Privacy Policy

Last updated: March 2025

1. Introduction

BoltFlow (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information about you when you use our Service, and describes your rights under applicable data protection laws including the General Data Protection Regulation (GDPR).

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, display name, and password (stored as a hashed credential)
  • Usage data: Tasks, timers, tags, boards, and notes you create within the Service
  • Technical data: IP address, browser type, device identifiers, and log data collected automatically when you access the Service
  • Communication data: Any messages you send to our support team

3. How We Use Your Data

We use your data to:

  • Provide, maintain, and improve the Service
  • Authenticate you and manage your account
  • Send essential service notifications (e.g. security alerts, task reminders)
  • Respond to support enquiries
  • Comply with legal obligations
  • Detect and prevent fraud or abuse

We do not sell your personal data to third parties, nor do we use your data for targeted advertising.

4. Storage & Security

Your data is stored securely using Supabase, a managed PostgreSQL database service with encryption at rest and in transit. The Service is hosted on Vercel. Both providers comply with industry-standard security certifications. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or destruction.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.

6. Your GDPR Rights

If you are located in the European Economic Area, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase your personal data (“right to be forgotten”)
  • Restrict processing of your personal data
  • Receive your data in a structured, machine-readable format (data portability)
  • Object to processing based on legitimate interests
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at legal@boltflow.com.

7. Cookies

We use essential cookies to keep you authenticated and remember your preferences. We do not use advertising or tracking cookies. For full details, see our Cookie Policy.

8. Third-Party Services

We use the following third-party services to operate BoltFlow:

  • Supabase — database, authentication, and file storage
  • Vercel — application hosting and deployment
  • Resend — transactional email delivery
  • Google (Gemini) — AI assistant features (voice and text queries)

Each provider processes data only as necessary to perform its function and is bound by its own privacy policies and data processing agreements.

9. Children’s Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

10. Policy Changes

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page with a revised date. We encourage you to review this policy periodically.

11. Contact

For any privacy-related questions or to exercise your data rights, contact us at legal@boltflow.com.