Privacy Policy
Last updated: February 20, 2026
1. Introduction
Flow.0G ("we", "our", or "the Service"), operated by 0G Group, provides a unified document workflow and business operations platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
By using Flow.0G, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address, name, and profile information. If you sign in via Google OAuth, we receive your Google profile information (name, email, profile picture) as authorized by you.
2.2 Service Data
We collect data you provide while using the Service, including:
- Financial documents and bank statements you upload
- Transaction records and matching data
- OKR objectives, key results, and check-in data
- Team and organizational structure information
- Settings and configuration preferences
2.3 Connected Service Data
When you connect third-party services (Gmail, Google Drive, Slack, QuickBooks), we access only the data necessary for the Service to function:
- Gmail (gmail.readonly): Read-only access to search for invoices and documents. We do not read, store, or modify your emails. Search results are cached temporarily and discarded.
- Gmail (gmail.send): Used solely to send system-generated notifications (e.g., check-in reminders) from your account when you opt in.
- Google Drive (drive.file): Access only to files you explicitly open or create through Flow.0G. We cannot access other files in your Drive.
- Slack: Workspace identity linking and notification delivery. We store your Slack user ID for notifications; we do not read your Slack messages.
2.4 Usage Data
We collect anonymized usage data, including page views, feature usage patterns, and performance metrics, to improve the Service.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Authenticate your identity and manage your account
- Process and match financial documents
- Deliver notifications and reminders you configure
- Enforce security policies and prevent unauthorized access
- Comply with legal obligations
4. Data Storage and Security
Your data is stored in Supabase-hosted PostgreSQL databases with row-level security (RLS) policies ensuring complete isolation between organizations. Sensitive credentials (OAuth tokens, API keys) are encrypted using Supabase Vault.
We implement industry-standard security measures, including:
- Encryption in transit (TLS 1.2+) and at rest
- Row-level security for multi-tenant data isolation
- Encrypted token storage via Supabase Vault
- 24-hour session timeouts with automatic sign-out
- Rate limiting on sensitive operations
5. Third-Party Sharing
We do not sell your personal data. We share data only with:
- Infrastructure providers: Supabase (database), Vercel (hosting), Resend (email delivery) — all bound by data processing agreements.
- Connected services: Only data necessary for integrations you explicitly authorize (Google, Slack, QuickBooks).
- Legal requirements: When required by law or to protect our rights.
6. Data Retention
Your data is retained for as long as your account is active. When you disconnect a service, associated tokens are immediately revoked and deleted. When you delete your account or are removed from an organization, all your data is permanently deleted within 30 days.
7. Your Rights
You have the right to:
- Access and export your data
- Correct inaccurate information
- Delete your account and associated data
- Disconnect third-party services at any time
- Opt out of non-essential notifications
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
9. Contact
For privacy-related questions, contact us at privacy@0g.ai.