flow — Privacy Policy

Last updated: June 2026

flow is a focus tool: a planner plus a friend-gated website blocker, made of a web app, an optional Chrome extension, and an optional macOS helper. This policy explains exactly what each part handles. In short: flow stores your data in your own Supabase backend, blocks sites locally on your device, and never sells or shares your data with advertisers or other third parties.

What the browser extension handles

  • Your sign-in session. When you open the flow web app while signed in, it passes your authentication tokens to the extension so it can read your block list. These tokens are stored only in the browser (chrome.storage.session) and are sent only to your flow backend.
  • Your block list and active access grants.The extension reads these from your backend to decide which sites to block, and redirects blocked page-loads to a local “ask a friend” page bundled in the extension.
  • Desktop notifications.When a friend in your group requests screen-time access, or when your own request is approved or denied, the extension shows a local desktop notification so you don’t have to keep the app open. These are generated from your group’s own data and sent nowhere else.
  • It does notread the content of the pages you visit, record your browsing history, inject scripts into pages, or send any data to third parties. Blocking is done locally with Chrome’s declarativeNetRequest rules; the extension blocks connections and never closes your tabs.

What the web app handles

  • Account. Your email address, via Supabase Auth (magic link or Google sign-in), to identify your account.
  • Your private data. Planner entries (time blocks, tasks, habits, calendar, notes) and your block list, stored in your Supabase project under your account and readable only by you (enforced by row-level security).
  • Shared accountability data. Access requests, approvals, and grants are visible to the members of your group (your chosen friends), because that is the point of the product. Your planner data is never shared with them.

What the macOS helper handles (only if you install it)

The optional helper enforces blocking system-wide and reports tamper attempts (e.g. disabling enforcement) to your group, so accountability is visible. It runs locally on your Mac and talks only to your flow backend.

Why the extension asks for broad permissions

  • declarativeNetRequest + host access: to block the specific sites on your list and redirect them to the blocked page. The rules are generated only from your own block list.
  • storage: to hold your session and the current block list.
  • alarms: to re-check your grants once a minute so access re-locks when a time window ends.

Data sharing, retention, and control

flow has no advertising and no third-party analytics. Your data lives in your Supabase backend; you can delete your account and its data there at any time. We do not sell your data.

Contact

Questions about this policy: pineapplealien101@gmail.com. (Replace with your preferred contact address.)