Privacy Policy
Last updated: 2026-01-28
For users residing in Japan, the Japanese version of this Policy is the governing text. For users residing outside Japan, the English version prevails. If there is any discrepancy, the governing version will control depending on the user's place of residence.
This Privacy Policy ("Policy") describes how FlowHub ("Service") handles personal information and information similar thereto (collectively, "Personal Information"). Please review this Policy when using the Service.
1. Information We Collect
- Account information (GitHub login name, display name, email address, avatar, profile URL)
- Organization information (organization name, member roles, invitation details [full name, email address, GitHub username, expiration date, status, etc.])
- Candidate information (name, email address, contact method, position, source, close reason, notes, etc.)
- We do not intentionally collect sensitive personal information as defined by applicable laws. Please do not provide such information.
- Sync and integration data (Issue/Project content and various webhook delivery information)
- Information collected through Google Calendar integration
  - Google account email address, encrypted access and refresh tokens, scopes, organization domains, watch enablement flags
  - Watch channel management info (channel_id, resource_id, token hashes, sync_token, status, expiration, etc.)
  - Event titles, locations, times, descriptions, attendees, update timestamps, etc., which may be used for adding guests to FlowHub calendars or posting comments to GitHub Issues
- Payment-related information (Stripe customer IDs, subscription IDs, billing details, phone number, payment status and history)
- Logs for audit and incident response (operational and security logs, including audit and delivery logs)
- Access data for analytics purposes (page view and other statistical information)
2. Purposes of Use
- Authentication and authorization, GitHub integration, and automatic setup
- Managing candidate information and syncing with Projects/Issues, calendar delivery
- Google Calendar integration for event retrieval and updates, automatic comments on GitHub Issues, guest additions to FlowHub calendars, and watch channel management
- Billing, payment management, subscription management, and support
- Notifications (sending invitation emails) and inquiry handling
- Auditing and log analysis for quality improvement, incident response, and fraud prevention (organization_events / github_recent_delivery_logs, etc.) and usage analytics via Vercel Analytics
- Error reporting and investigation through Sentry (only when DSN is configured)
- Legal compliance and responding to user rights requests
3. Anonymized and Statistical Information
We may create anonymized or statistical information that cannot identify individuals and use it for service improvement, quality enhancement, and marketing analysis. Such information does not constitute Personal Information.
4. Methods of Collection
- User input and registration (organization settings, candidate information, invitations, etc.)
- Retrieval from GitHub APIs and webhooks (Issue/Project information, events, etc.)
- Retrieval from Google Calendar API and push notifications (event data, watch channel status, etc.)
- Retrieval from payment platforms including Stripe (payment results, subscription information, etc.)
- Delivery results via email delivery platforms (delivery status, etc.)
- Logs automatically generated during service use (errors, audit logs, delivery records, etc.)
- Access measurement via Vercel Analytics
5. Third-Party Provision
We do not provide Personal Information to third parties without prior consent, except as required by law, to protect life, body, or property, or to cooperate with governmental or similar institutions. We respond appropriately to requests for disclosure of records of third-party provision as required by law.
6. Outsourcing and Joint Use
To operate the Service, we may outsource Personal Information handling to the following providers to the extent necessary. Each provider handles data in accordance with its terms and policies.
- Supabase (authentication, database, storage)
- GitHub (storage of Issue/Project data, posting automatic comments, retrieving webhook delivery logs)
- Google (event retrieval and sync, watch channel management via Google Calendar API; tokens stored encrypted)
- Vercel (hosting and delivery, anonymized usage measurement via Vercel Analytics)
- Postmark (email delivery)
- Stripe (payments, subscription management)
- Sentry (error log transmission and visibility when DSN is configured)
We do not perform joint use at this time.
7. Cross-Border Transfers
Personal Information may be stored or processed in countries where our service providers are located. We review the personal information protection regimes and security measures of those providers and implement necessary contracts and oversight. We provide information on specific countries or safeguards upon request.
8. Use of Cookies and Similar Identifiers
The Service may use cookies and local storage identifiers for session management, invitation flows, and analytics. For invitation link participation, we may use HttpOnly and SameSite=Lax cookies. Vercel Analytics is primarily cookieless and collects statistics such as page views. You can disable cookies in your browser settings, but some features may not be available.
9. Retention Period
- Account and organization information is retained as necessary to fulfill the purposes of use.
- Invitation links have expiration dates and must be reissued after expiration.
- Tokens and watch channel information required for Google Calendar integration are stopped or invalidated upon expiration, and deleted upon unlinking or deletion requests.
- Payment-related information is retained only as long as required by law or contract.
- Webhook delivery and audit logs are retained according to settings and cleanup procedures and deleted as needed.
- Other logs for audit and incident response are retained as necessary and then appropriately deleted.
10. Security Measures
- Access control based on the principle of least privilege and proper protection of authentication information
- Auditing and log operations for detecting and preventing unauthorized use and access
- Selection, contracting, and monitoring of service providers
11. Requests for Disclosure, Correction, and Suspension of Use
We respond to requests for disclosure, correction, addition, deletion, or suspension of use in accordance with the law. We will verify identity and respond within a reasonable period. Please contact us using the details below.
12. Revisions
We may revise this Policy in response to legal changes or service updates. When important changes occur, we will notify users via their registered email address or in another manner we prescribe.
13. Additional Information for U.S. Residents
If you reside in the United States, you may have rights under applicable state privacy laws to request access to, correction of, or deletion of your personal information. Please contact us using the contact information below. We do not sell or share personal information as defined by applicable state privacy laws. We do not intentionally collect or use sensitive personal information.
14. Contact
For questions or inquiries about this Policy and the handling of Personal Information, please contact us at the email address below.