Privacy Policy
Last updated: February 2026
1. Who We Are
Data controller: The Flow Church
Contact: [email protected]
This application runs on Hostinger server1479, London, UK. Photo blobs are stored in Cloudflare R2 using the Europe (EEUR) storage region to keep data within the EU/UK.
2. What Data We Collect
- Email address — used for account creation and sign-in (magic link).
- Photos you upload — stored in Cloudflare R2 (EU/UK). Never shared or used for any purpose beyond generating your photo book.
- Project state — page layouts, text content, and template choices stored in MySQL on Hostinger (UK).
- Usage logs — application errors are captured by Sentry for debugging purposes. Logs are anonymised where possible and retained for 90 days.
3. Why We Process Your Data
- Providing the service (legal basis: contract) — We process your data to create and store your photo books.
- Security monitoring (legal basis: legitimate interest) — Error logs help us identify and fix issues that would otherwise break the service.
4. How Long We Keep Your Data
- Photos and projects: retained until you delete your account.
- Sessions: session JWTs expire after 30 days.
- Sentry error logs: 90 days (Sentry free tier limit).
5. Third Parties We Share Data With
- Cloudflare — R2 photo storage, Europe (EEUR) data centre.
- Sentry — anonymised application error data only. No personal data is intentionally sent to Sentry.
We do not sell your data or share it with advertisers.
6. Your Rights (UK GDPR)
Under UK GDPR you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — delete your account and all associated data via Account Settings → Delete Account.
- Data portability — request your data in a machine-readable format.
- Object to processing — object to us processing your data under legitimate interest.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
7. Cookies
This application uses a single HTTP-only session cookie set by NextAuth.js to maintain your login state. It contains a signed JWT and no personally identifiable information beyond your user ID.
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
8. Contact
For data-related requests or concerns:
Email: [email protected]
Address: The Flow Church, [address]