Skip to content
LucidFlow

Privacy Policy

Last updated: May 12, 2026

1. Identity & Contact

LucidFlow (lucidflow.ai) is an AI-powered business process transformation platform.

For any privacy-related inquiries, contact us at: privacy@lucidflow.ai

2. Data We Collect

Account Data

  • Email address and authentication credentials (managed by Supabase Auth)
  • Name, profile picture, and provider ID if you sign in with Google OAuth or LinkedIn (LinkedIn OIDC scope: openid, profile, email)

Process Data

  • Documents you upload (stored in Supabase Storage)
  • Extracted text from your documents (stored in our database for analysis)
  • Generated BPMN diagrams, optimization results, and conversation history

Payment Data

Payments are processed by Stripe. We store your Stripe customer ID and subscription status, but never your card details.

Technical Data

  • IP address (used for rate limiting and abuse prevention)
  • Standard HTTP headers (browser type, language preferences)

3. How We Use Your Data

  • To provide the BPMN mapping and optimization service
  • To process payments via Stripe
  • To enforce usage limits based on your subscription plan
  • To protect against abuse (CAPTCHA verification, rate limiting)
  • To analyze product usage and improve the service. Detailed client-side analytics (page views, autocaptured clicks, session recordings) only run with your cookie consent. Minimal server-side product event data (account, plan tier, feature usage) is processed under our legitimate interest (GDPR Art. 6(1)(f)) without IP, geolocation, or device fingerprinting. You may opt out of the server-side analytics at any time in Settings → Privacy & Analytics.

4. Third-Party Processors

  • Supabase: Database, authentication, and file storage (EU-available regions)
  • Stripe: Payment processing (PCI DSS compliant)
  • Google Gemini API: Document analysis via AI. Documents are sent for analysis and extracted text is retained in our database for session continuity. Raw uploaded files are stored in Supabase Storage and deleted when you delete a session.
  • Anthropic Claude API: AI fallback provider (Anthropic, United States). Used only when a Google Gemini request fails: the same document content is then sent to the Anthropic Claude API for that single request. Configured with zero data retention (ZDR): Anthropic does not store prompts or outputs and does not use them to train its models.
  • Render: Application hosting
  • Cloudflare Turnstile: CAPTCHA verification for abuse prevention
  • PostHog: Product analytics. Two channels: (1) detailed client-side analytics (page views, autocaptured clicks) only runs when you accept analytics cookies; (2) minimal server-side events (account, plan tier, feature usage) are sent without IP or device fingerprinting under legitimate interest, with explicit opt-out in Settings → Privacy & Analytics. Data hosted in the EU (eu.i.posthog.com). See PostHog's privacy policy: https://posthog.com/privacy
  • LinkedIn: Identity provider for LinkedIn sign-in (LinkedIn Ireland Unlimited Company / Microsoft). Used only when you choose to sign in with LinkedIn. See LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy

5. International Data Transfers

Some of our processors operate outside the European Union, the United Kingdom, Switzerland, and Canada (notably Google Gemini, Anthropic, Stripe, and LinkedIn in the United States). When we transfer your personal data outside these jurisdictions, we rely on appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, with the UK Addendum where applicable
  • EU-US Data Privacy Framework (DPF) and Swiss-US DPF certifications where the recipient is enrolled
  • Equivalent contractual safeguards for transfers governed by Quebec Law 25 (privacy impact assessment on file) and the Swiss nFADP

You can request a copy of the transfer mechanism for any specific processor at privacy@lucidflow.ai.

6. Automated Decision-Making & AI

LucidFlow uses AI (Google Gemini as the primary provider, with Anthropic Claude as a fallback when a Gemini request fails) to generate BPMN diagrams, optimization suggestions, AI transformation plans, and tool recommendations from the documents you provide.

These AI-generated outputs are suggestions intended to assist your decision-making. They do not produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22, Quebec Law 25 section 12.1, or Swiss nFADP article 21. You retain full control: you can edit, accept, reject, or ignore any AI output before it is applied to your business.

If you have questions about how an AI suggestion was produced, or want a human to review a specific output, contact privacy@lucidflow.ai.

7. Data Retention

  • Your data is retained as long as your account is active.
  • When you delete a session, all associated documents, extracted text, BPMN results, and conversation history are permanently deleted.
  • You can delete your account at any time from the Settings page. All data is permanently removed.
  • After account deletion, your payment processor records (Stripe customer ID and billing history) are retained in accordance with financial record-keeping obligations and to prevent service abuse. No personal data beyond your email association in Stripe is retained.

8. Your Rights (GDPR / EU & UK)

  • Right to access: You can view all your data within the application.
  • Right to deletion: You can delete individual sessions and all associated data. You can also delete your entire account from the Settings page.
  • Right to data portability: Export the full set of personal data we hold about you (sessions, BPMN content, conversations, subscription details) free of charge in structured JSON from Settings → Export Your Data. Visual exports (PNG, SVG, PDF) are paid product features and are separate from this legal right.
  • Right to rectification: Contact us to correct any inaccurate personal data.
  • Right to object & restrict processing: You may object to processing based on legitimate interest (e.g., server-side analytics) at any time in Settings → Privacy & Analytics.
  • Right to lodge a complaint: You may lodge a complaint with your national supervisory authority (e.g., the CNIL in France, the AEPD in Spain, the ICO in the United Kingdom, or any other EU/EEA Data Protection Authority).

To exercise any of these rights, contact: privacy@lucidflow.ai

9. Quebec Residents (Law 25)

If you reside in Quebec, the Act respecting the protection of personal information in the private sector ("Law 25") provides you with the rights set out below in addition to the rights described above.

Person in charge of the protection of personal information

Our designated person in charge of personal information protection can be reached at privacy@lucidflow.ai. Written requests must include enough information for us to verify your identity.

Your Law 25 Rights

  • Right of access and information: You may request a copy of the personal information we hold about you and information about how it is used and to whom it is communicated. A complete machine-readable copy is available free of charge from Settings → Export Your Data.
  • Right of rectification: You may have any inaccurate, incomplete, or equivocal personal information corrected.
  • Right of de-indexation and cessation of dissemination: You may request that we cease disseminating personal information about you or that any hyperlink giving access to that information by a technological means be de-indexed, where the conditions of section 28.1 of Law 25 are met.
  • Right regarding automated decisions: Where a decision producing legal effects or significantly affecting you is based exclusively on automated processing, you may request the personal information used and obtain the reasons leading to that decision. As stated in section 6, LucidFlow's AI outputs are suggestions and do not constitute such decisions.

Personal information of Quebec residents may be transferred outside Quebec to the United States and the European Union for processing by our service providers. We have completed a privacy impact assessment for these transfers, which can be summarized on request.

You may lodge a complaint with the Commission d'accès à l'information du Québec (CAI): https://www.cai.gouv.qc.ca

10. Swiss Residents (nFADP)

If you reside in Switzerland, the revised Federal Act on Data Protection (nFADP, in force since 1 September 2023) applies to the processing of your personal data. The rights described in section 8 (access, rectification, deletion, portability, objection) apply to you on an equivalent basis.

Where personal data is transferred to the United States or other countries without an adequacy decision recognized by Switzerland, we rely on Standard Contractual Clauses or, where applicable, the Swiss-US Data Privacy Framework.

You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC / PFPDT): https://www.edoeb.admin.ch

11. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA) provides you with the rights set out below.

Categories of Personal Information Collected

  • Identifiers: email address, account credentials, IP address, OAuth provider ID (Google, LinkedIn)
  • Commercial information: subscription status, billing history, usage records
  • Internet activity: browser type, language preferences, interaction with our service
  • Professional information: uploaded business process documents and generated BPMN diagrams

Sensitive Personal Information

We do not collect sensitive personal information as defined by CPRA (such as Social Security numbers, precise geolocation, biometric or health data, race, religion, sexual orientation, or contents of private communications).

Business Purposes for Collection

  • Providing and improving the BPMN mapping, optimization, and AI transformation service
  • Processing payments and managing subscriptions via Stripe
  • Protecting against abuse, enforcing rate limits, and ensuring service security

No Sale, Limited Sharing

LucidFlow does not sell personal information. The only "sharing" within the meaning of CCPA/CPRA is opt-in product analytics (PostHog) when you accept analytics cookies. You can opt out at any time in Settings → Privacy & Analytics or by declining the cookie banner.

Your CCPA / CPRA Rights

  • Right to know: You can request details about the categories and specific pieces of personal information we have collected about you. A complete machine-readable copy is available free of charge from Settings → Export Your Data.
  • Right to delete: You can request deletion of your personal information. Use the Settings page or contact us.
  • Right to correct: You can request correction of inaccurate personal information we maintain about you.
  • Right to opt-out of sale/sharing: As stated above, we do not sell personal information. To opt out of the analytics-based "sharing", decline analytics cookies or use Settings → Privacy & Analytics.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA / CPRA rights.
  • Authorized agent: California residents may designate an authorized agent to submit requests on their behalf, with verifiable proof of authorization.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@lucidflow.ai or use the data export and deletion features in your account Settings.

We will respond to verifiable consumer requests within 45 calendar days. If we need more time (up to 90 days total), we will notify you of the reason and extension period.

12. Cookies

We use two categories of cookies:

Essential Cookies

Required for authentication session management (Supabase Auth). These cannot be disabled.

Analytics Cookies (Optional)

When you accept analytics cookies, we use PostHog to collect anonymized usage data such as page views, feature interactions, and navigation patterns. This helps us improve LucidFlow. Analytics data is hosted in the EU (eu.i.posthog.com). You can opt out at any time by declining analytics cookies or by contacting privacy@lucidflow.ai.

We do not use marketing or advertising cookies.

13. Security & Breach Notification

  • All data is transmitted over HTTPS with TLS encryption.
  • Database access is protected by Row Level Security (RLS) policies.
  • Authentication is handled by Supabase Auth with Google OAuth and LinkedIn OIDC support.
  • Payment data is processed exclusively by Stripe and never touches our servers.
  • In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Art. 33-34, Quebec Law 25 section 3.5, and Swiss nFADP article 24.

14. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.

← Back to home