Privacy Policy
Last updated: 10 July 2026
This Privacy Policy explains how Flow Leap SASU ("FlowLeap", "we", "us") collects, uses, shares, and protects personal data when you use the FlowLeap desktop application, website at flowleap.co, dashboard, API, and related services (the "Service").
We are committed to protecting your privacy and the confidentiality of your patent work. We do not use your content to train AI models (see Section 5).
This policy is written for the European Union General Data Protection Regulation (GDPR) and French data-protection law, overseen by the CNIL.
1. Who is responsible for your data
For personal data processed through the Service, the data controller is:
Flow Leap SASU — registered in the French National Business Register (RNE) under SIREN 988 064 721, with head-office SIRET 988 064 721 00018, VAT number FR81 988 064 721, and registered office at 47 rue Marcel Bonnet, 94230 Cachan, France.
Privacy contact: contact@flowleap.co
Where we process personal data on behalf of an Organization (for example, content submitted by an Organization's members in the course of their work), we generally act as a data processor for that Organization, which is the controller of that data. In that case, our Data Processing Agreement governs that processing, and you should also consult your Organization's own privacy notice.
2. Scope
This policy covers personal data of account holders, Organization members, website visitors, and people who contact us. It does not cover third-party websites or services we link to, or the Model Provider and agent harness accounts you choose to connect, which have their own policies.
3. What data we collect
Data you provide:
- Identity and account data — name, email address, and authentication details (managed via our identity provider, Clerk).
- Organization data — Organization name, your role, membership, and settings.
- Billing data — subscription plan, billing details, and invoices (payments are handled by our payment provider, Polar; we do not store full card numbers).
- Your Content — the Inputs you submit (prompts, instructions, documents, prior-art references, drafts, claims) and the Outputs generated for you.
- Support and communications — messages you send us and related details.
Data collected automatically:
- Technical data — IP address, device and browser information, and application version.
- Usage data — feature usage, request counts, tool activity, diagnostics, and activity/audit events.
- Cookies and similar technologies — as described in Section 11.
We do not intentionally collect special-category personal data, and you should avoid submitting it as Input unless necessary and lawful.
4. How and why we use your data (purposes and lawful bases)
| Purpose | Examples | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Provide the Service | Authenticate you, run AI features and patent-data tools, return Outputs, and manage Organizations | Performance of a contract |
| Billing and payments | Process subscriptions, invoices, taxes | Contract; legal obligation |
| Security and abuse prevention | Protect accounts, detect and prevent fraud and misuse, maintain audit logs | Legitimate interests; legal obligation |
| Support | Respond to your requests | Contract; legitimate interests |
| Service improvement (aggregated) | Anonymous/aggregated statistics and diagnostics — not model training | Legitimate interests |
| Communications | Service and security notices | Contract / legitimate interests |
| Marketing (if any) | Product news, newsletters | Consent (you can opt out anytime) |
| Legal compliance and disputes | Comply with law, enforce our Terms, establish or defend legal claims | Legal obligation; legitimate interests |
Where we rely on legitimate interests, we balance them against your rights and have concluded our interests do not override them; you may object (see Section 12).
5. Your Content: our commitments
5.1 We do not train on your content. We do not use your Inputs or Outputs to train, fine-tune, or improve any AI models, and our agreements with AI Service Providers prohibit them from using your content to train their models. Your chosen Model Provider processes primary inference under its own terms.
5.2 Confidentiality. We treat Your Content as confidential. Access is limited to personnel and sub-processors who need it to provide the Service, under confidentiality obligations.
5.3 Primary model inference. Primary model inference uses the Model Provider account, credentials, or agent harness you select. FlowLeap does not proxy or pay for that model usage. Your selected provider processes those requests under your separate agreement with it, including its privacy, retention, and training terms.
5.4 FlowLeap-managed AI tools. Some features, including query building, analysis, embeddings, and OCR, may send relevant content to the AI Service Providers listed in Section 7. They process that content to provide the requested feature under FlowLeap's instructions.
5.5 You stay in control. You can access, export, and delete Your Content from the Service, subject to limited backup and legal-retention periods (Section 9).
6. We do not sell your data
We do not sell your personal data, and we do not use Your Content for advertising or to build advertising profiles.
7. Sharing and sub-processors
Your chosen Model Provider or agent harness processes primary inference under your separate relationship with it. User-selected BYOK providers are therefore not included in FlowLeap's subprocessor table for primary inference. If FlowLeap separately engages the same company for a FlowLeap-managed feature, that separate processing relationship appears below.
We share personal data only as needed to run FlowLeap-managed parts of the Service, with providers bound by data-protection terms, and with authorities where required by law. Our key sub-processors are:
| Sub-processor | Purpose | Location | Notes |
|---|---|---|---|
| Anthropic | Selected server-side query building and analysis | USA | No training under FlowLeap's provider terms |
| OpenAI | Selected server-side query building, analysis, and embeddings | USA | No training under FlowLeap's provider terms |
| Mistral AI | Document OCR | EU (France) | No training under FlowLeap's provider terms |
| Clerk | Authentication and account management | USA | — |
| Polar | Payments and billing | USA | Card data handled by the payment provider |
| Vercel | Application hosting and delivery | USA | — |
We may also share data with professional advisers, and with authorities, courts, or regulators (including the CNIL) where legally required, and in connection with a merger, acquisition, or sale of assets (with notice where required).
Patent-data queries are transmitted to the data services needed to fulfil your request, including EPO OPS and USPTO ODP. When you supply your own patent-data credentials, they are forwarded to the relevant service for authentication and are not persisted by FlowLeap.
We keep an up-to-date list of sub-processors and will update this policy when it changes.
8. International data transfers
Some of our sub-processors are located outside the European Economic Area (notably in the United States). Where we transfer personal data outside the EEA, we rely on appropriate safeguards under the GDPR, primarily the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate. You can request more information about these safeguards using the contact details below.
9. Data retention
We keep personal data only as long as necessary for the purposes above, then delete or anonymize it. Indicative periods:
- Your Content — until you delete it or your Account/Organization is terminated, subject to limited backups.
- Account data — for the life of your Account, then deleted or anonymized within a reasonable period after closure.
- Technical/usage logs — a limited rolling period for security and diagnostics.
- Billing records and invoices — as required by French law (typically up to 10 years).
- Support records — for a limited period after the matter is resolved.
10. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and least-privilege access to Your Content. No system is perfectly secure, but we work to protect your data and will notify you and the relevant authority of a personal-data breach where the law requires.
11. Cookies
We use strictly necessary cookies to operate the Service and, with your consent where required, limited analytics. You can manage non-essential cookies through our cookie controls.
12. Your rights
Under the GDPR, you have the right to: access your data; rectify inaccurate data; erase data; restrict or object to processing (including processing based on legitimate interests); data portability; and to withdraw consent at any time where processing is based on consent. You also have the right not to be subject to solely automated decisions producing legal or similarly significant effects; we do not make such decisions about you.
To exercise your rights, contact us at contact@flowleap.co. We will respond within the time limits required by law. If your data is processed on behalf of an Organization, we may direct your request to that Organization as controller.
You also have the right to lodge a complaint with a supervisory authority — in France, the Commission Nationale de l'Informatique et des Libertés (CNIL), www.cnil.fr.
13. Children
The Service is for professional use by adults. It is not directed to children, and we do not knowingly collect personal data from anyone under 18.
14. Changes to this policy
We may update this policy as the Service evolves. For material changes, we will give reasonable notice (for example, by email or in-product notice). The "Last updated" date above shows the latest version.
15. Contact
Flow Leap SASU · SIREN: 988 064 721 · SIRET: 988 064 721 00018 · VAT: FR81 988 064 721 · 47 rue Marcel Bonnet, 94230 Cachan, France · Privacy and general contact: contact@flowleap.co
