PRIVACY POLICY
Last Updated: December 1, 2025
FLOW MOMENTUM LIMITED ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy.
This privacy policy explains how we collect, use, share, and protect your personal information when you visit our websites (including flowstatecyclist.com, news.flowstatecyclist.com, and app.flowstatecyclist.com), use our mobile applications, join our community, or engage with our services.
We operate in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For the purposes of data protection laws, the Data Controller responsible for your personal data is:
FLOW MOMENTUM LIMITED
Company Number: 15513519
Registered Address: Bartle House, 9 Oxford Court, Manchester, England, M2 3WQ
Email: office@flowstatecyclist.com
We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped as follows:
Identity Data: First name, last name, username, or similar identifier.
Contact Data: Billing address, email address, and telephone numbers.
Financial Data: Partial payment card details (e.g., last 4 digits) and payment history. Note: We do not store full credit card details; these are processed directly by our third-party payment processors (e.g., Stripe).
Transaction Data: Details about payments to and from you and other details of products and services you have purchased (such as course enrollments).
Technical Data: Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data: Your username and password, purchases or orders made by you, course progress, community posts, comments, preferences, feedback, and survey responses.
Usage Data: Information about how you use our website, products, and services.
Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.
Integrated Service Data: Information from third-party services you choose to connect to our app (e.g., Google Drive metadata, files you select to process).
In order to provide our individualized training plans, we may collect Health and Fitness Data via your connection with Garmin. This includes:
Training activity details (duration, intensity, type).
Physiological metrics (heart rate, power output, speed).
Derived training indicators calculated from this data.
We only collect this data with your explicit consent when you connect your Garmin account. You may revoke this connection at any time.
We use different methods to collect data from and about you:
Direct Interactions: You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us. This includes personal data you provide when you:
Sign up for our newsletter (via Beehiiv).
Join our community or enroll in a course (via Circle.so).
Purchase a product or service.
Give us feedback or contact us.
Third-Party Integrations & Sign-On: We collect data when you choose to connect third-party services:
Google SSO: When you register or log in using Google, we receive your basic profile information (name, email, profile picture) to authenticate you.
Google Services: If you connect Google Drive, we access the specific files or metadata necessary to perform the requested actions within the app.
Garmin Connect: When you link your Garmin account, we receive your training activities and health metrics to analyze your performance.
Automated Technologies: As you interact with our website, we may automatically collect Technical Data about your equipment and browsing actions using cookies and server logs.
Third Parties: We may receive personal data about you from payment providers (e.g., Stripe) or analytics providers (e.g., Google Analytics).
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Performance of Contract: Where we need to perform the contract we are about to enter into or have entered into with you (e.g., providing access to a course or the web app).
Legitimate Interest: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Legal Obligation: Where we need to comply with a legal or regulatory obligation.
Consent: Generally, we do not rely on consent as a legal basis other than for sending marketing communications or processing Special Category Data (Health Data).
| Purpose/Activity | Type of Data | Lawful Basis for Processing |
| --- | --- | --- |
| To register you as a new user via Email or Google SSO | Identity, Contact, Technical | Performance of a contract with you |
| To analyze your training data and generate personalized plans | Identity, Health & Fitness Data (Special Category), Usage | Explicit Consent (Article 9 UK GDPR) obtained when you connect Garmin. |
| To facilitate Google Drive integration features | Identity, Technical, Integrated Service Data | Performance of a contract with you (providing the requested app functionality) |
| To process and deliver your order | Identity, Contact, Financial, Transaction | Performance of a contract with you |
| To manage our relationship with you | Identity, Contact, Profile, Marketing & Comms | Performance of a contract; Necessary for our legitimate interests |
| To administer and protect our business | Identity, Contact, Technical | Necessary for our legitimate interests (network security, troubleshooting) |
| To deliver relevant content and measure effectiveness | Identity, Contact, Profile, Usage, Marketing | Necessary for our legitimate interests |
We may share your personal data with the parties set out below. We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
External Third Parties (Service Providers):
n8n: We use n8n (cloud version) to automate workflows and process complex data logic. Specifically, n8n processes your Garmin training data to calculate indicators and derive your training plan.
Lovable (Lovable.dev) & Supabase: Hosts our web application and database (subdomain: app.flowstatecyclist.com). Your user profile and app settings are stored here.
Google (Google Workspace / Google Cloud):
Used for authentication (SSO).
Used for integrations you authorize (e.g., accessing specific Drive files).
Used for our internal email and domain hosting.
Garmin (Garmin Ltd.): If you connect your account, data is exchanged between Garmin and our systems via API to sync your activities.
Circle.so: Hosts our community platform and courses.
Beehiiv: Hosts our newsletter services.
Stripe: Processes payments securely.
Many of our external third parties (including Google, Garmin, Circle, Beehiiv, Supabase, and n8n) are based outside the United Kingdom, specifically in the United States. Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Adequacy Decisions: We transfer to countries deemed to provide an adequate level of protection (e.g., "UK Extension to the EU-US Data Privacy Framework").
Standard Contractual Clauses (SCCs) / IDTA: We use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
By connecting services like Garmin or Google, you acknowledge that data processing may occur on servers located in the US.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way.
Specific to Google Data: Data accessed via Google APIs (such as Drive files) is used solely for the functionality visible to you in the app and is not used for developing, improving, or training generalized AI models without your permission.
We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know.
How long will you use my personal data for?
General: We retain your data as long as you have an active account or as needed to provide services.
Training Data (Garmin): We retain your synced training metrics to provide historical analysis. If you disconnect Garmin or delete your account, this data is deleted or anonymized.
Tax & Legal: We keep basic transaction information for six years for tax purposes.
Marketing: We retain marketing contact details until you unsubscribe.
Under UK data protection laws, you have rights including:
Request access to your personal data.
Request correction of your data.
Request erasure of your data.
Object to processing (especially regarding marketing).
Withdraw consent at any time (specifically for the Garmin health data connection or marketing).
If you wish to exercise any of these rights, please contact us at [Insert Support Email].
FLOW MOMENTUM LIMITED
Bartle House, 9 Oxford Court, Manchester, England, M2 3WQ
Email: office@flowstatecyclist.com
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO) (www.ico.org.uk).