Privacy Policy

Last updated: January 7, 2026

Overview

Flocus ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our flow state tracking application and related services.

Information We Collect

Account Information

When you create an account, we collect your email address and, if you sign up with Google, basic profile information. We use this to authenticate your account and communicate with you about your subscription.

Session Data

We store aggregated session metrics including: session duration, flow/overload/boredom time percentages, average and peak flow scores, and Pomodoro interval data if enabled. This data is linked to your account if you're logged in.

EEG Data

Your raw EEG brainwave data is processed entirely in your browser and is never sent to our servers. We only store the computed metrics (flow scores, state classifications) derived from this data. The raw brainwave signals remain on your device.

How We Use Your Information

  • To provide and maintain the Flocus service
  • To process your subscription and payments via Stripe
  • To send you important service updates and notifications
  • To respond to your support requests
  • To improve our service through aggregated, anonymized analytics

Data Storage & Security

Your data is stored securely using Supabase, which provides enterprise-grade security with encryption at rest and in transit. Session data is also stored locally in your browser using IndexedDB for offline access.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Third-Party Services

We use the following third-party services:

  • Supabase - Database and authentication
  • Stripe - Payment processing
  • Google Analytics - Website analytics (anonymized)
  • Vercel - Hosting and deployment

Each of these services has their own privacy policy governing how they handle data.

Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your session data
  • Withdraw consent at any time

To exercise any of these rights, contact us at josh@flocus.org.

Data Retention

We retain your account and session data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

Cookies

We use essential cookies for authentication and session management. We use Google Analytics which sets its own cookies for analytics purposes. You can control cookie settings in your browser.

Children's Privacy

Flocus is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, please contact us at josh@flocus.org.