Last Updated: February 28, 2025
This Privacy Policy ("Policy") describes how Midnight Coders, Inc. ("Company," "we," "us," or "our"), a Texas corporation, collects, uses, discloses, and protects information in connection with the FlowRunner platform and related services (the "Service") available at flowrunner.ai.
This Policy applies to all visitors to our website, registered account holders, authorized users, and any individuals whose personal information is processed through the Service. It applies to both our cloud-hosted and self-hosted deployment options, though data handling responsibilities differ based on deployment model as described in Section 10.
Capitalized terms not defined in this Policy have the meanings given to them in our Terms of Service, available at flowrunner.ai/terms.
With respect to personal data, we operate in two distinct capacities:
As a data controller: We determine the purposes and means of processing your Account Data (registration information, billing details, usage analytics, and communications with us). Sections 2 through 9 of this Policy describe our controller activities.
As a data processor: When you use the Service to process your own data through Workflows, AI Agents, and Human-in-Loop interactions, we act as a processor on your behalf. You, as the Customer, are the controller of that data. Section 10 describes our processor obligations.
When you register for an account, we collect:
(a) Identity information: Full name, corporate email address;
(b) Authentication credentials: Password (stored in hashed form) and, where applicable, single sign-on tokens from identity providers (Okta, Azure AD, Google Workspace);
(c) Billing information: We do not collect or store payment card numbers, expiration dates, or billing addresses. All payment processing is handled entirely by Stripe, Inc., our third-party payment processor. We receive only a transaction confirmation and Stripe customer identifier - no payment card details ever touch our systems.
(d) Account preferences: Notification settings, Subscription Plan selection, and feature configurations.
We automatically collect information about how you interact with the Service:
(a) Platform activity: Workflows created, Executions run, AI Agents configured, features used, errors encountered, and performance metrics;
(b) Device and access information: IP address, browser type and version, operating system, device identifiers, referring URL, pages visited, and access timestamps;
(c) Execution metadata: Workflow execution start and end times, Running Time consumed, Waiting Time periods, execution status (success, failure, paused), and Execution counts against tier limits.
When you contact us or we contact you, we collect:
(a) Support communications: Emails, chat messages, and support tickets, including any attachments or screenshots you provide;
(b) Sales communications: Records of discovery calls, demo sessions, and business correspondence.
We use cookies and similar technologies as described in Section 7.
We do not intentionally collect:
(a) Personal information from individuals under 18 years of age;
(b) Social Security numbers, government-issued identification numbers, or biometric data;
(c) Information from personal email accounts - account registration requires a corporate email address.
Customer Content is data that you, as a Customer, transmit through or store within the Service through your Workflows, AI Agents, and Human-in-Loop interactions. We process Customer Content on your behalf as a data processor. We do not determine the categories or types of personal information contained in Customer Content - you do. See Section 10 for our processor obligations regarding Customer Content.
We use your Account Data and Usage Data to:
(a) Create and manage your account;
(b) Authenticate your access and enforce role-based access controls;
(c) Process payments and manage billing;
(d) Deliver the Service, including Workflow execution, AI Agent orchestration, and Human-in-Loop communications;
(e) Monitor and enforce Subscription Plan limits (Execution counts, Running Time, concurrent Executions);
(f) Provide customer support and respond to inquiries.
We use Usage Data in aggregated and anonymized form to:
(a) Analyze platform performance and identify areas for improvement;
(b) Understand feature adoption patterns and usage trends;
(c) Develop new features and capabilities;
(d) Conduct internal research and analytics.
We do not use Customer Content for product development, model training, or any purpose other than providing the Service to you.
We use your contact information to:
(a) Send transactional notifications (account confirmation, password resets, Execution limit warnings, credit depletion alerts, billing receipts);
(b) Notify you of material changes to the Service, this Policy, or our Terms of Service;
(c) Send product updates, feature announcements, and educational content (you may opt out of non-transactional communications at any time);
(d) Respond to your support requests and inquiries.
We use Account Data, Usage Data, and Device and Access Information to:
(a) Detect and prevent fraud, abuse, and unauthorized access;
(b) Monitor for security threats and vulnerabilities;
(c) Enforce our Terms of Service and Acceptable Use policies;
(d) Comply with legal obligations and respond to lawful requests.
We do not:
(a) Sell your personal information to third parties;
(b) Share your personal information for third-party advertising purposes;
(c) Use Customer Content for AI model training, product development, or any purpose beyond providing the Service;
(d) Use personal information for automated decision-making that produces legal or similarly significant effects without human involvement.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
Performance of a contract (Article 6(1)(b)): Processing your Account Data to provide the Service, manage your subscription, process payments, and deliver support. This is the primary basis for most processing activities.
Legitimate interests (Article 6(1)(f)): Processing Usage Data for security, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights. Our legitimate interests include operating and improving the Service, protecting against misuse, and understanding how the Service is used.
Consent (Article 6(1)(a)): Processing for non-essential cookies, marketing communications, and any other activities for which we specifically request your consent. You may withdraw consent at any time.
Legal obligation (Article 6(1)(c)): Processing required to comply with applicable laws, regulations, court orders, or governmental requests.
We do not sell your personal information. We share personal information only in the following circumstances:
We engage the following third-party service providers to help us deliver the Service. These providers process data only on our instructions and are bound by contractual data protection obligations:
DigitalOcean - Cloud infrastructure hosting. Data processed: All data stored in the Service (encrypted at rest).
Stripe, Inc. - Payment processing. Data processed: Transaction confirmations, Stripe customer identifiers (no payment card data).
MailerSend - Transactional email delivery. Data processed: Email addresses, notification content.
Alphabet, Inc. - Website analytics. Data processed: Device/access info, anonymized usage patterns.
We maintain a current list of sub-processors at flowrunner.ai/sub-processors. We will notify you at least thirty (30) days before adding a new sub-processor that processes Customer Content, as described in our Terms of Service.
When you provide your own API keys for third-party AI services (the BYOK model), data from your Workflows is transmitted directly to those third-party services using your credentials. We do not control, monitor, or have visibility into data transmitted to third-party AI providers through your API keys. Your use of those services is governed by your own agreements with those providers. We recommend reviewing the privacy policies of any AI service you integrate.
When your Workflows use Human-in-Loop features, communications are transmitted through third-party channels (email infrastructure, Slack, WhatsApp, telephone carriers). We facilitate the delivery of these communications on your behalf but do not independently collect or retain the personal information of Human-in-Loop recipients beyond what is necessary to deliver the communication and maintain audit logs where enabled.
We may disclose personal information if required to do so by law, or in the good-faith belief that such disclosure is necessary to:
(a) Comply with a legal obligation, court order, subpoena, or governmental request;
(b) Protect and defend our rights or property;
(c) Prevent or investigate possible wrongdoing in connection with the Service;
(d) Protect the personal safety of users of the Service or the public.
If Midnight Coders, Inc. is involved in a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your personal information becomes subject to a different privacy policy.
We may share your personal information for other purposes with your explicit consent.
If you engage Midnight Flow consulting services, relevant Account Data and project information may be shared between the FlowRunner platform team and Midnight Flow consultants to deliver the consulting engagement. This sharing is governed by your consulting agreement with Midnight Flow.
We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law. Specific retention periods are:
Account Data - Duration of active subscription + 30 days. Basis: Contract performance; 30-day reactivation window per ToS.
Billing records - 7 years after transaction. Basis: Tax and financial reporting obligations.
Execution logs (Growth) - 7 days. Basis: Per Subscription Plan.
Audit trails (Professional) - 30 days. Basis: Per Subscription Plan.
Audit trails (Business) - 90 days. Basis: Per Subscription Plan.
Audit trails (Enterprise) - Unlimited, configurable. Basis: Per Enterprise agreement.
Customer Content (post-termination) - 30 days active + 90 days in encrypted backups. Basis: Per ToS Section 8.4.
Usage Data (aggregated) - Indefinite, anonymized. Basis: Legitimate interest in service improvement.
Support correspondence - 3 years after resolution. Basis: Legitimate interest; legal defense.
Cookie data - See Section 7. Basis: Per cookie category.
After the applicable retention period, we delete or anonymize personal information. You may request earlier deletion subject to our legal retention obligations (see Section 8).
Strictly Necessary Cookies: Required for the Service to function (session management, authentication, security tokens). These cannot be disabled. Duration: session or up to 30 days for "keep me signed in."
Functional Cookies: Remember your preferences (language, notification settings, interface customizations). Duration: up to 12 months.
Analytics Cookies: Help us understand how visitors interact with our website and Service (page views, navigation patterns, feature usage). Duration: up to 24 months.
Marketing Cookies: Used to track visitors across websites for the purpose of displaying relevant advertisements. Duration: up to 12 months.
When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies (functional, analytics, and marketing). Strictly necessary cookies do not require consent. You can change your cookie preferences at any time through our cookie settings page at flowrunner.ai/cookie-preferences.
We currently do not respond to "Do Not Track" browser signals, as there is no industry-standard interpretation of these signals. We will update this Policy if a standard emerges that we decide to follow.
Marketing cookies and remarketing pixels operate only on our marketing website (flowrunner.ai public pages). We do not deploy marketing cookies, remarketing pixels, or third-party advertising trackers within the authenticated FlowRunner application environment. This separation is maintained to protect the privacy of Customer Content and to support our customers' compliance requirements.
Regardless of your location, you may:
(a) Access your personal information by logging into your Account settings;
(b) Update or correct your Account Data through your Account settings;
(c) Delete your account by contacting support@flowrunner.ai or through Account settings;
(d) Opt out of marketing communications by clicking the unsubscribe link in any marketing email or updating your notification preferences;
(e) Export your data (Workflows, configurations) through the Service's built-in export features.
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights under GDPR:
(a) Right of access (Article 15): Request a copy of all personal data we hold about you in a structured, commonly used, machine-readable format;
(b) Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data;
(c) Right to erasure (Article 17): Request deletion of your personal data, subject to our legal retention obligations;
(d) Right to restriction (Article 18): Request that we restrict processing of your personal data in certain circumstances;
(e) Right to data portability (Article 20): Receive your personal data in a machine-readable format and transmit it to another controller;
(f) Right to object (Article 21): Object to processing based on legitimate interests, including profiling;
(g) Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing performed before withdrawal;
(h) Right to lodge a complaint: File a complaint with your local data protection supervisory authority.
We will respond to GDPR requests within thirty (30) days. If we require additional time (up to an additional sixty days for complex requests), we will inform you of the extension and the reasons for the delay.
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide the following rights:
(a) Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it;
(b) Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions;
(c) Right to correct: You may request correction of inaccurate personal information;
(d) Right to opt out of sale or sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary, but we honor Global Privacy Control (GPC) signals as a valid opt-out request;
(e) Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
We will respond to verified CCPA requests within forty-five (45) days. You may submit requests up to twice per twelve-month period.
The Texas Data Privacy and Security Act (TDPSA) provides Texas residents with rights including access, correction, deletion, data portability, and the right to opt out of targeted advertising, sale of personal data, and profiling. We honor these rights consistent with the procedures described above.
To exercise any of the rights described above, contact us at:
Email: privacy@flowrunner.ai
Mail: Midnight Coders, Inc., Attn: Privacy, 539 W. Commerce St, Suite 2023, Dallas, TX 75208
We may need to verify your identity before processing your request. For account holders, we will verify through your authenticated Account. For non-account holders, we may request additional information to confirm your identity.
If you are a Customer exercising rights regarding personal data contained within your Customer Content (i.e., data processed through your Workflows), you should use the Service's built-in tools to access, export, correct, or delete that data directly, as you are the data controller for Customer Content.
We implement reasonable administrative, technical, and organizational security measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
(a) Encryption in transit: All data transmitted between your browser and the Service is encrypted using TLS 1.2 or higher;
(b) Encryption at rest: Customer Content and sensitive Account Data are encrypted at rest using AES-256 or equivalent encryption;
(c) Access controls: Internal access to personal data is restricted to authorized personnel on a need-to-know basis, with multi-factor authentication required;
(d) Infrastructure security: Cloud infrastructure is hosted in SOC 2-audited data centers operated by DigitalOcean;
(e) Monitoring and logging: We maintain security monitoring and logging to detect and respond to potential incidents;
(f) Credential handling: BYOK API keys are encrypted at rest and are not accessible to Company personnel in plaintext.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
In the event of a data breach affecting your personal information, we will:
(a) Notify affected individuals without undue delay and, where required by GDPR, within seventy-two (72) hours of becoming aware of the breach;
(b) Notify the relevant supervisory authority as required by applicable law;
(c) Provide details of the breach, the likely consequences, and the measures taken or proposed to address it;
(d) For Customers with active subscriptions, notify the Account administrator via email.
When you use the Service to process data through your Workflows, AI Agents, and Human-in-Loop interactions, you are the data controller for that Customer Content. You determine what data is processed, the purposes of processing, and the lawful basis for processing. We process Customer Content solely on your instructions as documented in our Terms of Service and any applicable Data Processing Agreement.
For Customers who require a Data Processing Agreement (DPA) under GDPR or other applicable data protection laws, we offer a standard DPA that covers our processor obligations, including data security measures, sub-processor management, data breach notification, audit rights, and cross-border transfer mechanisms. Contact legal@flowrunner.ai to execute a DPA.
If you are a Covered Entity or Business Associate under HIPAA and intend to use the Service to process Protected Health Information (PHI), you must execute a Business Associate Agreement (BAA) with us before transmitting any PHI through the Service. Contact legal@flowrunner.ai to initiate a BAA.
Without a BAA in place, you must not use the Service to process PHI. The availability of compliance features (audit trails, RBAC, SLA tracking) varies by Subscription Plan - you are responsible for selecting a plan that meets your HIPAA obligations.
Cloud Deployment: For cloud-hosted Customers, we manage the infrastructure and act as a data processor. The security, availability, and backup practices described in this Policy apply to cloud deployments.
Self-Hosted Deployment: For self-hosted Customers (Community Edition or Enterprise self-hosted), you are responsible for the security, availability, and data protection of your own infrastructure. We do not have access to or visibility into Customer Content on self-hosted installations. This Policy's data security and breach notification commitments do not apply to self-hosted deployments except to the extent we provide managed support services under an Enterprise agreement.
The Service is hosted in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:
(a) Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreement;
(b) Any applicable adequacy decisions;
(c) Other lawful transfer mechanisms as may be available under applicable data protection laws.
You may obtain a copy of the SCCs by contacting legal@flowrunner.ai.
The Service is designed for business use and is not directed at individuals under eighteen (18) years of age. We do not knowingly collect personal information from children under 18. Our Terms of Service require users to be at least 18 years old, and our corporate email requirement is designed to prevent registration by minors. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@flowrunner.ai.
The Service may contain links to third-party websites and integrate with Third-Party Services. This Policy does not apply to the practices of third parties. We encourage you to review the privacy policies of any third-party services you connect to the Service, including AI model providers (OpenAI, Anthropic, Google, Cohere), communication platforms (Slack, WhatsApp), and enterprise applications you integrate through your Workflows.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your Account) or by posting a prominent notice on the Service at least thirty (30) days before the changes take effect. We will also update the "Last Updated" date at the top of this Policy.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Midnight Coders, Inc., Attn: Privacy, 539 W. Commerce St, Suite 2023, Dallas, TX 75208
Privacy inquiries: privacy@flowrunner.ai
Legal inquiries: legal@flowrunner.ai
Security inquiries: security@flowrunner.ai
Data subject access requests: privacy@flowrunner.ai
BAA/DPA requests: legal@flowrunner.ai