Privacy Policy

Introduction

At Usable (operated by Flowcore), we are committed to protecting your privacy and being transparent about how we collect, use, and protect your personal data. This Privacy Policy explains our data practices in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Who We Are

Data Controller:
Flowcore
Vestara Bryggja 15
Tórshavn 100, Faroe Islands
Email: privacy@usable.dev

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Identity Data: Name, username, email address
• Authentication Data: Password (encrypted), authentication tokens
• Profile Data: Optional profile picture, bio, preferences
• Organization Data: Company name, team size (if provided)

1.2 Content You Create

When you use the Service, we store:

• Memory Fragments: Knowledge, recipes, solutions, templates, and other content you create
• Metadata: Titles, tags, timestamps, fragment types
• Workspace Data: Workspace names, descriptions, member lists
• Collaboration Data: Comments, edits, version history

1.3 Usage Data

We automatically collect:

• Log Data: IP address, browser type, device information, operating system
• Usage Analytics: Pages visited, features used, time spent, search queries
• Performance Data: Error logs, load times, API response times
• Session Data: Login times, session duration, authentication events

1.4 AI Processing Data

To provide AI-powered features, we generate:

• Semantic Embeddings: Vector representations of your content for search
• Relationship Graphs: Connections between fragments based on similarity and tags
• Search Analytics: Query patterns to improve search relevance

1.5 Cookies and Tracking

We use:

• Essential Cookies: Session management, authentication (necessary for service operation)
• Analytics Cookies: Usage tracking to improve the Service (with consent)
• Preference Cookies: Remember your settings and preferences

You can manage cookie preferences in your browser settings.

1.6 Information from Third Parties

We may receive data from:

• Authentication Providers: Keycloak (email, name, authentication status)
• Payment Processors: Stripe (payment status, subscription tier)
• Integration Partners: Data you authorize us to access (e.g., GitHub repositories)

2. How We Use Your Information

2.1 Service Provision

We use your data to:

• Provide and maintain the Usable platform
• Process your authentication and access control
• Store and organize your memory fragments
• Enable semantic search and knowledge graphs
• Facilitate workspace collaboration
• Provide customer support

Legal Basis (GDPR): Contract performance (Art. 6(1)(b))

2.2 Service Improvement

We use aggregated and anonymized data to:

• Analyze usage patterns and feature adoption
• Improve search algorithms and AI models
• Identify and fix bugs and performance issues
• Develop new features based on user needs

Legal Basis (GDPR): Legitimate interests (Art. 6(1)(f))

2.3 Communication

We may contact you for:

• Service announcements and updates
• Security alerts and policy changes
• Subscription and billing notifications
• Customer support responses
• Marketing (with your consent)

Legal Basis (GDPR): Contract performance (transactional), Consent (marketing)

2.4 Security and Fraud Prevention

We process data to:

• Detect and prevent unauthorized access
• Identify suspicious activity and abuse
• Enforce our Terms of Service
• Comply with legal obligations

Legal Basis (GDPR): Legitimate interests, Legal obligation (Art. 6(1)(c))

2.5 Legal Compliance

We may process data to:

• Respond to legal requests (subpoenas, court orders)
• Comply with data protection regulations
• Protect our legal rights and property
• Prevent illegal activities

Legal Basis (GDPR): Legal obligation, Legitimate interests

3. Data Storage and Security

3.1 Where We Store Data

Your data is stored:

• Primary Servers: [Cloud Provider - e.g., AWS, Google Cloud] in [Region - e.g., EU]
• Event Storage: Flowcore event sourcing system (immutable audit trail)
• Backups: Encrypted backups in multiple geographic locations

International Transfers: If data is transferred outside the EU/EEA, we use:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Other approved transfer mechanisms

3.2 Security Measures

We implement:

• Encryption in Transit: TLS 1.3 for all data transmission
• Encryption at Rest: AES-256 encryption for stored data
• Access Controls: Role-based access control (RBAC), least privilege principle
• Authentication: Multi-factor authentication (MFA) support
• Monitoring: 24/7 security monitoring and intrusion detection
• Auditing: Comprehensive audit logs for all data access

3.3 Data Retention

We retain your data:

• Active Accounts: As long as your account is active
• Deleted Content: 30 days in backups after deletion (for recovery)
• Closed Accounts: 30 days after account closure
• Legal Obligations: Longer if required by law (e.g., financial records)

After retention periods, data is permanently deleted using secure erasure methods.

3.4 Event Sourcing Architecture

Usable uses event sourcing, meaning:

• All changes are recorded as immutable events
• Events contain metadata (who, what, when) for audit trails
• Events are stored in Flowcore (separate from the main database)
• Read models (database) can be rebuilt from events

Implication: Some audit data may be retained longer for compliance and system integrity.

4. Data Sharing and Disclosure

4.1 Within Workspaces

Your content is shared with:

• Workspace Members: Users you invite to your workspaces
• Workspace Owners: Users who create and manage workspaces you join

You control sharing by managing workspace membership and permissions.

4.2 Service Providers

We share data with third-party processors who help us operate the Service:

• Hosting Providers: [AWS, Google Cloud] - infrastructure
• Authentication: Keycloak - identity management
• Payment Processing: Stripe - subscription billing
• Email Services: [Provider] - transactional emails
• Analytics: [Provider] - usage analytics (anonymized)

All processors are bound by data processing agreements (DPAs) and GDPR requirements.

4.3 Legal Requirements

We may disclose data when required by:

• Court orders, subpoenas, or legal processes
• Law enforcement requests (with proper legal basis)
• National security requirements
• Protection of our rights or safety of others

We will notify you of such requests unless prohibited by law.

4.4 Business Transfers

If Flowcore is involved in a merger, acquisition, or sale of assets:

• Your data may be transferred to the acquiring entity
• We will notify you before your data is subject to a different Privacy Policy
• You may delete your account before the transfer

4.5 What We Don't Share

We never sell your personal data to third parties for marketing purposes.

We never use your content to train AI models for other users or external purposes.

5. Your Privacy Rights (GDPR)

If you are in the EU/EEA, you have the following rights:

5.1 Right of Access (Art. 15)

You can request a copy of all personal data we hold about you.

5.2 Right to Rectification (Art. 16)

You can correct inaccurate or incomplete personal data.

5.3 Right to Erasure (Art. 17)

You can request deletion of your personal data ("right to be forgotten") unless:

• We need it to comply with legal obligations
• It's necessary for establishing or defending legal claims

5.4 Right to Restriction (Art. 18)

You can request we limit processing of your data in certain circumstances.

5.5 Right to Data Portability (Art. 20)

You can receive your data in a structured, machine-readable format and transfer it to another service.

Export Formats: JSON, CSV, Markdown

5.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.

5.7 Right to Withdraw Consent (Art. 7(3))

You can withdraw consent for marketing communications or optional data processing at any time.

5.8 Right to Lodge a Complaint

You can file a complaint with your national data protection authority:

• Faroe Islands: Dátueftirlitið (www.dat.fo)
• Denmark: Datatilsynet (www.datatilsynet.dk)

How to Exercise Your Rights

Email: privacy@usable.dev
Subject: "GDPR Request - [Your Name]"

We will respond within 30 days.

6. Children's Privacy

Usable is not intended for children under 16. We do not knowingly collect data from children. If we learn we have collected data from a child under 16, we will delete it immediately.

Parents: If you believe your child has provided data to us, contact privacy@usable.dev.

7. Marketing Communications

7.1 Transactional Emails

We send essential emails (account verification, password resets, billing) as part of the Service. You cannot opt out of these.

7.2 Marketing Emails

We may send promotional emails with your explicit consent:

• Product updates and new features
• Tips and best practices
• Community events and webinars

Opt-Out: Click "Unsubscribe" in any marketing email or manage preferences in your account settings.

8. Third-Party Links and Integrations

8.1 External Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices. Review their privacy policies before providing data.

8.2 Integrations

When you connect third-party services (GitHub, Slack):

• You authorize us to access data as specified in the integration
• We only access data necessary to provide the integration
• You can disconnect integrations at any time

9. Cookies Policy

9.1 Essential Cookies

Required for the Service to function:

• session_token - Authentication (expires: session)
• csrf_token - Security (expires: session)

Legal Basis: Legitimate interests (necessary for service operation)

9.2 Analytics Cookies (Optional)

Help us understand usage patterns:

• _ga, _gid - Google Analytics (expires: 2 years)
• usage_tracking - Internal analytics (expires: 1 year)

Legal Basis: Consent

9.3 Preference Cookies (Optional)

Remember your settings:

• theme - UI theme preference (expires: 1 year)
• language - Language preference (expires: 1 year)

Legal Basis: Consent

9.4 Managing Cookies

You can:

• Manage preferences in your account settings
• Block cookies in your browser (may affect functionality)
• Use browser extensions to control tracking

10. Data Breach Notification

In the event of a data breach affecting your personal data:

• We will notify you within 72 hours (as required by GDPR Art. 33-34)
• Notification includes: nature of breach, data affected, mitigation steps
• We will notify relevant data protection authorities
• We maintain an incident response plan to minimize impact

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

AI features (semantic search, recommendations) are advisory only and do not make decisions about you.

12. International Users

12.1 EU/EEA Users

This Privacy Policy complies with GDPR. Your data is processed in accordance with EU data protection standards.

12.2 UK Users

We comply with the UK GDPR and Data Protection Act 2018.

12.3 US Users

We do not participate in the EU-US Data Privacy Framework (if applicable) but use SCCs for transfers.

12.4 Other Countries

We comply with local data protection laws where applicable. If your country has stricter requirements, those apply.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

• Changes in data practices
• New legal requirements
• Service improvements

Notification:

• Email notification for material changes
• In-app notification when you next log in
• Effective date displayed at the top of the policy

Your Options:

• Continue using the Service (acceptance of updated policy)
• Delete your account if you disagree with changes

14. Contact Us

For privacy-related questions or requests:

Email: privacy@usable.dev
Mailing Address:
Flowcore
Vestara Bryggja 15
Tórshavn 100, Faroe Islands

Response Time: We aim to respond within 3 business days.

15. Definitions

• Personal Data: Any information relating to an identified or identifiable person
• Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
• Data Controller: Flowcore (determines purposes and means of processing)
• Data Processor: Third parties processing data on our behalf
• Data Subject: You (the individual whose data is processed)

Acknowledgment

By clicking "Accept" or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein.

Compliance Framework: GDPR, ePrivacy Directive, Data Protection Act

Usable, operated by Flowcore Sp/f ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website usable.dev and use our services.

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when you:

• Create an account or register for our services
• Subscribe to our newsletter or marketing communications
• Contact us with inquiries or feedback
• Participate in surveys, promotions, or events

This information may include your name, email address, company name, and any other information you choose to provide.

1.2 Information Collected Automatically

When you visit our website, we automatically collect certain information, including:

• Device information (browser type, operating system, device type)
• IP address and approximate location
• Pages visited and time spent on our website
• Referring website or source

2. Cookies and Tracking Technologies

2.1 Types of Cookies We Use

• Essential Cookies: Required for the website to function properly
• Analytics Cookies: Help us understand how visitors interact with our website (we use Plausible Analytics, a privacy-friendly alternative)
• Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness

2.2 Third-Party Tracking

We work with third-party service providers who may use cookies and similar tracking technologies to collect information about your online activities across different websites and services. This information may be used to provide you with interest-based advertising and to analyze the effectiveness of our marketing campaigns.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send promotional communications (with your consent)
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent transactions and other illegal activities
• Personalize and improve your experience

4. How We Share Your Information

We may share your information in the following circumstances:

• Service Providers: With third-party vendors who perform services on our behalf
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• Legal Requirements: When required by law or to protect our rights
• With Your Consent: When you have given us permission to share your information

5. Your Privacy Rights

5.1 General Rights

Depending on your location, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Object to or restrict certain processing activities
• Data portability
• Withdraw consent at any time

5.2 Opt-Out Options

You have several options to control your privacy:

• Marketing Communications: Unsubscribe using the link in any marketing email
• Interest-Based Advertising: Opt out at https://app.retention.com/optout
• Cookies: Adjust your browser settings to refuse or delete cookies

6. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR). We process your personal data based on legitimate interests, contractual necessity, legal obligations, or your consent.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When we no longer need your information, we will securely delete or anonymize it.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy.

10. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

11. Third-Party Links

Our website may contain links to third-party websites and services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.