Privacy, security & law
In NGOs, educational institutions, associations, and civil society especially, the question is a fair one: “Are we even allowed to use this — and what happens to our participants’ data?” flow present is built precisely for this kind of work. This page answers the most important legal questions in plain language, so you can make a decision with a clear conscience.
Who is responsible for what?
Section titled “Who is responsible for what?”This is the central question — and the answer is clearly defined.
When you run a workshop with flow present and collect personal data from participants (such as poll responses or uploaded files), you are the controller within the meaning of the GDPR. flow present processes this data on your behalf — as a processor under Art. 28 GDPR. That’s exactly what the DPA is for (see below).
For the pure account data of using the service (sign-in email, profile, billing), flow present is itself the controller; the privacy policy applies to that.
| Type of data | Controller | Basis |
|---|---|---|
| Participant data in the workshop (polls, uploads, names) | Your organization | Data processing (DPA, Art. 28) |
| Your team’s workshop content (briefing, slides, plan) | Your organization | Data processing (DPA, Art. 28) |
| Account data (sign-in email, profile, billing) | flow present | our own privacy policy |
The Data Processing Agreement (DPA)
Section titled “The Data Processing Agreement (DPA)”The DPA is the document your data protection officers want to see — and flow present makes it available for every plan, including the free one. You generate a PDF personalized to your organization yourself, in minutes; the details you enter are used solely in the PDF and stored nowhere.
The agreement (currently version 1, June 2026) covers everything Art. 28 GDPR requires:
- Subject matter, nature, and purpose of the processing, plus data categories and the persons concerned (Annex 1).
- Binding instructions — processing takes place only on your instruction; contractual use counts as a documented instruction.
- Technical and organizational measures under Art. 32 GDPR (Annex 2) — encryption, access and separation controls, pseudonymization, and more.
- Data breach notification, as a rule within 48 hours of becoming aware.
- Sub-processors under general authorization with a 14-day right to object (Annex 3).
- Deletion and return at the end of the contract, plus audit and verification rights.
For a step-by-step guide on how to get the PDF, see Download the DPA.
Where is the data stored? Hosting & sub-processors
Section titled “Where is the data stored? Hosting & sub-processors”Processing generally takes place within the EU or the EEA. These are the core sub-processors that process data on our behalf:
| Service | Function | Location | Basis |
|---|---|---|---|
| Supabase | Database, sign-in, file storage, real-time | EU – Frankfurt (AWS eu-central-1), ISO 27001 | DPA under Art. 28; SCCs / EU-US Data Privacy Framework for any US access |
| Vercel | Application hosting; access logs (max. 30 days) | EU-region routing | DPA; SCCs / DPF |
| Sentry | Error and stability monitoring | EU region (Frankfurt/Germany) | DPA; IP transmission disabled |
All data is encrypted in transit via TLS and rests encrypted at the infrastructure level (AWS eu-central-1, Frankfurt). There is no physical server operation of our own.
For real-time collaboration (briefing, minutes, group pads), live translation, and AI import, we run our own services (Hocuspocus, LibreTranslate, Ollama) on a server in Germany. These process content only transiently; permanent storage is exclusively in Supabase.
Optional services that are triggered only by a deliberate action of yours — and therefore only see data then: Stripe (payment for paid plans), Unsplash (image search), and Open-Meteo (weather variable, no personal data). The current list is Annex 3 of the DPA.
Data minimization is built in
Section titled “Data minimization is built in”flow present deliberately processes as little as possible (Art. 25 GDPR, data protection by design):
- At registration, only the email address is stored. Login runs passwordless via magic link — no passwords are stored.
- No usage profiles for advertising purposes, no passing data to advertisers, no third-party tracking pixels.
- For product improvement, we use PostHog exclusively on EU servers, without cookies, without cross-device merging — the data never leaves the browser’s transient memory.
How your participants are protected
Section titled “How your participants are protected”Participants open the link or scan the QR code — with no account and no app. Their responses to polls, scales, free text, and word clouds are stored via a random, device-bound key that is not linked to a user account. This makes the responses pseudonymous (several responses from the same device can be connected, but cannot be attributed to a person).
And: participants see exactly what you release — slides, file area, live translation, minutes, polls. You control the scope yourself.
AI import: runs on our own server
Section titled “AI import: runs on our own server”Importing PPTX/PDF/DOC into a session plan uses a local AI model on our own server in Germany (Ollama) — not OpenAI, Google, or other US AI clouds. Your documents are therefore not sent to an external AI provider. The result is always only a suggestion for preview and correction, never an automatic direct import. For everyone who rightly takes a close look at “AI”: processing stays within your data sovereignty here.
Live translation: without Big Tech
Section titled “Live translation: without Big Tech”Live translation uses the open-source LibreTranslate on our own EU server in Germany — not Google Translate, DeepL, or the like. The slide content never leaves our infrastructure. It’s a machine translation meant for general orientation, not for legally binding contexts.
Cookies: no banner needed
Section titled “Cookies: no banner needed”flow present uses only strictly necessary elements: a session cookie (httpOnly, Secure)
for sign-in and localStorage for settings (e.g., theme) as well as the pseudonymous
participant key. Analytics (PostHog) too works without cookies and without storing anything
on the device. Because only information strictly necessary for operation is stored on or
retrieved from the device, no cookie banner is required (§ 25(2) TDDDG, formerly TTDSG).
Deletion, export & data subject rights
Section titled “Deletion, export & data subject rights”- Delete account: at any time yourself in the settings under “Profile” — deletion is immediate (personal organizations, including content and files, are removed; you leave shared organizations).
- Export: you can export your data yourself at any time during the term of the contract.
- Data subject rights of participants (access, rectification, deletion, restriction, portability, objection) are supported technically by flow present; requests that reach us directly we forward to you as the controller.
- Statutory retention obligations (above all billing data) remain unaffected.
Privacy contact: datenschutz@flowpresent.org. We answer requests under Art. 12 GDPR within one month.
For your privacy documentation
Section titled “For your privacy documentation”You can use these building blocks directly for your record of processing activities (Art. 30) and any data protection impact assessment:
- the personalized DPA as a PDF, including data categories, TOMs, and sub-processors — generatable on the DPA page (guide),
- the list of sub-processors (Annex 3) — in the DPA and in the privacy policy,
- the technical and organizational measures (Annex 2) — in the DPA,
- the public privacy policy and this page.
Common questions
Section titled “Common questions”Yes, as soon as you process third parties’ personal data via flow present (e.g., participant responses), you need a DPA. That’s exactly why it’s available for every plan — free included. You download the personalized PDF yourself.
Yes. Database, sign-in, and files are stored at Supabase on EU servers in Frankfurt (AWS eu-central-1, ISO 27001). Real-time collaboration, translation, and AI import run on our own server in Germany. For any US access by the providers, EU Standard Contractual Clauses or the EU-US Data Privacy Framework apply.
No. AI import runs on our own model in Germany and serves solely to turn an uploaded document into a draft plan. There is no passing of data to external AI providers and no training with your content.
No. No account and no sign-up are required. Responses are stored pseudonymously via a device-bound random key — with no link to a person.
Not for flow present itself — only strictly necessary cookies are set. Whatever else runs on your own website is for you to assess as usual.
You delete your account and personal organizations yourself in the settings — immediately. Alternatively, by email to datenschutz@flowpresent.org. Statutory retention obligations for billing data remain unaffected.
Still have a question? Write to us — we’re happy to add it to the FAQ.
Frage nicht dabei?
Schreib uns kurz — wir melden uns per E-Mail.