Terms of Service

Effective Date: December 12, 2025
Last Updated: April 15, 2026

1. Acceptance of Terms

By creating a Flowsta identity, you agree to these Terms of Service and our Privacy Policy.

Requirements:

  • You must be 13+ years old (16+ in the European Union)
  • You are responsible for your account security
  • You understand the technical limitations of our zero-knowledge architecture
  • You agree to use Flowsta lawfully and in accordance with these Terms

2. Account & Security

Your Responsibilities

  • Keep your password secure - We cannot reset it due to our zero-knowledge architecture
  • Protect your recovery phrase - This is the only way to recover your account if you forget your password
  • Maintain access to your registered email - We use this for important account notifications
  • Notify us immediately of any unauthorized access to your account

Critical Zero-Knowledge Limitations

Due to our privacy-first architecture:

  • ❌ We cannot reset your password
  • ❌ We cannot recover your account without your recovery phrase
  • ❌ We cannot access your encrypted data
  • ⚠️ If you lose your recovery phrase, your account is permanently unrecoverable

3. Flowsta Vault Desktop App (Optional)

Flowsta Vault is an optional desktop application that runs a local Holochain conductor on your device.

Your Responsibilities

  • Secure your device — Your local signing keys are stored on your machine, encrypted with your password
  • Back up your data — Local Vault data is your responsibility; we have no access to it
  • Approve links carefully — Identity attestations created through Vault are permanent and cannot be revoked

Agent Linking

You can link your Vault identity with your web account or with third-party apps:

  • You see a clear approval dialog before any link is created
  • If you approve, a cryptographic attestation (IsSamePersonEntry) is committed to the public Holochain identity DHT
  • This attestation is immutable — it cannot be deleted or revoked after creation
  • The attestation contains only your public keys and signatures — no personal data
  • Your private keys never leave your device

Holochain Signing Service

Some apps may request permission to sign Holochain actions on your behalf:

  • Apps request signing permission through OAuth
  • You see a consent screen explaining what the app wants
  • If you approve, the app can sign actions using your Holochain agent key
  • Your private keys remain on Flowsta's conductor — only the signature is provided to the app
  • You can revoke signing permissions at any time
  • All signing activity is logged in your private Holochain data

3B. Sign It — File Signing (Optional)

Sign It lets you cryptographically sign files with your Flowsta identity.

How It Works

  • You compute a SHA-256 hash of your file (happens in your browser — the file is never uploaded)
  • You optionally attach metadata: intent, AI-generation disclosure, content rights, contact preference, thumbnail
  • A signature record is committed to a public Holochain signing DHT
  • Anyone with the same file hash can verify that you signed it and see your declared metadata

What You Agree To

  • Declared content rights (license, AI-training policy, commercial-licensing stance, contact preference) are your own public statement. You are responsible for only declaring rights you actually hold.
  • You will not sign content that is illegal in your jurisdiction or makes false claims of authorship.
  • Signature records are immutable. Revocation is supported but leaves the original record visible alongside a signed revocation entry.

Flowsta's Role

  • We do not police or enforce declared content rights. They are a cryptographically-signed public statement that you and others can use as evidence.
  • We provide a blind contact relay so verifiers can message you without learning your email address — we forward messages; you decide whether to reply.

Quotas and Overage

Sign It has monthly signature quotas. Current limits and overage pricing are shown on the Premium page. Verification is always free and unlimited.

3A. Two-Factor Authentication (Optional)

You can enable two-factor authentication (2FA) for additional login security.

How It Works

  • 2FA adds a time-based one-time password (TOTP) step after your password
  • Your TOTP secret and backup codes are stored encrypted in your private Holochain data (zero-knowledge)
  • We cannot recover your 2FA secret if you lose access to your authenticator app

Your Responsibilities

  • Save your backup codes — 8 backup codes are provided during setup; store them securely offline
  • Keep your authenticator app accessible — If you lose both your authenticator and all backup codes, you may be permanently locked out of your account
  • We cannot disable 2FA on your behalf due to our zero-knowledge architecture

4. Acceptable Use Policy

You May NOT Use Flowsta For:

1. Activities Creating Direct Legal Liability:

  • Child sexual abuse material (CSAM)
  • Credible threats of violence against specific individuals or groups

2. Infrastructure Abuse:

  • Automated attacks (DoS, spam)
  • API abuse beyond rate limits
  • Security compromise attempts

3. System Integrity Violations:

  • Large-scale identity theft
  • Systematic bot account creation
  • DHT manipulation attempts

What We Don't Enforce

  • We don't police speech or opinions
  • We don't moderate content on partner sites
  • Partner sites make their own moderation decisions
  • We provide identity infrastructure, not a content platform

5. Partner Site Independence

Each website using Flowsta sets its own policies:

  • ✅ Sites can ban users from their specific platform
  • ❌ Sites cannot delete your Flowsta identity
  • ✅ Your identity works across all sites unless specifically banned
  • ℹ️ Bans are site-specific, not system-wide

6. Enforcement & Suspension

If We Ban You

We will:

  • ✅ Delete your email from our database
  • ✅ Revoke all JWT tokens
  • ✅ Block API access

We cannot:

  • ❌ Delete your DID from Holochain DHT (immutable by design)
  • ❌ Access your encrypted private data
  • ❌ Stop you from using your keys
  • ❌ Block P2P DHT sync

Your Options After Ban

  • Your keys remain yours (via recovery phrase)
  • Your DID remains on DHT (censorship resistant)
  • You can self-host an Auth API if technically capable

7. Technical Limitations

You Acknowledge:

  1. Immutable DHT - Your DID cannot be deleted, by design for censorship resistance
  2. Immutable Agent Links - Identity attestations created via Vault cannot be deleted or revoked
  3. Zero-Knowledge - We cannot access your encrypted data, reset your password, or recover your 2FA secrets
  4. Recovery Phrase - The only way to recover your account - store it safely offline
  5. Vault Local Data - Data stored by the Vault desktop app is on your device and your responsibility

8. Cryptographic Autonomy License Compliance

Flowsta uses Holochain, which is licensed under the Cryptographic Autonomy License (CAL). This license ensures you maintain full control over your identity and data.

Your Data Rights Under CAL

  • Full Data Export: Export all your data at any time via Dashboard → Your Data
  • Recovery Phrase Access: Export your recovery phrase to set up your identity on any compatible Holochain conductor
  • No Data Withholding: We cannot and will not withhold your User Data (CAL Section 4.2.1)
  • No Technical Restrictions: We do not use technical measures to limit your access to your own data (CAL Section 4.2.2)
  • No Legal Restrictions: We do not contractually restrict your ability to use your data independently (CAL Section 4.2.3)
  • True Portability: Your identity can exist independently of Flowsta's services

What This Means

Your Flowsta identity is truly yours. Even if Flowsta ceased operations, you could use your recovery phrase to restore your identity on any compatible Holochain infrastructure. The export feature provides:

  • Your 24-word recovery phrase (BIP39 mnemonic)
  • Your DID and agent public key
  • Your email address (decrypted client-side)
  • Your activity history and connected sites
  • Your privacy settings

Zero-Knowledge Export

All decryption happens in your browser. We never see your decrypted data during export. Password verification is required to ensure only you can access your sensitive data.

9. Service Availability

  • We strive for 99.9% uptime
  • Service provided "as is" without warranty
  • Your identity survives on the DHT even if we shut down

10. Fees & Premium Features

Current pricing and included quotas are always listed on the Premium page. The tiers below summarise the general structure.

10.1 Free

  • Account creation and login
  • 8+ character usernames
  • 1 Sign It signature per month
  • Unlimited Sign It verification
  • Use across all partner sites

10.2 Premium

  • Monthly or annual billing
  • 100 Sign It signatures per month
  • 6–7 character usernames included
  • Access to purchase shorter username add-ons (1–4 characters)
  • Priority support
  • Auto-renews unless cancelled; cancellation takes effect at the end of the billing period (no prorated refunds)

10.3 Premium Plus

  • Monthly or annual billing
  • 1,000 Sign It signatures per month
  • 5-character username included
  • Access to purchase shorter username add-ons (1–4 characters)
  • Priority support

10.4 Short-Username Add-Ons (Annual Only)

Shorter usernames require an active Premium or Premium Plus subscription plus an annual add-on fee. Current pricing is on the Premium page.

Terms:

  • Requires active Premium or Premium Plus — the add-on is cancelled if your base subscription ends
  • One username per account at a time
  • First-come-first-serve — availability is not guaranteed
  • No refunds when changing username tier mid-term
  • Username released when the add-on ends — it becomes available to others
  • 14-day grace period — if your subscription lapses, your short username is held for 14 days before being released

10.5 Username Changes

  • You may change your username at any time (subject to availability and tier restrictions)
  • Changing between add-on tiers requires a new purchase
  • When Premium or Premium Plus ends, your short username is released and you must set a new 8+ character username (if desired)

10.6 Reserved Usernames

Some usernames may be reserved (brand names, offensive terms, etc.) and unavailable for purchase. Reserved usernames may be assigned to verified owners upon request.

11. Termination

You Can:

  • Delete your account via settings
  • Request data deletion (GDPR)

We Can:

  • Terminate for Terms violations
  • Terminate with 30 days notice

Effect:

  • API access revoked
  • Email deleted from database
  • DID remains on DHT (immutable)
  • Your keys remain yours

12. Governing Law & Contact

Jurisdiction: Victoria, Australia

Contact:

Changes to These Terms

We may update these Terms from time to time. We will notify you of material changes via:

  • Email notification (30 days advance notice)
  • Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Terms.