Last updated: June 12, 2026

Privacy Policy

This Privacy Policy explains how Flow Mock (“we,” “us,” or “our”) collects, uses, stores, and shares information when you use flowmock.dev and related services (the “Service”).

1. Who we are

The Service is operated by Petar Slovic, an individual based in the Republic of Serbia.

Contact: support@flowmock.dev

2. Controller and processor roles

We act as the data controller for account and authentication data described in Section 3.

We act as a data processor for data that you route through your Flow Mock proxy endpoints (“Proxied Data”). In that role, you are the data controller and are responsible for ensuring you have a lawful basis to collect and process Proxied Data, including configuring redaction and retention appropriately. This mirrors our Terms of Use.

3. Account data we collect

When you create and use an account, we collect and store:

  • Email address, display name, and optional avatar URL
  • Authentication credentials: a password hash, or OAuth tokens if you sign in with GitHub or Google
  • Session security data: IP address and user agent associated with your authentication sessions
  • Organization and team membership, roles (owner, admin, member, viewer), and invitation emails

We use account data to provide the Service, authenticate you, and communicate with you.

4. Proxied traffic we capture

Whatever your application sends through your Flow Mock proxy URL is captured by design — this is the core function of the product. When traffic passes through your proxy endpoint, we record:

  • Full request and response bodies, stored in Cloudflare R2 object storage
  • Metadata stored in our database: HTTP method, path, query parameters, status code, timing, and 512-character previews of request and response bodies
  • Request and response headers (subject to automatic redaction — see Section 5)

For QA session identification, JSON Web Tokens in incoming requests are decoded without cryptographic verification. We never store raw JWTs. Instead we store a one-way hash of the session key, an optional display label derived from a claim (such as an email address), a masked IP prefix (for example, 203.0.113.x), and a truncated user-agent string.

5. Built-in protections and redaction

Before data is stored, we apply protections that cannot be reversed:

  • Automatic header redaction at capture time for sensitive headers, including authorization, cookie, set-cookie, x-api-key, and header names that resemble tokens or secrets
  • Configurable field-level redaction for request and response bodies and query parameters. Projects can use store_all mode or redact_by_default mode with custom redaction rules

Redaction is applied before storage and is irreversible. You are responsible for configuring redaction rules appropriate for the data your tests may carry.

6. Retention

Proxied traffic logs are automatically deleted after the retention period configured for your project or organization. The default retention is 14 days, configurable from 1 to 90 days. Deletion removes both database metadata and the full request/response bodies stored in R2. A daily scheduled job performs this cleanup.

Account data is retained until you delete your account. After deletion, account data is removed subject to any legal obligations that require longer retention.

7. Who can see your data

All members of your organization can view all QA sessions, request logs, and stored request/response bodies for projects within that organization. Role-based permissions (owner, admin, member, viewer) control what actions members can take, but all roles can view logs and session data within the org.

There is no cross-organization access — members of one organization cannot see another organization's data.

Flow Mock operators may access data when necessary for support, security investigation, or abuse review.

8. Subprocessors

We use the following subprocessors to operate the Service:

  • Cloudflare, Inc. — compute (Workers), database (D1), object storage (R2), Durable Objects, and transactional email delivery. Proxied Data and account data are processed and stored on Cloudflare's global network.
  • Vercel, Inc. — hosting for the Flow Mock dashboard web application.

These providers may process data outside the European Economic Area. They rely on their own contractual safeguards and standard contractual clauses where applicable.

9. Cookies and tracking

The dashboard uses first-party authentication cookies only (session cookies on the .flowmock.dev domain in production). We do not use analytics scripts, advertising trackers, or third-party tracking pixels in the web application.

10. Your rights

If you are in the European Economic Area, United Kingdom, or another jurisdiction with similar data protection laws, you may have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure of your data
  • Data portability
  • Object to or restrict certain processing

To exercise these rights for account data, email support@flowmock.dev. We will respond within the time required by applicable law.

For Proxied Data, direct requests to the organization (data controller) that routed the traffic through Flow Mock. We will assist controllers with processor obligations as required by law.

11. Security

We use TLS encryption in transit, hashed credentials, and Cloudflare's infrastructure for storage and compute. The Service is in beta; we have not obtained formal security certifications (such as SOC 2 or ISO 27001) and make no representation that the Service is free from vulnerabilities.

12. Data breaches and policy changes

If we become aware of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated “Last updated” date. Material changes may also be communicated by email or through the dashboard.

13. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact support@flowmock.dev.