Privacy Policy
This policy describes what information FlowVista collects, how we protect it, and the rights you have under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
- We store your account and the transactions you upload — nothing else.
- Your data is encrypted at rest and protected by row-level security so only you can read it.
- We never sell your data, share it with advertisers, or use it to train AI.
- You can delete everything, permanently, from Settings → Data → Clear All Data, or by emailing us.
1. Who we are
FlowVista is a Canadian-built personal cashflow dashboard operated by an independent developer based in Ontario, Canada. For the purposes of PIPEDA, we are the accountable organization for any personal information we handle.
Contact: hello@flowvista.app
2. Information we collect
We collect only what we need to run the dashboard for you:
- Account information — email address and password hash (password is never stored in plain text).
- Financial information you upload — transactions from CSV exports, mortgage details from PDF statements, bills and pay periods you add manually, and assets / liabilities you enter on the Net Worth tab.
- Preferences — your theme, category rules, budget targets, and display name.
- Basic usage signals — the app version you last loaded, to prompt you to refresh when we ship updates.
We do not collect banking credentials, connect to your bank via OAuth or open-banking APIs, or use third-party aggregators. The only way financial data enters FlowVista is by you exporting a file from your bank and uploading it yourself.
3. Why we collect it
To show you your own financial data — that's the entire purpose. Specifically:
- Parse and categorize your transactions so the dashboard can render.
- Persist your pay periods, bills, and goals across sessions so you don't have to re-upload.
- Power features you opt into (scenario planning, Ask FlowVista, PDF mortgage parsing).
4. How your data is stored and protected
Your data is stored in a Postgres database operated by Supabase, with the following safeguards:
- Encryption at rest — data is encrypted on disk by the database provider.
- Encryption in transit — all connections use TLS.
- Row-Level Security (RLS) — every query against your transactions, bills, and net-worth rows is filtered by user_id = auth.uid() at the database layer, so no other authenticated user can ever read your records.
- Authentication — handled by Supabase Auth; passwords are hashed and never accessible to FlowVista.
5. Where your data is processed
Our database and authentication provider is Supabase. Your data may be processed on servers located outside Canada (commonly in the United States). This means your information may be subject to the laws of the country in which it is processed, including lawful-access requests by foreign government authorities. By using FlowVista, you consent to this cross-border processing.
6. Who we share your data with
Nobody, by default. Specifically, FlowVista:
- Does not sell your data. Ever.
- Does not run ads or share data with advertising networks.
- Does not use your financial data to train artificial intelligence models.
- Does not share your data with other users, employers, family members, or third parties.
Limited exceptions where we may process or disclose data:
- Service providers we depend on (currently: Supabase for database and auth, Vercel for hosting) — they process data only to deliver the service to you and are bound by their own privacy commitments.
- Ask FlowVista — if you type a question into the Ask tab, the question and a summary of your financial snapshot (income, expenses, categories — never raw transactions, bank names, or account numbers) are sent to the large-language-model provider that answers your question. This is only triggered by you pressing Ask.
- Legal compliance — if compelled by a lawful Canadian court order, we will comply, and will push back on any request that overreaches.
7. Your rights
Under PIPEDA — and consistent with Canada's evolving privacy framework, including the proposed Consumer Privacy Protection Act — you have the right to:
- Access your personal information. You already see all of it when signed in; for a machine-readable copy, use Settings → Data → Export Data to download everything as CSV.
- Correct your personal information. Edit any transaction, bill, category rule, or net-worth entry directly in the app.
- Delete your personal information. Use Settings → Data → Clear All Data to permanently wipe your transactions, bills, and net-worth entries. To delete your account entirely, email hello@flowvista.app and we will remove your account within 14 days.
- Withdraw consent to further processing at any time (subject to your continued use of the service).
- Challenge our compliance — if you believe we have mishandled your information, email us first and we will respond within 30 days. If you are not satisfied, you may file a complaint with the Office of the Privacy Commissioner of Canada.
8. Retention
We keep your data for as long as your account is active. If you delete your data or your account, we remove your records from the live database immediately and from encrypted backups within 30 days.
9. Cookies and local storage
FlowVista uses your browser's localStorage to remember your theme preference, the app version you last loaded, and a few small UI settings. We do not use tracking cookies, analytics pixels, or advertising cookies.
10. Children
FlowVista is not directed at children under 13, and we do not knowingly collect information from them. If you believe a child has created an account, email us and we will remove it.
11. Changes to this policy
If we make material changes to this policy, we will update the "Last updated" date at the top and notify you by email before the change takes effect. Minor wording clarifications may be made without notice.
12. Contact
For any privacy question, request, or complaint, email us at hello@flowvista.app. We aim to respond within 2 business days.