CNC Flow
Privacy Policy
Last updated: March 17, 2026
This Privacy Policy describes how Håkon Torve, doing business as CNC Flow
("we", "us", or "our"), collects, uses, and protects your personal information
when you use the CNC Flow application and related services (the "Service").
By using the Service, you acknowledge that we process personal information
as described in this Privacy Policy.
1. What Information Do We Collect?
Information you provide directly
When you create an account or use the Service, we collect:
- Account information: name, email address, and company name. Your password is handled by our authentication provider (Supabase Auth) and is hashed using bcrypt before storage — we never store or have access to your plaintext password.
- Production data: jobs, parts, machines, operators, work logs, schedules, and other manufacturing data you enter into the Service.
- Enterprise inquiry data: if you submit an Enterprise contact form, we collect company name, contact name, email, phone number, machine count, and any additional notes you provide.
- Feedback: any messages or feedback you submit through the in-app feedback feature.
Information collected by our service providers
We do not operate our own server infrastructure. The Service is built on
third-party cloud platforms (see Section 5) that may
automatically collect technical data as part of normal operations, such as:
- Request metadata: IP addresses, request timestamps, and HTTP headers (including user-agent strings) are logged by Supabase as part of their platform infrastructure.
We do not use any analytics, tracking, or crash-reporting libraries in the
application. We do not collect usage patterns, feature usage statistics, or
device information beyond what our service providers log as described above.
Sensitive data: We do not knowingly collect any sensitive personal
information such as racial or ethnic origin, political opinions, religious beliefs,
health data, biometric data, or sexual orientation.
2. How Do We Use Your Information?
We use the information we collect to:
- Provide the Service: create and manage your account, store and process your production data, generate schedules, and deliver the core functionality of CNC Flow.
- Process payments: manage subscriptions and billing through Stripe (see Section 5).
- Respond to inquiries: follow up on Enterprise contact requests, feedback, and support questions.
- Ensure security: enforce Row Level Security policies to keep each organization's data isolated, and manage authentication.
- Comply with legal obligations: fulfill our legal and regulatory requirements.
We do not sell your personal information to third parties.
We do not use your data for advertising or profiling.
We do not use analytics or tracking tools in the application.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or Norway, we process your data based on:
| Legal Basis | Purpose |
| --- | --- |
| Contract performance | Providing the Service, managing your account, storing your production data, processing payments |
| Legitimate interest | Ensuring security and data isolation, responding to Enterprise inquiries |
| Legal obligation | Compliance with tax, accounting, and regulatory requirements |
| Consent | Enterprise contact form submissions (you actively submit your details) |
4. When and With Whom Do We Share Your Information?
We may share your information only in the following situations:
- Service providers: trusted third-party platforms that we use to operate the Service (see Section 5).
- Within your organization: other users in the same CNC Flow workspace can see shared production data (jobs, machines, schedules, work logs, etc.). Each organization's data is isolated from other organizations via Row Level Security.
- Legal requirements: if required by law, regulation, legal process, or governmental request.
- Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred. You would be notified of any such change.
5. Third-Party Services
The Service relies on the following third-party providers:
| Service | Purpose | Data Involved | Privacy Policy |
| --- | --- | --- | --- |
| Supabase | Authentication, database, real-time sync, serverless functions | Account info (email, hashed password), production data, request metadata (IP, headers) | supabase.com/privacy |
| Stripe | Subscription billing and payment processing | Email, payment card details (handled entirely by Stripe — we only store a Stripe customer ID and subscription ID) | stripe.com/privacy |
| Resend | Email delivery for internal Enterprise lead notifications only | Enterprise lead details (name, email) are sent to the service owner — Resend does not receive regular user data | resend.com/legal/privacy-policy |
Each third-party service operates under its own privacy policy. We encourage you to
review them. Payment card numbers and bank details are processed and stored exclusively
by Stripe and never touch our systems.
6. Cookies and Tracking
The CNC Flow mobile application does not use cookies. Authentication
tokens are stored locally on your device.
When you interact with web-based pages related to the Service (such as the Stripe
checkout page or the post-checkout confirmation page), Stripe may set cookies
necessary for payment processing. These are governed by
Stripe's cookie policy.
We do not use any analytics cookies, advertising cookies, or cross-site tracking
mechanisms.
7. How Long Do We Keep Your Data?
- Account and production data: retained for as long as your account is active. When you delete your account, your profile and associated data are deleted from our database (the profile deletion cascades from the authentication system).
- Billing records: Stripe retains payment and subscription records in accordance with their policies and applicable tax/accounting regulations. We retain a Stripe customer ID and subscription ID on your organization record until account deletion.
- Enterprise inquiries: retained until we have responded and the inquiry is resolved, or up to 24 months, whichever comes first.
- Feedback submissions: retained until you delete your account.
- Infrastructure logs: request logs (IP addresses, timestamps) are managed by Supabase according to their data retention policies. We do not operate independent logging infrastructure.
When data is no longer needed and there is no legal obligation to retain it, it is deleted.
8. How Do We Keep Your Data Safe?
We implement the following security measures:
- Password hashing: passwords are hashed using bcrypt via Supabase Auth. We never store or have access to plaintext passwords.
- Encryption in transit: all communication between the application and our backend is encrypted using HTTPS/TLS.
- Row Level Security (RLS): every data table in our database has Row Level Security enabled, ensuring that users can only access data belonging to their own organization. This is enforced at the database level.
- Authentication tokens: JSON Web Tokens (JWT) are used for session management. Tokens are stored locally on your device and are automatically refreshed.
- Payment security: all payment card data is handled exclusively by Stripe, which is PCI DSS Level 1 certified. Card details never pass through our systems.
- Production console logging disabled: debug logging is disabled in production builds of the application.
No method of transmission over the Internet or electronic storage is 100% secure.
While we strive to protect your data using industry-standard measures, we cannot
guarantee its absolute security.
9. Do We Collect Data From Minors?
The Service is designed for use by manufacturing professionals and is not directed
to individuals under the age of 16. We do not knowingly collect personal information
from children under 16. If we become aware that we have collected data from a child
under 16 without parental consent, we will take steps to delete that information
promptly. If you believe we have collected such data, please contact us.
10. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
For all users
- Access: request a copy of the personal data we hold about you.
- Correction: request that we correct inaccurate or incomplete data.
- Deletion: request that we delete your personal data (see Section 15).
- Data portability: request your data in a structured, machine-readable format.
Additional rights under GDPR (EEA/Norway)
- Right to restriction: request that we restrict the processing of your data under certain circumstances.
- Right to object: object to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority. In Norway, this is Datatilsynet (datatilsynet.no).
Additional rights under CCPA (California residents)
- Right to know: what personal information is collected, used, and shared.
- Right to delete: request deletion of personal information.
- Right to non-discrimination: you will not be discriminated against for exercising your privacy rights.
- No sale of data: we do not sell personal information and have not done so in the preceding 12 months.
To exercise any of these rights, contact us at
support.cncflow@gmail.com.
We will respond without undue delay and in any event within one month, as
required by GDPR. If the request is complex, we may extend this by up to two
additional months, and we will inform you of any such extension.
11. Do-Not-Track Signals
We do not track users across third-party websites or services, and we do not use
advertising or analytics tracking in the application. As such, there is no tracking
behavior to modify in response to Do-Not-Track (DNT) browser signals.
12. International Data Transfers
Your data is processed by our third-party service providers, which may store and
process data in different regions:
- Supabase: your database is hosted in the region you selected when creating your Supabase project. Supabase offers regions in the EU and the US, among others. Refer to Supabase's privacy policy for details on their data processing locations.
- Stripe: processes payment data primarily in the United States. Stripe is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) for data transfers from the EEA. See Stripe's privacy policy.
- Resend: used only for sending internal enterprise lead notifications. See Resend's privacy policy for their data processing locations.
Where personal data is transferred outside the EEA, we ensure that appropriate
safeguards are in place through our service providers, including Standard Contractual
Clauses (SCCs) and adequacy decisions as applicable.
13. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our
practices, our service providers, or legal requirements. When we make changes,
we will update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of the Service
after changes constitutes acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our
data practices, please contact us:
For GDPR-related inquiries or to file a complaint, you may also contact the Norwegian
Data Protection Authority (Datatilsynet) at
datatilsynet.no.
15. How Can You Delete Your Data?
You can delete your account and all associated data directly from the CNC Flow
application:
- Open Settings
- Scroll to the bottom
- Tap "Delete Account"
- Confirm the deletion (requires two confirmations)
This permanently deletes your user account from the authentication system. Your
profile is automatically deleted via cascade, along with associated workspace data.
Some data may be retained as required by law (e.g., Stripe retains billing records
for tax and compliance purposes according to their retention policies).
You can also request data deletion by emailing us at
support.cncflow@gmail.com.