Legal

Privacy notice

Version 2026-07-11. This notice is maintained by the operator of Executive Flow and explains how personal data is handled under the UK GDPR and the EU GDPR. It is app-owner editable content — not an independent certification.

Who is the controller

The operator of this Executive Flow instance is the data controller for personal data you enter into the product. The controller is TBC (to be confirmed before going live). Contact for privacy matters: Amiehg@hotmail.com. Where the UK GDPR requires an EU/UK representative, that representative will be named here.

What data we process

Where your data lives

Meetings, tasks, drafts and other in-product content are stored in your browser's local storage on this device in this build. Nothing you type is stored on our servers unless and until you explicitly enable a cloud sync feature. Clearing the browser storage deletes that data. See the Privacy Centre to export or erase it.

Lawful bases (UK/EU GDPR Art. 6)

AI processing

AI features are optional and off by default. When enabled, the prompt (which may include content you have entered such as meeting attendees or draft context) is transmitted to our AI processor, Lovable AI Gateway, which routes it to Google Gemini for generation. Neither Lovable nor Google uses this content to train their models. We keep a local record of every AI call (purpose, model, timestamp) which you can review or clear in the Privacy Centre.

Recipients and subprocessors

We use a small set of processors to deliver the service. The current list is on the DPA & subprocessors page. All processors are bound by data processing agreements meeting UK/EU GDPR Art. 28 requirements.

International transfers

Some processors (for example, our AI gateway) are located outside the UK/EEA. Where this is the case, transfers rely on the UK International Data Transfer Addendum or EU Standard Contractual Clauses (2021/914), together with a transfer risk assessment.

Retention

You control retention. In the Privacy Centre you can set an automatic purge window (default: 365 days) for historical items and trigger an immediate purge. AI audit records are capped at 500 entries locally and can be cleared at any time. Account records are retained for the life of your account plus the period needed to meet legal obligations.

Your rights

Under UK/EU GDPR you have the right to:

Automated decision-making

AI features generate drafts for your review — they never take automated decisions with legal or similarly significant effects on anyone. You approve every email and document before it leaves the app.

Security

Traffic is transported over TLS. Authenticated routes require a signed session. Local data is stored in your browser's storage — please keep the device itself secure. Report suspected incidents to the privacy contact above; we aim to notify affected users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that meets the reporting threshold.

Changes to this notice

Material changes will be communicated in-app and will prompt for consent again where required. The current version identifier is shown at the top of this page.