Privacy Policy

Effective Date: March 1, 2026

Last Updated: March 18, 2026

Sonat LLC ("Sonat," "we," "us," or "our") operates the FlowKoi platform (the "Service"), an AI workflow automation application available at flowkoi.com. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By accessing or using FlowKoi, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information provided through your Google account used for authentication, including:

  • Email address
  • Display name
  • Profile photo URL

1.2 Workflow Files and Artifacts

When you create and manage workflows, we collect and store:

  • Workflow definition files (CLAUDE.md, workflow.md)
  • Claude CLI configuration files (.claude/ directory contents)
  • Tool scripts and utilities (tools/ directory contents)
  • Any other files you include in your workflow artifacts

1.3 Environment Variables and Credentials

When you configure environment variables for your workflows, we collect and store:

  • Environment variable names and values stored in .env files
  • API tokens, keys, and other credentials you provide for workflow execution
  • Claude CLI authentication tokens (OAuth credentials)

Your .env files, API tokens, and credentials are encrypted at rest and in transit. These values are injected into your workflow's isolated container at execution time and are never exposed to other users, other workflows, or any third party. We treat all environment variables and credentials as highly sensitive data.

1.4 Execution Data

When workflows are executed, we collect:

  • Terminal output and command history from Claude CLI sessions
  • Execution status, timestamps, and duration
  • Files created or modified during execution (synced as artifacts)
  • Execution logs and error information

1.5 Technical and Diagnostic Data

When you use the Service, we may collect:

  • Browser type and version (user agent)
  • Application error logs and network request failures

1.6 Contact Information

When you use our contact form, we collect your name, email address, stated reason for contacting us, and your message.

1.7 Automatically Collected Information

We store a minimal amount of data locally in your browser to improve your experience. We do not use tracking cookies, advertising cookies, or third-party analytics services.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the FlowKoi platform
  • Authenticate your identity and manage your account
  • Execute workflows in isolated Docker containers
  • Sync workflow files and artifacts between cloud storage and containers
  • Inject environment variables and credentials into execution containers
  • Display execution history, logs, and terminal output
  • Schedule and trigger automated workflow runs
  • Respond to your inquiries and support requests
  • Diagnose technical issues and improve application stability
  • Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information. We share your data only with the following categories of third-party service providers, solely to operate and deliver the Service:

3.1 Authentication

Google Firebase Authentication: We use Firebase Authentication to manage sign-in. Your email and profile information are processed by Google in accordance with Google's Privacy Policy.

3.2 Cloud Infrastructure

Google Cloud Platform (Firestore and Cloud Run): Your account data, workflow files, artifacts, and execution metadata are stored in Google Cloud Firestore. Workflow containers run on Google Cloud Run. All data is encrypted at rest and in transit by Google Cloud's infrastructure.

3.3 AI Execution

Anthropic (Claude CLI): FlowKoi executes Claude CLI using your own Claude subscription. You authenticate with your Claude account, and the CLI runs inside your isolated container. We do not have access to the content of your Claude conversations or the AI-generated outputs beyond what is stored in your workflow artifacts. Your Claude authentication tokens are encrypted and used solely to authorize CLI execution on your behalf.

3.4 Support and Bug Reports

GitHub: Bug reports and contact form submissions may be stored as issues in a private GitHub repository for our internal tracking. These submissions may include your name, email, and diagnostic information.

3.5 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency).

4. Security of Your Files and Data

We take the security of your files, credentials, and data seriously:

  • Environment variables and .env files: All API tokens, keys, and credentials stored in .env files are encrypted at rest in Firestore and encrypted in transit via HTTPS/TLS. They are only decrypted and injected into your isolated container at execution time.
  • Workflow files: All files in your workflows (CLAUDE.md, tools, configuration) are private to your account. No other user can access your workflow files or artifacts.
  • Container isolation: Every workflow execution runs in its own isolated Docker container. Containers have no access to other users' data, other workflows, or the host system. Containers are destroyed after execution completes.
  • Signed authentication tokens: Communication between the main application and the execution service uses cryptographically signed JSON Web Tokens (JWTs). The execution service never has direct database access.
  • Output files: Files generated in the designated output directory during execution are available for your review but are not permanently synced as artifacts unless configured to do so.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service to you. If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

Workflow artifacts and execution history are retained for as long as your account is active. Upon account deletion, all workflow files, artifacts, execution logs, and stored credentials are permanently deleted.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information, subject to legal retention requirements
  • Export your workflow files and data
  • Withdraw consent for data processing where consent is the legal basis
  • Revoke your Claude authentication at any time through the application

To exercise any of these rights, please contact us at support@flowkoi.com.

7. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information — we do not sell your personal information
  • The right to non-discrimination for exercising your privacy rights

To submit a request, email us at support@flowkoi.com with the subject line "CCPA Request."

8. Children's Privacy

FlowKoi is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and third-party service providers are located. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to these countries.

10. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us: