Security & Trust

This page is maintained by FlowSight to answer common security and privacy questions about the product. It describes controls we operate today and is not an independent certification.

Authentication

You can sign in with an email address and password, or with Sign in with Google. Passwords are hashed at rest and checked against the Have I Been Pwned (HIBP) lists of known-compromised passwords at sign-up and password change.

Sessions use short-lived access tokens with automatic refresh.

Encryption

All traffic is served over TLS. Application data and backups are encrypted at rest by our managed database provider.

Row-level security

Every table that holds customer data enforces row-level security at the database layer. Users can only read and write rows scoped to their own account — the check runs on every query, regardless of which client made it.

Payments

Paddle is our Merchant of Record and handles all payments, tax, invoicing, and refunds. Card details are collected directly by Paddle — they never touch FlowSight servers.

Live and test environments are separated cryptographically: webhooks are verified against environment-specific signing secrets before any subscription state is written.

Bank connections

Bank connections are powered by Plaid, a licensed account information provider. You enter your bank credentials into Plaid's own widget — FlowSight never sees or stores them. Plaid returns a revocable access token which we store server-side and never expose to the browser.

Access is read-only: we can retrieve transactions and balances only. We cannot move money. Disconnecting a bank in Settings revokes the token with Plaid and deletes all imported transactions from your account. In the UK and EEA, consent is renewed every 90 days per PSD2 through Plaid's re-authorisation flow.

Hosting & subprocessors

We use a short list of well-known providers:

  • Cloudflare — application hosting and global edge delivery.
  • Supabase — managed Postgres database and authentication.
  • Paddle — Merchant of Record for payments, tax, and invoicing.
  • Plaid — bank account aggregator (only where you link a bank).
  • Google — AI models used by the Copilot, accessed via the Lovable AI Gateway.

Data handling

We collect only what we need to run the product: account details, your business profile, the transactions you upload, and your Copilot conversations. See the Privacy Notice for the full list, purposes, and retention.

You can delete your account by contacting us; data is removed or anonymized within 30 days, except where retention is legally required.

AI usage

Your prompts and relevant finance context are sent to the AI provider only to produce the response you asked for. Providers used through the Lovable AI Gateway do not train their models on your data.

Reporting a vulnerability

Found something? Email security@flowsight.app. Please give us a reasonable window to fix issues before public disclosure.

Last updated: 7/5/2026