in. When an unknown device is detected, you receive a security notification by email.

Voice & call data

Where our AI telephony features are used, we process the live audio stream, optional call recordings (MP3), transcripts, AI-generated summaries, detected topics, and call metadata (duration, time, phone number). See section 6 for full details, including information for third-party callers.

AI conversation data

When you use our AI agents, your messages and the agents’ responses are stored in our database so we can provide your conversation history. We also store token usage, the model used, and response times for quality assurance. This data is used solely to provide our service.

Integration data

If you choose to connect optional third-party services, we process the data you authorize us to import (for example, CRM contacts, documents, pages, records, messages). See section 7.

Cookies, local storage & server logs

We use strictly necessary cookies for authentication and security:

  • sintra.sid (httpOnly) – your encrypted session token (JWT). Lifetime: 7–14 days.
  • sintra.csrf – CSRF protection token for form submissions. Lifetime: 24 hours.
  • sintra_email_verified – indicates email verification status. Lifetime: 7 days.

We also store certain data in your browser’s local storage (session data such as your user ID, display name, email, and role; preferences such as theme and language). This data stays in your browser and is not transmitted to third parties. Our hosting provider automatically records server log files (browser type and version, operating system, referrer URL, requesting host, request time, and IP address); this data is not combined with other sources.

We use Vercel Analytics and Vercel Speed Insights for privacy-friendly, cookieless reach and performance measurement. Your IP address is processed only briefly and not stored permanently; individual visitors are not re-identified.

4. Purposes & legal bases (GDPR Art. 6 / 9)

We process personal data on the following legal bases under Article 6(1) GDPR:

  • Art. 6(1)(b) – performance of a contract: account creation and management, providing the platform, AI agent conversations, pipeline executions, AI telephony, and payment processing.
  • Art. 6(1)(f) – legitimate interests: securing the website and accounts (device recognition, security notifications, fraud prevention), strictly necessary cookies, error monitoring, and privacy-friendly reach measurement.
  • Art. 6(1)(a) – consent: optional third-party integrations that you connect via OAuth, and call recordings where consent is the chosen basis. You may withdraw consent at any time.
  • Art. 6(1)(c) – legal obligation: retention required by tax and commercial law.

Special categories of data (Art. 9 GDPR): we do not intentionally collect special-category data. However, calls in sensitive contexts (for example, medical practices) may incidentally include health data. Any such processing is carried out only on the basis of your explicit consent (Art. 9(2)(a) GDPR) or for the purposes of health care (Art. 9(2)(h) GDPR), and while observing applicable professional confidentiality obligations. Please do not enter sensitive personal data (health data, financial information, government identifiers) into agent conversations. AI-generated content does not constitute legal, financial, or medical advice.

Where we act on instructions from our business customers as a processor, the customer determines the purposes and means of processing as the controller, and our DPA governs that relationship.

5. AI & voice subprocessors

To provide our AI-powered services we engage specialized subprocessors under data processing agreements (Art. 28 GDPR). We distinguish between the voice path (AI telephony) and the text-chat path (text-based agents).

Voice LLM: Anthropic via AWS Bedrock (EU)

Language-model inference during an AI call is performed exclusively using models from Anthropic, operated in the EU region AWS eu-central-1 (Frankfurt) via Amazon Bedrock. We apply EU-only routing — no voice or conversation data from the voice path is sent to OpenAI.

Text-chat LLM: OpenAI API

For text-based AI agents (chat) we use the API of OpenAI, Inc. (San Francisco, CA, USA). OpenAI is used only in the text-chat path and not in the voice path. Your prompts and recent conversation context are transmitted to OpenAI. API data is processed under OpenAI’s API data usage policy and is not used to train their models. Transfers to the US rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).

Overview of AI & voice subprocessors

The following providers process data on our behalf in the AI and voice context (provider / role / location / transfer basis):

  • Telnyx LLC (USA) – telephony / SIP trunking, raw audio transport, phone numbers; SCCs (Implementing Decision 2021/914) + DPA.
  • Deepgram, Inc. (EU endpoint enforced) – speech-to-text (raw audio stream); DPA; SCCs for remaining components.
  • Anthropic via AWS Bedrock (EU, AWS eu-central-1 Frankfurt) – voice LLM inference (primary & exclusive); AWS DPA, EU inference.
  • Fish Audio (Singapore) – text-to-speech (primary); SCCs + transfer impact assessment (no DPF / adequacy decision).
  • ElevenLabs, Inc. (USA) – text-to-speech (fallback); SCCs + DPA.
  • Cartesia, Inc. (USA) – text-to-speech (fallback); SCCs.
  • Cloudflare, Inc. (R2) (EU, Frankfurt) – audio & transcript storage; SCCs + DPA.
  • OpenAI, Inc. (USA) – LLM inference for text-chat agents only (not in the voice path); EU-US DPF + SCCs.

A current list of subprocessors is maintained alongside our DPA. The legal basis for using AI services is Art. 6(1)(b) GDPR (performance of a contract). Where data is transferred outside the EEA, the safeguards described in section 8 apply.

6. Voice & call data

Our platform enables operators (our customers) to run AI-assisted phone calls. The following information is addressed (under Art. 13 and 14 GDPR) to all callers — including third parties who are not contractual users themselves but merely speak with an AI phone assistant.

Who is affected?

All persons who take part in a call handled through our platform — in particular callers and called parties — regardless of whether they have entered into a contract with us.

What data is processed?

  • Audio stream (in real time, for speech processing)
  • Call recording (MP3, where enabled)
  • Transcript (written record of the conversation)
  • AI summary of the conversation
  • Detected topics
  • Metadata (duration, time, phone number)

Recording notice & AI disclosure

AI calls are conducted on the basis of Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in handling enquiries efficiently by phone). A recording is made only after a prior notice and an opportunity to object, based on legitimate interest (Art. 6(1)(f) GDPR) or your consent (Art. 6(1)(a) GDPR). At the start of each call you are informed that (a) you are speaking with an AI assistant and (b) the call may be recorded; this AI disclosure is provided in line with Art. 50 of the EU AI Act. You can object to a recording at any time — by saying “No” or by pressing key 9.

Recipients / subprocessors

To deliver the AI call, data is transmitted to: Telnyx (telephony), Deepgram (speech-to-text, EU), Anthropic via AWS Bedrock EU (LLM inference), Fish Audio and, as fallback, ElevenLabs and Cartesia (text-to-speech), and Cloudflare R2 (audio storage, EU). Details on location and transfer basis are in sections 5 and 8.

Your rights as a caller

You have the rights of access, erasure, and objection (Art. 15 to 21 GDPR). You can request the deletion of a recording from the relevant controller (the operator of the phone line). On request, we will forward your request to the responsible controller.

7. Third-party integrations

You can optionally connect external services to our platform to import data or interact with them. These integrations are entirely voluntary and are connected only by you via OAuth. You can disconnect at any time in your account settings; on disconnection, stored tokens are irreversibly deleted. The legal basis for processing under these integrations is Art. 6(1)(a) GDPR (consent). All OAuth tokens and API keys are stored encrypted in our database using AES-256-GCM, with the encryption key kept separately from the database.

The following providers may process data through the optional integrations you connect (provider / purpose / location / transfer basis):

  • HubSpot, Inc. (Cambridge, MA, USA) – CRM contact import (name, email, phone, company, role); USA; EU-US DPF + SCCs.
  • Notion Labs, Inc. (San Francisco, USA) – import of pages / database content; USA; SCCs + transfer impact assessment (no DPF).
  • Dropbox, Inc. (San Francisco, USA) – file / document import; USA; SCCs + TIA.
  • Formagrid, Inc. (Airtable) (San Francisco, USA) – import of tables / records; USA; SCCs + TIA.
  • Intercom, Inc. (San Francisco, USA) – import of Help Center articles; USA; EU-US DPF + SCCs.
  • Microsoft Ireland Operations Ltd. / Microsoft Corp. (Microsoft 365, OneDrive/SharePoint) – login, file import, profile (User.Read); EU/USA; EU Data Boundary + SCCs.
  • Google Ireland Ltd. (Google Workspace: Gmail, Calendar, Drive, Sheets, Tasks, Contacts) – OAuth read & write access (incl. gmail.send/modify, calendar.events); EU/USA; EU-US DPF + SCCs.
  • Slack (Salesforce, Inc.) (USA) – import of messages / channels; USA; EU-US DPF + SCCs.

Where US transfers occur for these integrations, the safeguards described in section 8 apply.

8. International data transfers

EU data residency

Our primary data and database are located in the European Union. The database (Supabase / PostgreSQL) is operated in the EU (Ireland, eu-west-1). Audio and transcript storage uses Cloudflare R2 in the EU (Frankfurt). Voice LLM inference (Anthropic via AWS Bedrock) takes place in the EU (AWS eu-central-1, Frankfurt), and speech-to-text (Deepgram) is processed via an EU endpoint. Data is transferred to services outside the EEA only for the purposes described in this notice.

Transfers to third countries

Some of our providers are located outside the EEA — in particular in the United States and Singapore. Transfers of personal data to those providers rely on the following safeguards:

  • EU-US Data Privacy Framework (DPF): OpenAI, Vercel, Stripe, Sentry, GitHub, Google, Slack (Salesforce), HubSpot, and Intercom are certified under the DPF, recognized by the European Commission as providing an adequate level of protection on 10 July 2023.
  • Standard Contractual Clauses (SCCs): where no DPF certification applies, we use the SCCs approved by the European Commission (Implementing Decision 2021/914) under Art. 46(2)(c) GDPR.
  • Transfer impact assessment (TIA): for transfers to Singapore (Fish Audio) and for optional integrations without DPF certification (Notion, Dropbox, Airtable), no adequacy decision exists; transfers rely on SCCs together with a documented transfer impact assessment.

Services involved

  • Telnyx LLC (USA) – telephony / SIP trunking, raw audio, phone numbers; SCCs + DPA.
  • Deepgram, Inc. (EU endpoint enforced) – speech-to-text; DPA; SCCs for remaining components.
  • Anthropic via AWS Bedrock (EU, AWS eu-central-1 Frankfurt) – voice LLM inference; AWS DPA, EU inference.
  • Fish Audio (Singapore) – text-to-speech (primary); SCCs + TIA (no DPF / adequacy decision).
  • ElevenLabs, Inc. (USA) – text-to-speech (fallback); SCCs + DPA.
  • Cartesia, Inc. (USA) – text-to-speech (fallback); SCCs.
  • Cloudflare, Inc. (R2) (EU, Frankfurt) – audio & transcript storage; SCCs + DPA.
  • OpenAI, Inc. (USA) – LLM inference for text-chat agents only (not in the voice path); EU-US DPF + SCCs.
  • Vercel, Inc. (USA) – hosting & analytics; EU-US DPF + SCCs.
  • Stripe, Inc. (USA) – payment processing; EU-US DPF + SCCs.
  • Sentry / Functional Software, Inc. (USA) – error monitoring (no PII); EU-US DPF.
  • Resend, Inc. (USA) – transactional email; SCCs.
  • GitHub, Inc. (USA) – OAuth sign-in; EU-US DPF.
  • Optional integrations (HubSpot, Notion, Dropbox, Airtable, Intercom, Microsoft 365, Google Workspace, Slack) – see section 7.

Payment processing is handled by Stripe; we do not store payment card data. Transactional email is sent via Resend. Error monitoring via Sentry is error-only (no session replay, no performance tracing), with IP masking and removal of cookies and sensitive headers before transmission.

9. Retention

Unless a more specific retention period is stated in this notice, we keep your personal data until the purpose of processing no longer applies. AI agent conversation data is stored for the duration of your usage contract.

  • Account & contract data: deleted no later than 30 days after the end of the contract.
  • Call recordings, transcripts & metadata: retained for the configured retention period (default 90 days, configurable per agent) and then irreversibly deleted; in any case no later than 30 days after the end of the contract.
  • In-call conversation context: held in Redis with an automatic time-to-live (TTL) and expires automatically.
  • Audit logs: retained for 12 months.

Statutory retention obligations (for example under German tax and commercial law, § 257 HGB, § 147 AO) remain unaffected.

10. Your rights under the GDPR

If the GDPR applies to the processing of your personal data, you have the following rights:

  • Access (Art. 15): obtain confirmation of, and a copy of, the personal data we process about you, including its origin, recipients, and purpose.
  • Rectification (Art. 16): have inaccurate data corrected and incomplete data completed.
  • Erasure (Art. 17): have your data deleted where one of the legal grounds applies.
  • Restriction (Art. 18): restrict processing, for example where you contest the accuracy of the data.
  • Data portability (Art. 20): receive data you provided, processed by automated means on the basis of consent or contract, in a structured, commonly used, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent (Art. 7): withdraw consent at any time with effect for the future.
  • Complaint (Art. 77): lodge a complaint with a supervisory authority (see section 2).

To exercise any of these rights, contact us at anfrage@flowent.de. We respond without undue delay and, in any event, within the time limits required by law.

11. US privacy — California (CCPA/CPRA)

This section applies to California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Flowent provides its services to businesses, not to consumers; this section is provided for transparency and to honor applicable rights.

Notice at Collection

We may collect the following categories of personal information (PI), for the purposes described below:

  • Identifiers (name, email, account/user ID, IP address) – to create and secure accounts and provide the service.
  • Customer records (login credentials in hashed form, profile details) – to operate your account.
  • Internet/network activity (device information, server logs, usage data) – for security and service delivery.
  • Audio/electronic information (call audio, recordings, transcripts where applicable) – to provide AI telephony.
  • Commercial information (subscription/plan, transaction data via Stripe) – for billing.
  • Content you provide (AI agent messages, imported integration data) – to deliver the requested features.

Sources of PI include you directly, your use of the service, your authenticated integrations, and your authentication providers. We disclose PI to service providers (subprocessors) listed in sections 5, 7, and 8 for the limited purposes of providing the service.

We do not sell or share your personal information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not run targeted advertising based on your activity across other businesses or services. We also do not knowingly sell or share the PI of consumers under 16.

Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request. When a GPC signal is detected, a “Do Not Sell or Share” preference is recorded automatically for that browser.

Your consumer rights

  • Right to Know / Access: request the categories and specific pieces of PI we collected, the sources, purposes, and the categories of recipients.
  • Right to Delete: request deletion of PI we collected from you, subject to legal exceptions.
  • Right to Correct: request correction of inaccurate PI.
  • Right to Opt-out of Sale/Sharing: even though we do not sell or share PI, you may exercise this right at any time, including via GPC.
  • Right to Limit Use of Sensitive PI: direct us to limit the use of sensitive personal information to what is necessary to provide the service.
  • Non-discrimination: we will not discriminate against you for exercising any of your rights.

How to exercise your rights

You can record a “Do Not Sell or Share” preference and review your choices on our Your Privacy Choices page. For Right to Know, Delete, or Correct requests, contact us at anfrage@flowent.de. We will verify your request and respond within the timeframes required by law. You may use an authorized agent to submit a request on your behalf.

12. Other US state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) have analogous rights, which may include the rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of the sale of personal data and of targeted advertising. As noted above, we do not sell personal information and do not engage in cross-context behavioral / targeted advertising. Where required, we honor the GPC signal as an opt-out. To exercise these rights, use our Your Privacy Choices page or contact anfrage@flowent.de.

13. United Kingdom (UK GDPR)

For individuals in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply. Your rights under the UK GDPR mirror those described in section 10 (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent).

The supervisory authority in the UK is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. If you are in the UK, you have the right to lodge a complaint with the ICO. Transfers of personal data from the UK to third countries rely on the UK extension to the EU-US Data Privacy Framework, UK International Data Transfer Agreements, or the UK Addendum to the SCCs, as applicable.

14. Biometric data

We do not create voiceprints or other biometric identifiers. Voice audio is processed transiently to convert speech to text and to generate responses; we do not use voice data to uniquely identify an individual through biometric characteristics, and we do not build biometric templates. This is relevant to US state biometric privacy laws (for example, the Illinois Biometric Information Privacy Act, BIPA). For further detail, see our Biometric Data Policy.

15. Contact & related documents

For any privacy enquiry, or to exercise your rights, contact us at anfrage@flowent.de or by post at Luis Ens – Flowent, Am Neugraben 9, 79112 Freiburg, Germany.

Last updated: 2026-06-06