PRIVACY POLICY

Last updated: June 18, 2026

1. Introduction

This Privacy Policy governs the collection, use, disclosure, and protection of personal information and non-personal data collected by Flowell ("Flowell," "we," "us," or "our") through our website located at iamflowell.com (the "Site") and the services offered thereon (collectively, the "Services"). Flowell is operated by an independent producer based in the State of Maryland, United States.

By accessing, browsing, or using the Site or Services, you expressly consent to the data practices described in this Privacy Policy. If you do not agree with this Policy, you must not access or use the Site or Services.

This Policy is designed to comply with all applicable United States federal and state privacy laws, including but not limited to the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), the Children's Online Privacy Protection Act ("COPPA"), and all state-level consumer privacy statutes. It is also structured to align with the European Union General Data Protection Regulation ("GDPR") (Regulation 2016/679) and the United Kingdom Data Protection Act 2018 for international visitors.

2. Information We Collect

2.1 Information You Provide Directly

  • Contact Information: Name, email address, and any message content you submit through our contact forms or direct email to flowellbeats@gmail.com.
  • Purchase Information: When you purchase beats, packs, or services, your transaction is processed by Stripe, Inc. We receive transaction confirmations from Stripe that may include your name, email, billing address, and transaction amount. We do not collect, store, or process credit card numbers, CVV codes, or full payment card data — all such data is handled exclusively by Stripe in accordance with PCI-DSS Level 1 compliance.
  • Account Information: If you create an account for the Flowell Club or community features, we collect your chosen username, email address, and password (stored as a cryptographic hash, never in plaintext).

2.2 Information Collected Automatically

  • Device and Usage Data: IP address, browser type and version, operating system, device type, referring URL, pages visited, time spent on pages, click paths, and timestamps.
  • Cookies and Local Storage: Session cookies for site functionality, analytics cookies to understand usage patterns, and preference cookies to remember your settings.
  • Audio Playback Data: When you preview beats, we log which beats were played, duration of playback, and whether playback completed, solely for analytics and improving our catalog presentation.

2.3 Information From Third Parties

We may receive aggregated, non-identifying analytics data from third-party services including Stripe (payment processor), Google Analytics or equivalent analytics platforms, and social media platforms whose widgets or embeds appear on the Site.

3. How We Use Your Information

  • Service Delivery: To process and fulfill your orders, deliver digital products, and provide customer support.
  • Communication: To respond to your inquiries, send transactional emails (receipts, license confirmations), and provide critical service notifications.
  • Legal Compliance: To comply with applicable laws, regulations, legal process, or government requests; to enforce our Terms of Service, Privacy Policy, and licensing agreements; and to protect the rights, property, safety, and security of Flowell, our users, or third parties.
  • Security and Fraud Prevention: To monitor for and prevent fraudulent transactions, unauthorized access, abuse, and other malicious activity.
  • Analytics and Improvement: To analyze usage trends, measure the effectiveness of our content, and improve the Site, Services, and product offerings.
  • Marketing (Opt-In Only): With your express opt-in consent, to send you promotional emails about new beats, packs, or services. You may unsubscribe at any time using the link in any marketing email or by contacting flowellbeats@gmail.com.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area, the United Kingdom, and Switzerland, we process personal data under the following lawful bases:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to fulfill purchase orders, deliver licensed products, and provide the Services you requested.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with legal obligations such as tax record retention and law enforcement responses.
  • Legitimate Interests (Art. 6(1)(f)): Processing for fraud prevention, site security, analytics, and enforcing our intellectual property rights, balanced against your privacy rights.
  • Consent (Art. 6(1)(a)): Processing for marketing communications and non-essential cookies, based on your explicit, withdrawable consent.

5. Cookie Policy

We use the following categories of cookies:

  • Essential Cookies: Required for the Site to function (session management, shopping cart, security). These cannot be disabled.
  • Analytics Cookies: Used to understand how visitors interact with the Site. May be disabled without affecting functionality.
  • Preference Cookies: Remember your settings such as volume preferences or display preferences.
  • Marketing Cookies: Used only with your consent to deliver relevant content across platforms.

Most browsers allow you to refuse or accept cookies. Disabling essential cookies may impair Site functionality. You can manage cookies through your browser settings or by contacting us.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share data only under the following circumstances:

  • Payment Processors: Transaction data is shared with Stripe, Inc. for payment processing. Stripe's handling of your data is governed by Stripe's Privacy Policy and PCI-DSS compliance.
  • Service Providers: We may engage third-party vendors (hosting, analytics, email delivery) who have access to limited personal data solely to perform services on our behalf. All such vendors are bound by contractual obligations of confidentiality and data protection.
  • Legal Compliance: We may disclose information when required by law, subpoena, court order, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, enforce our Terms, investigate fraud, or protect safety.
  • Business Transfer: In the event of a merger, acquisition, asset sale, or similar transaction, information may be transferred. We will notify you via email or prominent notice on the Site before such transfer occurs.

7. Data Retention

We retain personal data only as long as necessary to fulfill the purposes described in this Policy or as required by applicable law:

  • Transaction Records: Retained for a minimum of seven (7) years to comply with tax and financial record-keeping requirements under U.S. federal law and Maryland state law.
  • License Records: Retained indefinitely to evidence and enforce music licensing agreements and intellectual property rights.
  • Contact Form Submissions: Retained for up to three (3) years for customer support and legal reference.
  • Account Data: Retained for the life of your account plus seven (7) years for legal compliance. You may request deletion at any time.
  • Analytics Data: Aggregated and anonymized within ninety (90) days of collection.

8. Your Privacy Rights

8.1 California Consumer Rights (CCPA/CPRA)

California residents have the right to:

  • Know what personal information is collected about them (Right to Know)
  • Know whether their personal information is sold or shared (Right to Know)
  • Opt out of the sale or sharing of personal information (Right to Opt-Out)
  • Request deletion of their personal information (Right to Delete)
  • Correct inaccurate personal information (Right to Correct)
  • Not receive discriminatory treatment for exercising privacy rights

To exercise these rights, submit a request to flowellbeats@gmail.com. We will verify your identity before processing. We will respond within forty-five (45) days, extendable by an additional forty-five (45) days with notice.

We do not sell personal information. "Sale" as defined by CCPA includes any exchange for monetary or other valuable consideration. We do not engage in this practice.

8.2 Other U.S. State Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have substantially similar rights, including access, deletion, correction, and opt-out of targeted advertising and profiling. Submit requests to flowellbeats@gmail.com.

8.3 GDPR/UK Data Protection Rights

EEA, UK, and Swiss residents have the right to:

  • Access their personal data (Right of Access)
  • Rectify inaccurate data (Right to Rectification)
  • Request erasure of their data (Right to Erasure / "Right to Be Forgotten")
  • Restrict processing (Right to Restriction)
  • Receive a portable copy of their data (Right to Data Portability)
  • Object to processing (Right to Object)
  • Withdraw consent at any time (Right to Withdraw Consent)
  • Lodge a complaint with their supervisory authority

Submit requests to flowellbeats@gmail.com. We will respond within thirty (30) days, extendable by sixty (60) additional days for complex requests with notice.

9. Children's Privacy (COPPA)

The Site and Services are not directed to, and we do not knowingly collect personal information from, children under thirteen (13) years of age. If you believe we have collected information from a child under 13, contact us immediately at flowellbeats@gmail.com and we will delete such information expeditiously. Parents or guardians may also contact us to review, request deletion of, or refuse further collection of their child's information.

10. Data Security

We implement industry-standard technical, administrative, and physical security measures designed to protect personal data from unauthorized access, use, alteration, disclosure, or destruction, including:

  • TLS/SSL encryption for all data in transit
  • Secure hosting on Vercel's platform with SOC 2 Type II and ISO 27001 compliance
  • Payment data handled exclusively by Stripe (PCI-DSS Level 1 compliant)
  • Regular security reviews and access controls limiting data access to authorized personnel only
  • Password hashing using industry-standard cryptographic algorithms

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. International Data Transfers

Flowell is based in the United States. If you access the Site from outside the United States, your personal data will be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards including the EU-U.S. Data Privacy Framework, the UK Extension to the Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, or Standard Contractual Clauses (SCCs) where applicable. By using the Site, you consent to the transfer of your data to the United States.

12. Third-Party Links and Services

The Site contains links to third-party websites and embeds third-party services (Stripe, YouTube, Spotify, Instagram, TikTok, Traktrain, BeatStars). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites or services you interact with.

13. Do Not Track Signals

We currently do not respond to "Do Not Track" (DNT) browser signals as no uniform industry standard for DNT has been established. We will update this Policy if and when such a standard is adopted.

14. Intellectual Property Notice

Flowell is a registered trademark (USPTO Serial No. 97/492,523). All content on the Site, including but not limited to beats, compositions, sound recordings, pack contents, cover art, logos, text, and code, is the exclusive intellectual property of Flowell and is protected under United States and international copyright, trademark, and intellectual property laws. Unauthorized use, reproduction, distribution, or exploitation of any content without a valid license is strictly prohibited and may result in civil and criminal liability. See our Terms of Service for licensing terms.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting a prominent notice on the Site and, where appropriate, via email. The "Last updated" date at the top of this Policy indicates the effective date. Continued use of the Site after changes constitutes acceptance of the revised Policy.

16. Contact Information

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, contact:

Flowell

Email: flowellbeats@gmail.com

Location: State of Maryland, United States

For GDPR matters, our representative for EEA/UK/Swiss residents can be reached at the same email. For legal inquiries regarding intellectual property enforcement, please direct correspondence to the email above with "Legal — IP Enforcement" in the subject line.