Flow Signals Open the app
← Back to Legal Center

Security

Version 1.0 Last updated July 8, 2026 Effective July 8, 2026 Draft for attorney review

How we protect payments, sign-in, and your session, and how to report a vulnerability.

This page explains, in plain terms, the reasonable safeguards we use to protect your account and your data, and how to report a security issue. Security is a shared effort, so it also covers a few steps you can take.

Honest by design

We describe what we actually do. We do not claim certifications we do not hold. We do not claim to be perfectly secure, because no online service can. We use reasonable safeguards designed to protect your data and we keep improving them.

1. Payments#

All payments are processed by Stripe, a major payment provider, through a secure checkout. We do not see or store your full card number on our servers. Stripe handles card data under its own security program.

2. Sign in#

You sign in with Google, so we do not store a password for you. This means there is no Flow Signals password for an attacker to steal or guess. Keeping your Google account secure, for example with two step verification, is the best way to protect your Flow Signals access.

3. Encryption in transit#

Traffic to and from our sites is protected with encryption in transit using HTTPS, so data moving between your browser and us is encrypted. Our sites are served behind Cloudflare for delivery and protection.

4. Session protection#

  • Your session uses a cookie that is marked secure and HTTP only, so it is only sent over HTTPS and is not readable by page scripts.
  • We use anti cross site request forgery tokens to protect actions you take while signed in.
  • We apply rate limits and monitoring on sign in and sensitive endpoints to slow down abuse.

5. Access and data handling#

We limit who can access production systems and follow the principle of least privilege. Secrets such as payment and mail keys are stored outside the public web root. We keep only the data we need and retain it as described in the Privacy Policy.

6. What you can do#

  • Protect your Google account and turn on two step verification.
  • Do not share your account. It is meant for one person, per our Acceptable Use Policy.
  • Be alert to phishing. We will never ask for your password, and we do not have one for you.

7. Responsible disclosure#

Found a vulnerability?

We welcome reports from security researchers. Email [email protected] with the details and steps to reproduce. Please give us a reasonable chance to fix the issue before you share it publicly, and do not access other users data, degrade the Service, or run destructive tests. We will not pursue good faith research that follows these rules.

8. If something goes wrong#

If we learn of a security incident that affects your data, we will investigate, take steps to contain it, and notify affected users and regulators where the law requires. No promise of absolute security can be made, but we take incidents seriously.

9. Contact#

For security questions or reports, email [email protected].

Questions about this policy?

Email us at [email protected].

We read every message and reply as soon as we can.