Privacy policy and security statement

Last updated February 22, 2024

Saxea (“Saxea”, “we”, “us”, or “our”) is committed to protecting the security and privacy of your data when you use the Flowie app or website (the “Services”). This Data Security and Privacy Statement (“Statement”) describes the measures we take to safeguard your information and data that you provide or that is generated through your use of the Service, while adhering to a conservative approach to data collection and sharing.

This policy also explains your choices surrounding how we use information about you, which include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this policy, do not access or use our Services or interact with any other aspect of our business.

Data collection

1.1 We collect product usage information necessary to provide you with the Services. This may include anonymized usage information, such as your activities within the Services, IP address, and device information, but will not include any personally identifiable information, such as your name, email address, or other contact information.

1.2 We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

1.2 We collect information about you when you input it into the Services or otherwise provide it directly to us.

1.3 Information you provide through our support channels: The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.

1.4 Information we collect automatically when you use the Services: We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.

1.5 Payment Information: We collect payment and billing information when you register for certain paid Services. For example, we ask you to designate a billing representative, including name and contact information, upon registration. You might also provide payment information, such as payment card details, which we collect via secure payment processing services.

1.6 Cookies and Other Tracking Technologies: Saxea and our third-party partners, such as our advertising and analytics partners, use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information, please see our Cookie policy, which includes information on how to control or opt out of these cookies and tracking technologies.

1.7 Legal bases for processing (for EEA users) - If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:

  • We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;

  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;

  • You give us consent to do so for a specific purpose; or

  • We need to process your data to comply with a legal obligation.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.

Use of information

2.1 We do not process, store or analyze any source code or content in the repositories. Flowie only processes commit info, file names.

2.2 We use the product usage information we collect solely to provide, maintain, and improve the Services; to monitor and analyze usage and trends; and to enhance the security and integrity of the Services.

2.3 We do not sell any type of data - personal or otherwise - to any third parties.

Non-sharing of information

3.1 In the event we are legally compelled to share your information, we will use commercially reasonable efforts to notify you, unless such notification is prohibited by law or court order.

Data security

4.1 We maintain reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, use, alteration, or disclosure. These safeguards may include, but are not limited to, encryption, access controls, and secure storage.

4.2 We apply security best practices, including external scans (Atlassian Ecoscanner), dynamic application security testing (DAST), penetration testing, and vulnerability scanning. Our CAIQ page provides more detail about security controls.

4.3 We host our services in Amazon Web Services, the same provider used by Bitbucket Cloud. All data is processed security by Flowie within the AWS network.

4.4 Flowie is an Atlassian Connect App that runs on the client (browser), and has a server component that runs on AWS using the Lambda service. From the AWS and Atlassian shared security models perspective, this component is Flowie’s responsibility — as in is operated and managed by the Flowie team.

4.5 The access granted to Flowie is based on the Connect security/authentication model. The access required is described on the application descriptor and in full access to our Bitbucket instance, including pull requests information and source code. Flowie only uses the commit log, branches, pull request info and etc.; it doesn’t use or process any source code as stated in the use of information section.

4.6 All data produced and handled by Flowie is stored on Atlassian cloud using the properties API. The only exception to this is usage and error data.

4.7 Both client and server collect usage and error data.

4.8 All data flow is encrypted using TLS.

4.9 Flowie uses Bitbucket webhooks, where Bitbucket servers send payloads to the Flowie service (AWS Lambda). Flowie then can react to these events and access Bitbucket customer info using the Bitbucket REST APIs using a JWT token. It processes the data and saves it back into Bitbucket using custom properties.

4.10 Flowie service can also be triggered via user interactions, directly from the browser.


Data retention

5.1 We will retain your product usage information for as long as necessary to fulfill the purposes for which it was collected, comply with applicable laws and regulations, resolve disputes, and enforce our agreements.

International data transfers

6.1 Your product usage information may be stored and processed in countries other than your country of residence, which may have different data protection laws. By using the Service, you consent to the transfer of your information to these countries.

Changes to this statement

7.1 We may update this Statement from time to time to reflect changes in our practices, applicable laws, or other factors. We will notify you of any material changes by posting the updated Statement on the Service or through other means of communication. Your continued use of the Service after the effective date of the updated Statement constitutes your acceptance of the changes.

Contact us

8.1 If you have any questions or concerns about this Statement or our data practices, please contact us.