Privacy Notice
Last updated: May 15, 2026
1. Who we are
Urban Flow AI ("we", "us", "our") is the data controller for personal data processed through the Urban Flow AI service (the "Service").
2. Personal data we collect and why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | Name, email, password hash, language | Create and manage your account, authenticate you | Contract performance |
| Profile and content | Studies, listings, prompts, photos you upload | Provide the Service | Contract performance |
| Usage and telemetry | Pages viewed, feature interactions, device, IP, log data | Security, fraud prevention, product improvement | Legitimate interests |
| Support communications | Messages you send to support | Respond to your requests | Legitimate interests |
| Marketing | Email address, preferences | Send product updates and offers (only if you opt in) | Consent |
3. Who we share data with
- Paddle.com — our Merchant of Record, who processes payments, manages subscriptions, calculates and remits taxes and issues invoices on our behalf. Paddle is a separate data controller for the payment data it collects during checkout.
- Service providers / subprocessors — hosting (Cloudflare, Supabase), AI model providers (Anthropic, Google), mapping providers (Mapbox, Google Places), email and analytics tooling. They process data on our instructions under written agreements.
- Professional advisers — lawyers, accountants and auditors when needed.
- Authorities — when required by law or to protect our rights.
4. International transfers
Some of our processors are based outside the EEA/UK. Where this is the case, transfers are protected by Standard Contractual Clauses or another lawful safeguard.
5. Retention
We keep account data for as long as your account is active and for a reasonable period afterwards to comply with legal, accounting and dispute-resolution obligations. Logs and telemetry are retained for up to 24 months. After these periods, data is deleted or anonymised.
6. Your rights
Depending on your jurisdiction you may have the right to access, rectify, erase, restrict processing of, port or object to the processing of your personal data, and to withdraw consent at any time. To exercise these rights contact us via the contact page. EEA/UK users may also lodge a complaint with their local supervisory authority. We aim to respond within one month.
7. Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, audit logs and least-privilege practices.
8. Cookies
We use essential cookies to keep you signed in and remember your preferences. We may use limited analytics cookies to understand aggregated usage. You can manage cookies through your browser settings.
9. Changes
We may update this Notice; material changes will be notified via the Service or by email.
10. Contact
For privacy questions or requests, contact us via the contact page.