the fine print

Privacy Policy

Last updated: 2026-05-07 · Datenschutzerklärung gemäß Art. 13 DSGVO

Summary: we do not store your drawings. Drawing content goes directly from your browser to Notion using your Notion access token - it never touches our servers. We store a hashed identifier and your monthly drawing count to enforce the free-tier limit, plus your Pro license status if you upgrade. The website uses Cloudflare Web Analytics (cookieless, no fingerprinting, no cross-site tracking) for aggregate page-view stats; no advertising cookies, no third-party tracking scripts.

1. Who is the data controller

Alexander Kagoshima
Email: [email protected]

The full postal address of the data controller is published in our Impressum as required under § 5 DDG.

We are responsible for the processing of personal data in connection with this website (flowblock.app) and the Flowblock Chrome extension.

2. Data processed when you visit flowblock.app

This website is hosted on Cloudflare Pages. When you load a page, Cloudflare automatically processes certain connection metadata to deliver the site and protect against abuse:

IP address of your device
User-agent string (browser and operating system)
Referrer URL, if any
Requested URL and HTTP status
Timestamp of the request

Legal basis: Art. 6(1)(f) GDPR - legitimate interest in operating and securing the website.
Retention: handled by Cloudflare under their own policies (typically rolling logs of a few days). See cloudflare.com/privacypolicy.

In addition, this website uses Cloudflare Web Analytics to measure aggregate page views and referrers. Cloudflare Web Analytics is cookieless, does not use browser fingerprinting, does not track you across other websites, and does not build a user profile. The beacon (static.cloudflareinsights.com) is injected automatically by Cloudflare when serving the page; no personal data such as your IP address is retained for analytics purposes (Cloudflare drops it after deriving the aggregate counters).
Legal basis: Art. 6(1)(f) GDPR - legitimate interest in understanding aggregate website usage. Because Web Analytics neither stores nor reads information on your device, no consent under § 25 TTDSG is required.
See cloudflare.com/web-analytics for details.

Apart from this, no cookies and no third-party tracking scripts are served from this website. Fonts (Caveat) are self-hosted and not loaded from any third party.

3. Data processed when you use the Flowblock Chrome extension

3.1 Notion OAuth token

When you connect your Notion account, Notion issues us an OAuth access token scoped to the Notion pages you explicitly select during the authorization flow. This token is stored locally in your browser (chrome.storage.local) and is used only to call Notion's API directly from your browser or our backend when uploading a drawing. We do not persist the Notion token on our servers.

Legal basis: Art. 6(1)(b) GDPR - necessary to provide the service you requested.

3.2 Hashed Notion user ID and diagram count

To enforce the free-tier limit of five drawings per calendar month, the extension sends to our Cloudflare Worker backend:

a SHA-256 hash of your Notion workspace user ID (the raw ID is not sent)
the current calendar month (e.g. 2026-04)
an increment request

The backend stores a counter in Cloudflare KV keyed by this hash. We cannot reverse the hash back to your Notion identity. When a drawing is created from a Mermaid code block, a second counter (mermaid_import) is incremented in the same way, so we can measure aggregate adoption of the Mermaid-import feature. The two counters together never reveal more than how many drawings, and how many of them came from Mermaid, you created in a given month.

Legal basis: Art. 6(1)(b) GDPR - necessary to enforce the terms of the free tier; Art. 6(1)(f) GDPR - legitimate interest in measuring aggregate feature adoption.
Retention: counter entries expire automatically at the end of each calendar month.

3.3 License key and subscription status (Pro users only)

If you upgrade to Pro, Polar.sh issues a license key. When you enter the key in the extension, we send it to our backend, which validates it against Polar.sh's API and caches the result (plan: "pro") in Cloudflare KV for up to 31 days. We do not receive or store payment card details - Polar.sh handles the full payment flow.

Legal basis: Art. 6(1)(b) GDPR - necessary to provide Pro features.
Retention: cached license status is purged 31 days after your subscription ends or when you clear the extension's storage, whichever comes first.

3.4 Drawing content

We do not process or store your drawing content. When you save a drawing, the SVG is uploaded directly from your browser to Notion's file-upload API using your Notion access token. Our servers never see the drawing bytes.

4. Recipients and third-party processors

We use the following service providers. Data transfers to US-based providers are covered by the EU–US Data Privacy Framework (adequacy decision of 10 July 2023) or by Standard Contractual Clauses where applicable.

Cloudflare, Inc. (USA, DPF-certified) - hosts this website, the backend Worker, and the KV store. Privacy policy.
Notion Labs, Inc. (USA, DPF-certified) - you authorize us to access your Notion workspace. Drawings are stored on Notion's own infrastructure. Privacy policy.
Polar Software Inc. (USA) - payment processor and Merchant of Record for Pro subscriptions. Privacy policy.
Google LLC (Chrome Web Store) (USA, DPF-certified) - distributes the extension. We have no direct data exchange with Google beyond what the Chrome Web Store itself collects on install.

5. Your rights

Under the GDPR you have the right to:

request a copy of the personal data we hold about you (Art. 15)
request correction of inaccurate data (Art. 16)
request deletion of your data (Art. 17)
request restriction of processing (Art. 18)
receive your data in a portable format (Art. 20)
object to processing based on legitimate interest (Art. 21)
withdraw consent at any time, where processing is based on consent
lodge a complaint with a data protection supervisory authority

To exercise any of these rights, email [email protected]. You can also trigger deletion yourself by uninstalling the extension and disconnecting the integration from your Notion workspace settings - this erases the OAuth token; the hashed counter entry expires automatically at month-end.

6. Supervisory authority

You have the right to lodge a complaint with the data protection supervisory authority of your country of residence. For users in Germany, this is the data protection authority of the federal state in which the controller is established:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

7. Changes to this policy

We may update this policy to reflect changes in the service or legal requirements. The "Last updated" date above will reflect any revision. Material changes will be announced in-extension or by email to Pro subscribers.