Introduction
Storybeep UG ("Company," "we," "us," or "our") operates FlowCursor, a macOS application that provides AI-powered text explanations and audio transcription services. This policy applies to the FlowCursor macOS app and the informational site at flowcursor.app.
Data Protection Officer: Martin Musiol
Email: martin@generativeai.net
Address: Nymphenburger Straße 88A, 80636 Munich
Information we collect
Data you provide directly
| Data type | Purpose | Retention |
|---|---|---|
| Selected text | Processed by AI to generate explanations. | Transient only - not stored after processing. |
| Audio recordings | Processed by AI for transcription. | Transient only - not stored after processing. |
| Apple ID authentication | User authentication and account identification. | Token stored locally in macOS Keychain. |
| Feedback and feature requests | Product improvement via Featurebase. | Retained until you request deletion. |
Data collected automatically
| Data type | Purpose | Retention |
|---|---|---|
| Rate limit counters | Enforce daily usage limits (100 requests per day). | 24 hours (automatic expiration). |
| Site analytics | Understand landing and documentation usage patterns (Google Analytics). | Per Google's retention policy. |
Data we do not collect
- We do not store the content of your explanations or transcriptions.
- We do not collect clipboard contents.
- We do not track which applications you use.
- We do not sell your personal data to third parties.
How we use your information
| Purpose | Legal basis | Details |
|---|---|---|
| Provide AI explanations | Contract performance (Art. 6(1)(b)). | Processing text you submit to deliver the service. |
| Provide transcription | Contract performance (Art. 6(1)(b)). | Processing audio you record to deliver the service. |
| User authentication | Contract performance (Art. 6(1)(b)). | Verifying your identity via Apple Sign-in. |
| Rate limiting | Legitimate interest (Art. 6(1)(f)). | Preventing abuse and ensuring fair usage. |
| Site analytics | Consent (Art. 6(1)(a)). | Understanding how visitors use our landing and docs site. |
| Product improvement | Legitimate interest (Art. 6(1)(f)). | Analyzing aggregated usage patterns. |
Third-party services
AI processing services
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| OpenAI | Text explanation (GPT models). | Selected text content. | openai.com/privacy |
| xAI | Text explanation (Grok models). | Selected text content. | x.ai/privacy |
| Groq | Audio transcription (Whisper). | Audio recordings. | groq.com/privacy |
Important
When you use FlowCursor, your text and audio are sent to these AI providers for processing. These providers may process your data according to their own privacy policies.
Infrastructure services
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Vercel | API hosting and rate limiting. | Hashed user ID, request counts. | United States |
| Apple | User authentication. | Apple ID token. | United States |
| Stripe | Payment processing. | Payment information. | United States |
Analytics and feedback services
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Google Analytics | Website analytics. | Anonymized browsing data. | policies.google.com/privacy |
| Featurebase | Feature requests and feedback. | User-submitted content. | featurebase.app/privacy |
International data transfers
Your data may be transferred to and processed in the United States, where our third-party service providers are located. We ensure appropriate safeguards through:
- Standard Contractual Clauses approved by the European Commission.
- Data Processing Agreements with all service providers.
- Selection of providers with SOC 2 or equivalent certifications.
Data retention
| Data type | Retention period | Deletion method |
|---|---|---|
| Text/audio for processing | Immediate (transient). | Automatically discarded after API response. |
| Rate limit counters | 24 hours. | Automatic TTL expiration in Vercel KV. |
| Authentication tokens | Until sign-out. | Removed from Keychain on sign-out. |
| Account data | Until deletion request. | Manual deletion upon request. |
| Site analytics | 14 months. | Google Analytics default retention. |
Your rights (GDPR)
| Right | Description | How to exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data. | Email martin@generativeai.net. |
| Rectification (Art. 16) | Correct inaccurate personal data. | Email martin@generativeai.net. |
| Erasure (Art. 17) | Request deletion of your data. | Email martin@generativeai.net. |
| Restriction (Art. 18) | Limit how we process your data. | Email martin@generativeai.net. |
| Portability (Art. 20) | Receive your data in a portable format. | Email martin@generativeai.net. |
| Object (Art. 21) | Object to processing based on legitimate interest. | Email martin@generativeai.net. |
| Withdraw consent (Art. 7) | Withdraw consent for analytics. | Adjust cookie preferences on our landing site. |
Response time: We respond to requests within 30 days. You also have the right to lodge a complaint with a supervisory authority in Germany.
California privacy rights (CCPA)
If you are a California resident, you have the following rights under the CCPA/CPRA:
| Right | Description |
|---|---|
| Right to know | Request disclosure of personal information collected. |
| Right to delete | Request deletion of your personal information. |
| Right to correct | Request correction of inaccurate information. |
| Right to opt out | Opt out of sale or sharing of personal information. |
| Right to limit | Limit the use of sensitive personal information (not applicable here). |
| Non-discrimination | Not be discriminated against for exercising rights. |
FlowCursor does not sell or share personal information. To exercise a CCPA right, email martin@generativeai.net with the subject line "CCPA Request - [Right Type]". We will verify your identity and respond within 45 days.
Children's privacy
FlowCursor is intended for users aged 16 years and older. We do not knowingly collect personal data from children under 16.
Security measures
- Encryption in transit with TLS 1.3.
- Authentication tokens stored in macOS Keychain.
- Access control via authentication and rate limiting.
- Minimal data collection necessary to provide the service.
Changes to this policy
- We update the "Last Updated" date at the top of this policy.
- We display a notice in the application for material changes.
- We may send email notifications for significant updates.
Contact
Storybeep UG
Data Protection Officer: Martin Musiol
Email: martin@generativeai.net
Address: Nymphenburger Straße 88A, 80636 Munich