Legal
Privacy Policy
Effective date: May 16, 2026
1. Who We Are
FlowScore (klaviyoscore.com) is operated by Signify Studio LLC, a Florida limited liability company. This policy explains what data we collect, how we use it, your rights, and how to contact us. Questions? Email us at hello@signifystudio.com.
2. What We Collect
We collect only what we need to provide the audit service:
- Account information — your name and email address, provided when you create an account via Clerk authentication. Clerk handles password storage; we never see your password.
- Klaviyo metadata — flow names, send counts, open rates, click rates, campaign dates, and list size. We connect via read-only OAuth. We never store your actual email content or individual subscriber data.
- Audit results — the scores, grades, and recommendations generated from your Klaviyo data, stored in Supabase so you can view your history and track changes over time.
- Billing information — handled entirely by Stripe. We receive a customer ID and subscription status but never your full card number, CVV, or bank account details.
- Usage data — standard server logs (IP address, browser type, pages visited). These are retained for up to 90 days for debugging and security purposes.
3. How We Use Your Data
We use your data to:
- Run Klaviyo audits and generate your score report
- Store and display your audit history
- Send transactional emails (audit complete, score change alerts) via Resend
- Process payments and manage your subscription via Stripe
- Respond to support requests
- Generate anonymized aggregate benchmarks — no individual accounts are identifiable in benchmarks
- Improve the accuracy of our scoring models
We do not sell your data, share it with advertisers, use it to train third-party AI models, or use it for any purpose other than those listed above.
4. Third-Party Services
FlowScore uses the following services to operate:
- Clerk — authentication and user session management
- Supabase — database and storage, hosted on AWS (us-east-1)
- Stripe — payment processing and subscription management
- Klaviyo — read-only OAuth connection to your account; we use their official API
- Resend — transactional email delivery
- Vercel — application hosting and CDN
- Anthropic — AI-powered suggestions (if enabled); prompts include only anonymized flow metadata, never subscriber data
Each service operates under its own privacy policy and security certifications.
5. Klaviyo OAuth Access
When you connect your Klaviyo account, we request read-only OAuth access. We use this access solely to retrieve the flow and campaign metrics needed to generate your audit. We do not read, access, or store subscriber email addresses, email content, or any personally identifiable information about your customers. Your Klaviyo OAuth token is encrypted at rest using AES-256-GCM before being stored.
You can revoke our access at any time from your Klaviyo account under Account → Integrations → OAuth Apps, or by visiting your FlowScore dashboard settings.
6. Data Retention
We retain your audit history for the lifetime of your account. If you delete your account, we delete your personal data and audit records within 30 days. Billing records are retained for 7 years as required by tax law. Anonymized, aggregated benchmark data may be retained indefinitely as it contains no personal information.
7. Your Rights
You may request access to, correction of, or deletion of your personal data at any time. Email hello@signifystudio.com and we will respond within 30 days. You may also:
- Disconnect your Klaviyo account from your dashboard settings at any time
- Export your audit history (contact us to request a data export)
- Delete your FlowScore account from dashboard settings
- Opt out of non-transactional emails using the unsubscribe link in any email we send
If you are located in the EU or UK, you have additional rights under GDPR/UK GDPR, including the right to object to processing and the right to data portability.
8. Cookies
We use only functional cookies necessary to operate the service:
- Session cookies — managed by Clerk to keep you signed in
- OAuth state cookies — short-lived cookies used during the Klaviyo OAuth flow to prevent CSRF attacks; deleted after authentication completes
We do not use advertising cookies, tracking pixels, or any third-party analytics cookies.
9. Security
All data in transit is encrypted via TLS 1.2+. Klaviyo OAuth tokens are encrypted at rest using AES-256-GCM. Our database (Supabase) uses row-level security policies to ensure users can only access their own data. We conduct periodic reviews of our security practices and access controls.
If you discover a security vulnerability, please contact us at hello@signifystudio.com and we will respond promptly.
10. Children's Privacy
FlowScore is a business tool and is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify active subscribers by email at least 14 days in advance. The effective date at the top of this page always reflects when the policy was last updated. Continued use of FlowScore after the effective date constitutes acceptance.