studioflow

Privacy Policy

Effective Date: 9 March 2026

1. Introduction

StudioFlow is operated from Ireland and is subject to the General Data Protection Regulation (GDPR) and Irish data protection law. This policy explains what data we collect, why we collect it, and your rights in relation to it. If you have any questions, contact us at Loading....

2. Two Roles: Your Data vs Your Clients' Data

Your data (as an instructor): StudioFlow is the data controller for your personal information — the account details and usage data you generate when using the app. This privacy policy covers that data.

Your clients' data: You (the instructor) are the data controller for your clients' personal data. StudioFlow acts as your data processor, handling that data only on your behalf. Your clients should receive a privacy notice from you — not from StudioFlow. The full terms of this relationship are set out in our Data Processing Agreement.

3. Information We Collect About You (Instructors)

Account information:

  • Name, email address, hashed password
  • Apple ID or Google account identifier (if you sign in with those)

Business and profile information:

  • Business name, phone number, social media links, bio, and timezone

Usage data:

  • Features used, session information, device type, OS, and app version — collected via PostHog

Support communications:

  • Messages you send to us via the Crisp in-app chat

Credit and payment records:

  • Transaction history and credit balance. Card or payment details are handled entirely by Apple, Google, and RevenueCat — we never see them.

4. Information Instructors Store About Their Clients

As a data processor, StudioFlow stores whatever client data you choose to add to the system. This may include:

  • Contact details: name, email address, phone number, date of birth
  • Class enrolment, attendance records, and pack purchases
  • Form submissions — including any health or medical information you collect
  • Communication history (SMS, email, WhatsApp)
  • Communication consent records (opt-ins for email, SMS, WhatsApp)

You are responsible for having a lawful basis to collect and process this data, and for obtaining appropriate consent — including explicit consent for any health or medical information.

5. How We Use Your Information

  • Providing and operating the StudioFlow service
  • Processing credit transactions via Apple, Google, and RevenueCat
  • Sending service emails such as account alerts and receipts
  • Analytics and product improvement via PostHog (anonymised or aggregated where possible)
  • Customer support via Crisp
  • Referral and promotional tracking

Lawful basis for processing

We process your personal data on the following lawful bases set out in GDPR Article 6:

  • Performance of a contract (Article 6(1)(b)): Processing necessary to provide the StudioFlow service you signed up for — including account management, credit transactions, and service communications.
  • Legitimate interests (Article 6(1)(f)): Analytics and product improvement, customer support, fraud prevention, and security monitoring. We have assessed that these interests are not overridden by your rights.
  • Legal obligation (Article 6(1)(c)): Retaining financial and transaction records as required by Irish law.

6. Third-Party Services We Use

We work with the following service providers under data processing agreements:

| Service | Purpose | Data shared |
|---|---|---|
| Twilio | SMS delivery | Client phone numbers when sending SMS |
| AWS SES | Email delivery | Client email addresses when sending emails |
| Meta WhatsApp Business API | WhatsApp messaging | Client phone numbers when sending WhatsApp messages |
| RevenueCat | In-app purchase management | User ID, purchase events |
| Apple App Store / Google Play | Credit purchases | Handled by Apple/Google under their own privacy policies |
| PostHog | Analytics and session data | Usage data and device info (anonymised) |
| Crisp | Customer support chat | Your name, email, and support messages |
| AWS | Cloud infrastructure and file storage | All app data (stored on AWS servers in the EU region) |

7. AI Assistant Integrations (MCP)

StudioFlow supports connection to AI tools (such as Claude.ai) via the MCP protocol. This connection is initiated and controlled entirely by you.

These AI tools can only access class and schedule information. No personal client data — including names, contact details, or health information — is shared with AI assistants via this integration.

8. Cookies and Tracking

Our website uses essential cookies required for the site to function, and analytics cookies via PostHog to understand how visitors use the site.

You can manage or disable non-essential cookies in your browser settings at any time.

9. Data Sharing and Disclosure

We do not sell or rent your data to anyone.

Data is shared only with the service providers listed in Section 6, each operating under a data processing agreement with us.

We may disclose data if required to do so by law, or to protect the rights, property, or safety of StudioFlow, our users, or others.

In the event of a business acquisition or merger, your data may transfer to the new entity. We will notify you if this happens.

10. Data Security

  • All data is encrypted in transit (HTTPS/TLS) and at rest
  • JWT-based authentication with short-lived tokens
  • Rate limiting and account lockout protections

No system is 100% secure. We recommend using a strong, unique password for your StudioFlow account.

11. Your Rights Under GDPR

Because StudioFlow is an Irish-operated service, you have the following rights under GDPR:

  • Access: Request a copy of the data we hold about you — email us and we will provide it
  • Correction: Ask us to correct inaccurate data
  • Erasure: Request deletion of your account and data by emailing us (see Section 12 for retention details)
  • Restriction: Ask us to limit how we process your data in certain circumstances
  • Portability: Request a copy of your data in a portable, machine-readable format by emailing us
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on your consent, you can withdraw it at any time

To exercise any of these rights, email us at Loading.... We will respond within 30 days as required by GDPR (we aim for 48 hours).

You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at dataprotection.ie.

12. Data Retention

  • Data is retained while your account is active
  • On deletion: your data is held in backup for 30 days, then permanently deleted
  • Credit and financial transaction records may be retained for longer where required by law
  • Anonymised or aggregated usage data may be retained indefinitely

To request deletion of your account and data, email us at Loading.... We will confirm once deletion is complete.

13. Children

StudioFlow is not intended for anyone under 18 years old. We do not knowingly collect personal data from minors. If you believe a child has registered, please contact us immediately.

14. International Data Transfers

Your primary data is stored in the EU on AWS eu-west-1 (Ireland) servers.

Some of our service providers are US-based (including Twilio, PostHog, and Crisp). Data transfers to those providers are covered by Standard Contractual Clauses or equivalent safeguards as required under GDPR.

15. Changes to This Policy

We will notify you of material changes to this policy via email or in-app notification. Continued use of StudioFlow after a change is notified means you accept the updated policy.

16. Contact

StudioFlow — Ireland

Email: Loading...

Response time: We aim to respond within 48 hours