Legal
Privacy Policy
How Eryx collects, uses, stores, and shares personal data when you use the website, account flows, and app.
Operator: FLOWPIX LIMITED (Company No. 16157203)
Registered office: 128 City Road, London, EC1V 2NX, United Kingdom
Jurisdiction: England and Wales
Contact: business@eryx.digital
Effective date: April 10, 2026
1. Scope
This Privacy Policy explains how FLOWPIX LIMITED, also referred to in this policy as we, us, or Eryx, collects, uses, stores, and shares personal data when you visit our website, create an account, use the Eryx platform, contact us, or interact with our billing flows.
This policy applies to the public website, account access pages, and the web application used for lead discovery, enrichment, scoring, project management, and related workflow features.
Account data vs content you upload. Data about your account, authentication, billing, and how you use the product is processed by us to operate the service. Where you add lead, prospect, or campaign data, you are typically responsible as a business for the lawfulness of that processing and for your use of integrations and outreach features. We process such content to provide the features you enable.
2. Personal data we collect
- Account and identity data, such as your email address, login credentials, and basic profile details used for authentication.
- Social sign-in data when you choose Google, GitHub, or Apple login, processed through Supabase Auth and the relevant identity provider.
- Authentication and security data, including session state, CSRF tokens, password reset events, and sign-in activity needed to secure the service.
- Workspace and service data, such as projects, lead records, filters, scoring results, run history, usage data, and actions taken in the product.
- Billing data, such as subscription plan, trial status, Stripe customer and subscription references, invoice-related metadata, and payment status.
- Transactional email delivery metadata when we send product or billing-related messages through Resend (and, for some auth flows, mail sent or relayed via Supabase Auth depending on configuration).
- Web push subscription data (such as push endpoint and related subscription keys) if you opt in to browser notifications.
- Optional connected integrations, such as Google Mail, Microsoft mail, or WhatsApp Cloud, including tokens and configuration needed to send messages on your behalf. Tokens are stored with encryption at rest where that feature is enabled in our environment.
- Support and communications data, including messages you send to us by email or through support-related contact points.
- Product analytics and funnel events (for example page views, pricing or paywall views, signup steps, checkout steps, and usage surfaces) when PostHog is enabled for the deployment.
- Error reports, performance traces, and, on the web client, optional session replay clips processed by Sentry (with text masking and media blocking configured in our client setup).
- Technical and device data, such as browser type, diagnostics, timestamps, and request metadata processed by our infrastructure providers.
- Browser storage data, including cookies and local storage used for authentication, CSRF protection, analytics identifiers, saved views, table settings, and interface preferences.
3. How we use personal data
- To create and manage accounts and authenticate users.
- To deliver the platform, including project execution, lead workflows, automation webhooks you trigger, and usage metering.
- To process subscriptions, billing events, plan changes, invoices, and customer support requests.
- To send transactional notifications by email or web push where you have enabled them.
- To secure the service, prevent misuse, investigate suspicious activity, and maintain platform integrity.
- To understand how the product is used and to improve conversion and reliability, including product analytics (PostHog) and error monitoring or replay (Sentry) as described in our Cookie Policy.
- To comply with legal obligations, enforce our terms, and protect our legal rights.
4. Legal bases
Where UK GDPR or similar laws apply, we generally rely on the following legal bases:
- Performance of a contract, where we need data to provide your account and the service you request.
- Legitimate interests, such as securing, operating, and improving the platform, and understanding product usage in a proportionate way.
- Compliance with legal obligations, including accounting, tax, and fraud prevention requirements.
- Consent, where required by law for optional communications, web push, or non-essential technologies.
5. Sharing personal data and subprocessors
We may share personal data with service providers that help us run the service. A summary table of typical categories is available on our Subprocessors page. Providers include, among others:
- Stripe for payments, subscriptions, tax or invoicing features, and the customer billing portal.
- Supabase for authentication, database storage, and related managed infrastructure.
- Cloudflare for hosting and operating our API (Workers), and Vercel for hosting the web application.
- PostHog for product analytics and Sentry for error and performance monitoring (including session replay on the frontend as configured).
- Resend for transactional email, and identity or mail providers (Google, Microsoft, Meta) when you connect optional integrations or use social login.
- Automation infrastructure (for example n8n workflows and OpenAI or Anthropic APIs) that we or our subprocessors operate to execute enrichment and related pipelines initiated from the product. Payloads may include project and lead fields needed to run the workflow.
- Professional advisers, auditors, insurers, or acquirers where reasonably necessary for corporate, legal, or compliance purposes.
- Authorities or law enforcement where disclosure is required by law or necessary to protect rights, safety, or the service.
We do not sell your personal data.
Business customers (DPA). If you need a Data Processing Addendum for your organisation, contact us at business@eryx.digital.
6. International transfers
Some providers we use may process data outside the United Kingdom or your home jurisdiction. Where that happens, we take reasonable steps to use lawful transfer mechanisms and safeguards where required.
7. Retention
We keep personal data for as long as reasonably necessary to provide the service, maintain security, resolve disputes, comply with legal obligations, and enforce agreements. Retention periods vary depending on the type of data, whether your account remains active, and applicable legal requirements.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, or restrict the use of your personal data.
- Request access to the personal data we hold about you.
- Request correction of inaccurate or incomplete information.
- Request deletion where we no longer need the data or must erase it under applicable law.
- Object to certain processing or request portability where available.
- Withdraw consent where processing depends on consent.
You may also have the right to complain to the UK Information Commissioner's Office or your local data protection authority.
9. Security
We use reasonable technical and organizational measures designed to protect personal data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Children's privacy
The service is intended for business users and not for children. We do not knowingly collect personal data from anyone under 18.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we may update the effective date above and take reasonable steps to notify users where appropriate.
12. Contact
For privacy questions or requests, contact us at business@eryx.digital.