Effective date: May 26, 2026
FlowManual(“FlowManual,” “we,” “us,” or “our”) provides a document analysis platform for construction contractors. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
By creating an account or using FlowManual, you agree to this Privacy Policy. If you are using FlowManual on behalf of an employer or other organization, you represent that you have authority to bind that organization to this policy.
When you register, we collect your name, email address, and a hashed (one-way encrypted) password. We never store your password in plaintext.
FlowManual processes PDF documents you upload. How these are stored depends on your deployment:
FlowManual extracts plain text from your uploaded documents. This text is stored encrypted in our database and is used to power document analysis features. Raw document files are never transmitted to the analysis provider. Only the extracted plain text is sent.
Annotations, comparison discrepancies, scope gaps, cost estimates, RFI entries, equipment schedules, vendor price history, and GC pattern observations you generate are stored in our database, encrypted at the field level.
We maintain an audit log of document analysis calls that includes: timestamp, user ID, document ID, operation type, bytes transmitted, and a keyed HMAC-SHA-256 hash of the prompt (when an audit key is configured). Full prompt text is never stored. This log is visible only to you at /admin/security and is used to maintain an audit trail of analysis usage.
We do not sell your data. We do not use your document content for advertising. We do not share your data with third parties except as described in Section 3.
You can choose to let FlowManual use the documents you upload and the corrections you make to improve extraction quality for all customers. This is off by default and applies only if you turn it on from your account settings. You can turn it off at any time from the same setting, which immediately stops any future use of your data for this purpose; it does not undo improvements already made. Data used this way is never sold and never shared with third parties. This setting never applies to on-premise deployments, where your data stays on your own server and FlowManual has no access to it.
We share data with the following processors only as necessary to provide the service:
For accounts on flowmanual.com, the application, the database, and uploaded files are hosted on DigitalOcean. Files are kept on an encrypted volume. DigitalOcean processes this data on our behalf under a data processing agreement. This does not apply to self-hosted (on-premise) deployments, where all data stays on your own infrastructure.
When you run document analysis, extracted plain text from your documents is sent to Anthropic’s API. Anthropic operates under a zero-data-retention policy: prompts and responses are not stored and are not used to train models. Raw document files are never transmitted. See Anthropic’s Privacy Policy.
We use Resend to send service-related emails such as account confirmation, sign-in verification codes, and material changes to this policy. Resend processes the recipient email address and message contents on our behalf under a data processing agreement.
If you sign in with Google, Google authenticates you and shares your name and email address with us. This is governed by Google’s Privacy Policy.
We have no marketing or advertising vendors. The hosted service at flowmanual.com uses one privacy-preserving analytics provider (PostHog) to understand product usage: which features are used, how far new accounts get in setup, and where errors happen. These are server-side event counts tied to an account identifier. They never include document content, filenames, or client and vendor names, and we do not use analytics cookies or session recording (see Cookies below). On-premise deployments send no analytics at all (see On-Premise Deployments below).
For customers running FlowManual on their own infrastructure via Docker, we have a strict no-access policy after installation:
In practice, FlowManual cannot access on-premise customer data even if legally compelled. We simply do not have it.
FlowManual uses strictly necessary session cookies to keep you authenticated. We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required because we do not place any non-essential cookies.
We implement industry-standard safeguards including AES-256-GCM encryption for sensitive data, HTTPS-only transport, hashed passwords (scrypt, memory-hard), and no plaintext storage of credentials. No security measure is perfect; please notify us immediately if you suspect unauthorized access to your account.
For a technical overview of how we protect your data, see our Security page.
You have the right to:
To exercise any of these rights, email us at legal@flowmanual.com.
FlowManual is intended for professional use by adults. We do not knowingly collect personal data from anyone under 18. If we learn we have collected data from a minor, we will delete it promptly.
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the new policy takes effect. Continued use of FlowManual after the effective date constitutes acceptance of the updated policy.
Questions, requests, or concerns about this Privacy Policy should be directed to:
FlowManual
legal@flowmanual.com