Privacy Policy
Last updated: 17 June 2026
1. Who we are
This service, the Flow State Deal Guidance System, is operated by Flow State Sales (“we”). For the personal data of a customer’s own users and their prospects, we act as a processor on behalf of the customer organisation, which is the controller of that data. For data about our own account holders and the operation of the service, we act as a controller. You can reach us, including for any EU/UK representative matter, at privacy@flowstatesales.com.
2. Who this notice covers
This notice applies to two categories of person:
- Platform users — your organisation’s sales staff (sellers, managers, leaders, account admins) who sign in to use the service.
- Prospects / third parties whose details are entered by platform users — including a named economic buyer (name and email), customer company, deal value, and free-text notes.
If you are a prospect and received no direct notice, your details were provided to us by the customer organisation that uses this service; see “Your rights” below.
3. What data we collect
From platform users: work email, name, role, account/team membership, sign-in/session data, feedback you submit, and usage/navigation telemetry.
Prospect data entered by platform users: economic-buyer name and email, customer company, deal name/value/close date, MEDDIC/MEDDPICC scorecard responses and free-text notes, the forced-rationalisation transcript, and uploaded proof files.
Do not enter special-category data (Art 9) or sensitive personal information into free-text fields.
4. Why we use it (purposes)
- Authenticate and operate the service.
- Deal qualification scoring.
- AI-generated coaching on weak qualification dimensions.
- The forced-rationalisation honesty check.
- Team roll-up reporting.
- Transactional and digest emails.
- Product support and debugging (feedback widget).
- Security and abuse prevention.
5. Lawful bases (GDPR)
We rely on contract (Art 6(1)(b)) to operate the service for platform users; on legitimate interests (Art 6(1)(f)) for prospect data and product analytics, subject to a balancing test; and, where we act as a processor, on the customer’s lawful basis as it flows down to us. We do not rely on consent for core processing.
6. Automated decision-making and profiling (Art 22 — read this if you are a rep)
The service includes an AI “forced rationalisation” check. When you assert a qualification claim, an AI model evaluates whether your claim appears supported by the evidence you provided and may label it weak or unproven. That assessment (the verdict) is stored and shown to your manager. It supports performance coaching. A human manager reviews the result — it is a genuine human assessment, not a fully automated decision.
You can contest or request review of any AI assessment by contacting privacy@flowstatesales.com or your manager. We disclose this so it is clear that an AI evaluates and may flag your claims.
7. Who we share it with (subprocessors)
We share personal data with the following subprocessors. A current list with regions and transfer mechanisms is also published at /subprocessors.
| Subprocessor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU — AWS eu-central-1 (Frankfurt, Germany) | Intra-EU — no international transfer |
| OpenRouter | AI model gateway (routes coaching / rationalisation payloads to the model host) | United States | SCCs / UK IDTA (EU-US DPF where certified) |
| Anthropic (Claude Sonnet 4.6, via OpenRouter) | AI model inference (coaching, forced-rationalisation verdicts, deal summaries / analytics / proposals) | United States | SCCs / DPF — zero data retention, no training on inputs |
| Resend | Transactional and digest email | United States (EU sending domain pending) | SCCs / DPF |
| Sentry | Error monitoring | EU — Germany (*.ingest.de.sentry.io) | Intra-EU — no international transfer |
| Vercel | Application hosting and compute | United States (EU region pin pending) | SCCs / DPF |
We give customers at least 30 days’ notice before adding or replacing a subprocessor that processes personal data.
8. International transfers
Our database (Supabase, Frankfurt) and error monitoring (Sentry, Germany) keep data in the EU. Some subprocessors — notably the AI model gateway and model host, and currently our hosting/compute and email providers — process data in the United States. Where they do, transfers are safeguarded by Standard Contractual Clauses, the UK IDTA/Addendum, and/or the EU-US Data Privacy Framework and UK Data Bridge where the importer is certified. See the subprocessor table above for each importer’s mechanism.
9. How long we keep it (retention)
We keep personal data only as long as needed for the purposes above:
- Account and profile data — for the life of the engagement plus up to 12 months.
- Deal, scorecard and forced-rationalisation data — up to 24 months after the deal is closed or deleted.
- AI outputs and uploaded proof files — up to 180 days after generation.
- Feedback — up to 12 months.
We delete or anonymise data when it is no longer needed, and on a valid erasure request.
10. Your rights
GDPR / UK GDPR: access, rectification, erasure, restriction, portability, and objection (including objection to legitimate-interests profiling), plus the right to complain to the UK Information Commissioner’s Office (ICO) or your local EU supervisory authority.
CPRA (California): the right to know/access, delete, correct, and to opt out of sale/sharing, plus non-discrimination.
To exercise any right, contact privacy@flowstatesales.com. We respond within one month. Prospects may also contact the customer organisation that provided their details.
11. CPRA notice-at-collection (California consumers)
Categories of personal information collected: identifiers (names, emails), commercial information (deal/company data), internet/usage activity, and inferences from AI coaching. Purposes: as in “Why we use it” above. We do not sell personal information for money, and we do not consider our disclosures to service-provider subprocessors to be a “sale” or “share”. If that ever changes, we will provide a “Do Not Sell or Share My Personal Information” mechanism. Retention: see “How long we keep it”.
12. Cookies
We use only strictly-necessary functional cookies (your sign-in session and, for admins, an impersonation session cookie). We use no advertising or third-party tracking cookies. If analytics or tracking is added later, we will add a consent mechanism first.
13. Changes and contact
We will post changes here and update the “Last updated” date. Questions: privacy@flowstatesales.com.