Skip to content

Privacy, security & law

In NGOs, educational institutions, associations, and civil society especially, the question is a fair one: “Are we even allowed to use this — and what happens to our participants’ data?” flow present is built precisely for this kind of work. This page answers the most important legal questions in plain language, so you can make a decision with a clear conscience.

This is the central question — and the answer is clearly defined.

When you run a workshop with flow present and collect personal data from participants (such as poll responses or uploaded files), you are the controller within the meaning of the GDPR. flow present processes this data on your behalf — as a processor under Art. 28 GDPR. That’s exactly what the DPA is for (see below).

For the pure account data of using the service (sign-in email, profile, billing), flow present is itself the controller; the privacy policy applies to that.

Type of dataControllerBasis
Participant data in the workshop (polls, uploads, names)Your organizationData processing (DPA, Art. 28)
Your team’s workshop content (briefing, slides, plan)Your organizationData processing (DPA, Art. 28)
Account data (sign-in email, profile, billing)flow presentour own privacy policy

The DPA is the document your data protection officers want to see — and flow present makes it available for every plan, including the free one. You generate a PDF personalized to your organization yourself, in minutes; the details you enter are used solely in the PDF and stored nowhere.

The agreement (currently version 1, June 2026) covers everything Art. 28 GDPR requires:

  • Subject matter, nature, and purpose of the processing, plus data categories and the persons concerned (Annex 1).
  • Binding instructions — processing takes place only on your instruction; contractual use counts as a documented instruction.
  • Technical and organizational measures under Art. 32 GDPR (Annex 2) — encryption, access and separation controls, pseudonymization, and more.
  • Data breach notification, as a rule within 48 hours of becoming aware.
  • Sub-processors under general authorization with a 14-day right to object (Annex 3).
  • Deletion and return at the end of the contract, plus audit and verification rights.

For a step-by-step guide on how to get the PDF, see Download the DPA.

Where is the data stored? Hosting & sub-processors

Section titled “Where is the data stored? Hosting & sub-processors”

Processing generally takes place within the EU or the EEA. These are the core sub-processors that process data on our behalf:

ServiceFunctionLocationBasis
SupabaseDatabase, sign-in, file storage, real-timeEU – Frankfurt (AWS eu-central-1), ISO 27001DPA under Art. 28; SCCs / EU-US Data Privacy Framework for any US access
VercelApplication hosting; access logs (max. 30 days)EU-region routingDPA; SCCs / DPF
SentryError and stability monitoringEU region (Frankfurt/Germany)DPA; IP transmission disabled

All data is encrypted in transit via TLS and rests encrypted at the infrastructure level (AWS eu-central-1, Frankfurt). There is no physical server operation of our own.

For real-time collaboration (briefing, minutes, group pads), live translation, and AI import, we run our own services (Hocuspocus, LibreTranslate, Ollama) on a server in Germany. These process content only transiently; permanent storage is exclusively in Supabase.

Optional services that are triggered only by a deliberate action of yours — and therefore only see data then: Stripe (payment for paid plans), Unsplash (image search), and Open-Meteo (weather variable, no personal data). The current list is Annex 3 of the DPA.

flow present deliberately processes as little as possible (Art. 25 GDPR, data protection by design):

  • At registration, only the email address is stored. Login runs passwordless via magic linkno passwords are stored.
  • No usage profiles for advertising purposes, no passing data to advertisers, no third-party tracking pixels.
  • For product improvement, we use PostHog exclusively on EU servers, without cookies, without cross-device merging — the data never leaves the browser’s transient memory.

Participants open the link or scan the QR code — with no account and no app. Their responses to polls, scales, free text, and word clouds are stored via a random, device-bound key that is not linked to a user account. This makes the responses pseudonymous (several responses from the same device can be connected, but cannot be attributed to a person).

And: participants see exactly what you release — slides, file area, live translation, minutes, polls. You control the scope yourself.

Importing PPTX/PDF/DOC into a session plan uses a local AI model on our own server in Germany (Ollama) — not OpenAI, Google, or other US AI clouds. Your documents are therefore not sent to an external AI provider. The result is always only a suggestion for preview and correction, never an automatic direct import. For everyone who rightly takes a close look at “AI”: processing stays within your data sovereignty here.

Live translation uses the open-source LibreTranslate on our own EU server in Germany — not Google Translate, DeepL, or the like. The slide content never leaves our infrastructure. It’s a machine translation meant for general orientation, not for legally binding contexts.

flow present uses only strictly necessary elements: a session cookie (httpOnly, Secure) for sign-in and localStorage for settings (e.g., theme) as well as the pseudonymous participant key. Analytics (PostHog) too works without cookies and without storing anything on the device. Because only information strictly necessary for operation is stored on or retrieved from the device, no cookie banner is required (§ 25(2) TDDDG, formerly TTDSG).

  • Delete account: at any time yourself in the settings under “Profile” — deletion is immediate (personal organizations, including content and files, are removed; you leave shared organizations).
  • Export: you can export your data yourself at any time during the term of the contract.
  • Data subject rights of participants (access, rectification, deletion, restriction, portability, objection) are supported technically by flow present; requests that reach us directly we forward to you as the controller.
  • Statutory retention obligations (above all billing data) remain unaffected.

Privacy contact: datenschutz@flowpresent.org. We answer requests under Art. 12 GDPR within one month.

You can use these building blocks directly for your record of processing activities (Art. 30) and any data protection impact assessment:

  • the personalized DPA as a PDF, including data categories, TOMs, and sub-processors — generatable on the DPA page (guide),
  • the list of sub-processors (Annex 3) — in the DPA and in the privacy policy,
  • the technical and organizational measures (Annex 2) — in the DPA,
  • the public privacy policy and this page.
Do we really need a DPA — even on the free plan?

Yes, as soon as you process third parties’ personal data via flow present (e.g., participant responses), you need a DPA. That’s exactly why it’s available for every plan — free included. You download the personalized PDF yourself.

Is the data stored in the EU?

Yes. Database, sign-in, and files are stored at Supabase on EU servers in Frankfurt (AWS eu-central-1, ISO 27001). Real-time collaboration, translation, and AI import run on our own server in Germany. For any US access by the providers, EU Standard Contractual Clauses or the EU-US Data Privacy Framework apply.

Is workshop content used for AI training?

No. AI import runs on our own model in Germany and serves solely to turn an uploaded document into a draft plan. There is no passing of data to external AI providers and no training with your content.

Do participants have to reveal any of their data?

No. No account and no sign-up are required. Responses are stored pseudonymously via a device-bound random key — with no link to a person.

Do we need a cookie banner if we embed flow present?

Not for flow present itself — only strictly necessary cookies are set. Whatever else runs on your own website is for you to assess as usual.

How quickly is data deleted?

You delete your account and personal organizations yourself in the settings — immediately. Alternatively, by email to datenschutz@flowpresent.org. Statutory retention obligations for billing data remain unaffected.

Still have a question? Write to us — we’re happy to add it to the FAQ.

Frage nicht dabei?

Schreib uns kurz — wir melden uns per E-Mail.

Öffnet dein E-Mail-Programm mit vorausgefüllter Nachricht an support@flowpresent.org.