Last updated 2026-06-25 · Companion to the Privacy Policy
This policy explains, in one place, what happens to your prompts and outputs: whether they're used for training, how long anything is kept, and who processes them. It is deliberately specific because "we respect your privacy" means nothing without details.
Flow AI never uses your prompts or outputs to train any model — ours or anyone else's — and we never sell your data. Our routing is content-free: the model is chosen from tool-use and task-completion signals, not from reading your prompt content.
To perform inference, your request is forwarded to the selected Upstream Provider (see the sub-processor list). That provider receives your prompt under its own terms and privacy policy, which we do not control. We route to providers' standard paid API tiers and do not knowingly route to a tier that trains on inputs by default; however, you should review the policy of any provider you pin. If you require that specific content never reach a particular provider or region, pin an allowed provider or enable "trusted sellers only".
We keep operational logs (billing records, abuse-prevention signals, routing metadata) for 30 days unless we are legally required to keep them longer or need them to resolve a dispute or security incident. Prompt and output content is processed transiently to fulfill your request and is not retained beyond this operational window. Account, billing, and ledger records are kept for as long as your account is active and as required by law (e.g. tax/accounting).
You can force all traffic to first-party Upstream Providers and your own connected keys by enabling "trusted sellers only," and our system automatically keeps secret- or PII-flagged prompts off operator machines. Every response reports who served it (served_by) and whether it was flagged (sensitive_flagged).
Delete API keys, set spend budgets, pin providers, and request account deletion at any time. For data-subject requests (access, deletion, portability), email privacy@flowaiapi.com.