Privacy Policy

What data we collect, how we use it, and your rights.

Last updated: 27 February 2026

1. Who We Are

Flow Studio MCP is operated by Flow Studio Solutions (ABN pending). The service is hosted at mcp.flowstudio.app.

For privacy questions, contact [email protected].

2. Data We Collect

2.1 Account Data

When you sign in via Microsoft Entra ID, we receive:

  • Display name and email address
  • Azure AD Object ID (unique identifier)
  • Tenant ID

This data is used to identify your account, manage your subscription, and issue your MCP API key.

2.2 Subscription & Payment Data

Payment processing is handled entirely by Stripe. We never receive or store your credit card number, CVV, or bank details. We receive from Stripe:

  • Stripe Customer ID
  • Subscription status and plan tier
  • Billing email

2.3 Usage Data

We log MCP tool calls for usage metering:

  • Timestamp and tool name (e.g. list_live_flows)
  • Hashed user identifier
  • Environment name targeted
  • HTTP status and latency

We do not log flow definitions, action payloads, connection secrets, or run output data.

2.4 Power Platform Data (Team Tier)

If you subscribe to the Team tier, our store tools cache flow metadata, run statistics, governance tags, and connection inventories. This does not include flow action source code or runtime payloads. Cached data is deleted within 30 days of cancellation.

2.5 Analytics

We use Google Analytics 4 (measurement ID: G-JG031E26Z4) to understand site traffic and feature usage. GA4 collects anonymised usage data including page views, button clicks, and device type. We do not enable Google Signals or advertising features.

3. How We Use Your Data

  • Provide the service — authenticate you, call Power Automate APIs on your behalf, meter usage
  • Billing — manage subscriptions, enforce call limits
  • Support — diagnose issues you report
  • Improvement — aggregated, anonymised analytics to improve the product

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Third-Party Services

Service Purpose Data Shared
Microsoft Entra ID Authentication & consent Email, display name, tenant ID, OAuth tokens
Stripe Payment processing Email, subscription plan (card data stays with Stripe)
Microsoft Azure Hosting & infrastructure All service data (encrypted at rest and in transit)
Google Analytics 4 Site analytics Anonymised page views & events (no PII)

5. Cookies

Cookie Purpose Duration
StaticWebAppsAuthCookie Session authentication (Azure SWA) Session
_ga, _ga_* Google Analytics Up to 2 years

We also use localStorage to persist consent state and UI preferences. This data never leaves your browser.

6. Data Retention

  • Account data — retained while your account is active; deleted within 30 days of account closure
  • Usage logs — retained for 90 days in Azure Application Insights, then auto-purged
  • Team tier cached data — deleted within 30 days of subscription cancellation
  • Stripe records — retained per Stripe's privacy policy

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Deletion — request we delete your data
  • Portability — receive your data in a structured format
  • Revoke consent — withdraw Power Platform consent at any time (see Security page)

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a banner on the site. The "Last updated" date at the top reflects the most recent revision.