Data, Retention & Training Policy

Last updated 2026-06-25 · Companion to the Privacy Policy

This policy explains, in one place, what happens to your prompts and outputs: whether they're used for training, how long anything is kept, and who processes them. It is deliberately specific because "we respect your privacy" means nothing without details.

1. We don't train on your data

Flow AI never uses your prompts or outputs to train any model — ours or anyone else's — and we never sell your data. Our routing is content-free: the model is chosen from tool-use and task-completion signals, not from reading your prompt content.

2. What we can and can't control about Upstream Providers

To perform inference, your request is forwarded to the selected Upstream Provider (see the sub-processor list). That provider receives your prompt under its own terms and privacy policy, which we do not control. We route to providers' standard paid API tiers and do not knowingly route to a tier that trains on inputs by default; however, you should review the policy of any provider you pin. If you require that specific content never reach a particular provider or region, pin an allowed provider or enable "trusted sellers only".

3. What is sent where

4. Retention

We keep operational logs (billing records, abuse-prevention signals, routing metadata) for 30 days unless we are legally required to keep them longer or need them to resolve a dispute or security incident. Prompt and output content is processed transiently to fulfill your request and is not retained beyond this operational window. Account, billing, and ledger records are kept for as long as your account is active and as required by law (e.g. tax/accounting).

5. First-party-only / sensitive mode

You can force all traffic to first-party Upstream Providers and your own connected keys by enabling "trusted sellers only," and our system automatically keeps secret- or PII-flagged prompts off operator machines. Every response reports who served it (served_by) and whether it was flagged (sensitive_flagged).

6. Your controls

Delete API keys, set spend budgets, pin providers, and request account deletion at any time. For data-subject requests (access, deletion, portability), email privacy@flowaiapi.com.

← Privacy Policy · Sub-processors →