Privacy Policy

What data we collect, how we use it, and your rights.

Last updated: 13 April 2026

1. Who We Are

Flow Studio MCP is operated by Flow Studio Solutions, based in Sydney, New South Wales, Australia. The service is hosted at mcp.flowstudio.app.

For privacy questions, contact [email protected].

2. Data We Collect

2.1 Account Data

When you sign in via Microsoft Entra ID, we receive:

  • Display name and email address
  • Azure AD Object ID (unique identifier)
  • Tenant ID

This data is used to identify your account, manage your subscription, and issue your MCP API key.

2.2 Subscription & Payment Data

Payment processing is handled entirely by Stripe. We never receive or store your credit card number, CVV, or bank details. We receive from Stripe:

  • Stripe Customer ID
  • Subscription status and plan tier
  • Billing email

2.3 Usage Data

We log MCP tool calls for usage metering:

  • Timestamp and tool name
  • User identifier
  • HTTP status

We do not log flow definitions, action payloads, connection secrets, or run output data.

2.4 Power Platform Data (Pro+ Tier)

If you subscribe to the Pro+ tier, we automatically scan and cache your environment and connection inventories. Flow-level metadata needed for monitoring and reporting is only cached after you explicitly opt in on a per-flow basis. We do not cache runtime payloads or connector credentials. On cancellation, API access is revoked immediately. Cached data is deleted on request. See our Security page for details on what is cached.

2.5 What We Do NOT Collect

On Starter and Pro tiers, every tool call is a pass-through. We do not store:

  • Run input/output payloads or runtime data
  • Connection secrets or connector credentials
  • Mailbox, calendar, or file data (we request no such scopes)

Pro+ tier caches flow data only for flows you explicitly opt in to monitor (see section 2.4). No tier stores runtime payloads or credentials.

Billing and enforcement are based on call counts and plan entitlements, not on the business content inside your flows. See our Responsible AI page for more detail on how we handle error data.

2.6 Analytics

We use Google Analytics 4 on publicly accessible pages to understand site traffic and feature usage. We configure GA4 for basic site analytics and do not intentionally send personal data in analytics events. We do not enable Google Signals or advertising features. GA4 is not used in the MCP agent request path.

3. How We Use Your Data

  • Provide the service: authenticate you, call Power Automate APIs on your behalf, meter usage
  • Billing: manage subscriptions, enforce call limits
  • Support: diagnose issues you report
  • Improvement: aggregated analytics to improve the product
  • Communications: product updates, feature announcements, and newsletters sent to your account email. You can unsubscribe at any time via the link in each email.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Third-Party Services

Service | Purpose | Data Shared
Microsoft Entra ID | Authentication & consent | Email, display name, tenant ID, OAuth tokens
Stripe | Payment processing | Email, subscription plan (card data stays with Stripe)
Microsoft Azure | Hosting & infrastructure | All service data (encrypted at rest and in transit)
HubSpot | Email communications | Email address, name
Google Analytics 4 | Site analytics | Page views & site usage events (configured to avoid PII)

5. Cookies

Cookie | Purpose | Duration
StaticWebAppsAuthCookie | Session authentication (Azure SWA) | Session
_ga, _ga_* | Google Analytics | Up to 2 years

We also use localStorage to persist consent state and UI preferences. This data never leaves your browser.

Analytics cookies (_ga) are non-essential. If your jurisdiction requires explicit cookie consent for analytics, you may block these cookies in your browser settings.

6. Data Retention

  • Account data: retained while your account is active. On subscription cancellation, your API key is immediately revoked and plan access is removed.
  • Usage logs: retained while your account is active and deleted on request
  • Pro+ tier cached data: retained while the account is active. We do not currently apply automatic time-based deletion. Data is deleted on request or when the account is closed.
  • Stripe records: retained per Stripe's privacy policy

To request full deletion of your account data, email [email protected].

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data
  • Deletion: request we delete your data
  • Portability: receive your data in a structured format
  • Revoke consent: withdraw Power Platform consent at any time (see Security page)

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Lawful Basis for Processing

We process personal data on the following bases:

  • Contract: processing necessary to provide the service you signed up for (authentication, billing, usage metering)
  • Legitimate interest: operational monitoring, security, service improvement, and fraud prevention
  • Consent: analytics cookies and optional marketing communications (where applicable)

If you are in the UK or EU, this basis is provided in accordance with the UK GDPR and EU GDPR. You may withdraw consent at any time without affecting the lawfulness of prior processing.

9. Complaints

If you believe your personal information has been mishandled, you can:

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a banner on the site. The "Last updated" date at the top reflects the most recent revision.