Privacy Policy | MockupFlow

This Privacy Policy describes how MockupFlowAI ("we", "us", "our") handles information when you use our desktop application and website.

1. Overview

MockupFlowAI is a local desktop application. It runs entirely on your machine. We are committed to minimal data collection. The core application does not require an internet connection to function, except when communicating with third-party APIs that you configure yourself (e.g., Etsy OAuth, cloud storage).

                Key Principle: Your shop data, designs, product content, and API credentials remain on your local machine at all times. We do not operate cloud servers that process or store your marketplace data.
            

2. Local-First Architecture

All processing happens on your computer:

Mockup rendering is performed locally via Adobe Photoshop's scripting engine.
Database storage uses a local SQLite file on your filesystem.
Etsy API connections are made directly from your machine using your own OAuth credentials.
Voice transcription (Faster-Whisper) runs entirely on your local CPU when using the local engine.
PDF generation and image processing are performed locally.
Third-party service connections are made directly from your machine. We do not proxy these requests.

3. Data We Collect

3.1. License Validation

To validate your software license, we collect:

License key — the key you purchased
Hardware fingerprint — a SHA-256 hash derived from your machine's MAC address, hostname, OS, and CPU identifier. This is used solely to enforce device limits per your license tier.

This data is sent to our licensing server (Supabase) and is the only data that leaves your machine to our servers.

3.2. Payment Information

When you purchase a license, payment is processed by Lemon Squeezy (our merchant of record, powered by Stripe). They collect your name, email, billing address, and payment method. We receive your name, email, and order details (product, amount, date) but never your full credit card number or PayPal credentials. This data is used to provision your license and send purchase receipts.

3.3. Waitlist / Contact Forms

If you submit your email via our website waitlist form, we collect your email address via Web3Forms. This is used solely to notify you about product availability. You can unsubscribe at any time.

4. Data We Do NOT Collect

We do not collect, transmit, or store:

Your designs or generated artwork
Your product listings, titles, or descriptions
Your shop data, sales data, or customer information
Your API keys or marketplace credentials
Your research data or niche analysis results
Usage analytics or telemetry from the desktop application
Browsing history or keystrokes
Voice recordings or audio data

5. Voice & Audio Data

5.1. Microphone Access

The voice input feature requests access to your device's microphone via the web browser. Microphone access is optional and can be denied without affecting other functionality.

5.2. Voice Transcription Processing

When you use voice input, audio is processed according to the engine you select:

Web Speech API (Browser) — Audio is processed by your browser's built-in speech recognition. Data handling is governed by your browser vendor's privacy policy (e.g., Google Chrome, Safari).
Faster-Whisper (Local) — Audio is processed entirely on your device. No audio data leaves your machine. The Whisper model runs on your local CPU.
Cloud Transcription (Optional) — Audio is sent directly from your machine to the transcription provider using your own API key. We do not proxy, intercept, or store this audio. The provider's privacy policy applies.

5.3. Text-to-Speech

The voice reply feature uses gTTS (Google Text-to-Speech), an open-source library. When voice replies are enabled, the text of the assistant's response is sent to Google's TTS service to generate audio. No personal information, API keys, or metadata is transmitted — only the text content. The generated audio file is stored temporarily on your device and deleted after playback.

5.4. Audio Data Retention

Audio recordings and generated speech files are stored as temporary files on your local machine and are deleted immediately after processing or playback. We never retain, transmit, or store audio data on our servers.

6. Third-Party Services

MockupFlowAI integrates with third-party services that have their own privacy policies. When you use these integrations, data flows directly between your machine and the third-party service:

6.1. Payment Processing

All purchases are processed by Lemon Squeezy (powered by Stripe), which acts as our merchant of record. When you purchase a license, Lemon Squeezy collects your payment information (credit card, PayPal), billing address, email, and name. We do not have access to your full payment details. See Lemon Squeezy Privacy Policy and Stripe Privacy Policy.

6.2. Software Integrations

The following services are accessed directly from your machine using your own credentials:

Etsy (Open API v3, OAuth2 PKCE) — Etsy Privacy Policy
Google gTTS (Text-to-Speech) — Google Privacy Policy
Google Trends (Trend analysis) — Google Privacy Policy
RapidAPI (Trademark checking) — RapidAPI Privacy Policy
Supabase (License validation) — Supabase Privacy Policy

6.3. Optional Third-Party Services

When you provide your own API keys for optional features (design tools, SEO writing, voice transcription), the Software connects directly from your machine to those providers. MockupFlow does not proxy, store, or log these requests. You are responsible for reviewing the privacy policies of any third-party services you choose to connect.

7. API Keys & Credentials

All API keys and OAuth tokens are:

Stored locally in your SQLite database
Encrypted at rest using Fernet symmetric encryption (AES-128-CBC)
Never transmitted to MockupFlow servers

You are responsible for the security of your own API keys. We recommend keeping your database backups in a secure location.

8. Etsy Platform Data

When you connect your Etsy shop via OAuth, MockupFlowAI accesses certain Etsy data to provide its services. With respect to this data, MockupFlowAI acts as a service provider (data processor) to you, the Etsy seller (data controller), and processes such data solely to fulfill the services described in our Terms of Service.

8.1. What Etsy Data We Access

Through the Etsy API, MockupFlowAI may access:

Shop information — Shop name, shop ID, and shop status
Listings — Product titles, descriptions, tags, images, prices, and categories
Orders — Order details, shipping information, and order status
Taxonomy — Etsy category and attribute data for listing creation

8.2. How Etsy Data Is Stored

All Etsy data accessed through the API is stored exclusively on your local machine in the application's SQLite database. We do not transmit, copy, or store Etsy data on our servers. OAuth tokens are encrypted at rest using Fernet symmetric encryption.

8.3. Data Freshness & Caching

In compliance with the Etsy API Terms of Use:

Listing data (titles, descriptions, prices, images) is cached for no more than 6 hours
Other Etsy data (shop info, taxonomy, orders) is cached for no more than 24 hours

Cached data is refreshed from the Etsy API on subsequent access after expiration.

8.4. Disconnecting Your Etsy Account

You can disconnect your Etsy shop at any time from the Settings panel. Upon disconnection:

Your OAuth access token and refresh token are immediately deleted from local storage
Cached Etsy data (listings, orders, shop info) is purged from the local database
No Etsy data is retained after disconnection

8.5. Data Breach Notification

In the unlikely event that any Etsy member data accessed via the API is compromised or suspected to be compromised, we will promptly notify Etsy at dpo@etsy.com and the affected Etsy seller within 24 hours of discovery.

9. Cookies & Analytics

Our website (mockupflow.ai) may use basic analytics cookies to understand traffic patterns. The desktop application does not use cookies, tracking pixels, or any form of telemetry.

The Software includes an optional telemetry module (disabled by default) that, when explicitly enabled by you, sends anonymized usage statistics to help us improve the product. No personal data, designs, or business information is included in telemetry data. You can enable or disable this at any time from the Settings panel.

As a company based in the European Union (Croatia), we comply with the General Data Protection Regulation (GDPR).

10.1. Legal Basis for Processing

Contract performance — License key validation and hardware fingerprinting (necessary to deliver the Software you purchased)
Legitimate interest — Security monitoring and license fraud prevention
Consent — Email marketing communications (waitlist, product updates). You can withdraw consent at any time.

10.2. Your Data Rights

Under GDPR, you have the right to:

Access — Request a copy of all personal data we hold about you
Rectification — Correct any inaccurate personal data
Erasure — Request deletion of your personal data ("right to be forgotten"). We will delete your license activation records, hardware fingerprints, and email from our systems within 30 days of request.
Portability — Receive your data in a structured, machine-readable format (JSON)
Object — Object to processing of your personal data for marketing purposes
Restrict — Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at info@mockupflow.ai. We will respond within 30 days as required by GDPR.

10.3. International Data Transfers

License validation data is stored on Supabase servers. When you use third-party APIs, data flows directly from your machine to those providers. We do not control or process this data. Refer to each provider's privacy policy for their data transfer practices.

11. Data Retention

License records — Retained for the duration of your license plus 12 months after expiration
Hardware fingerprints — Retained only while your license is active; deleted upon deactivation or erasure request
Payment records — Retained by Lemon Squeezy/Stripe according to their retention policies and applicable tax law requirements
Email addresses (waitlist) — Retained until you unsubscribe or request deletion
Backblaze uploads — Auto-deleted after 36 hours
Audio/voice data — Temporary files deleted immediately after processing; never stored on our servers

12. Children's Privacy

MockupFlowAI is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us to have it deleted.

13. Open-Source Licensing

MockupFlowAI uses open-source libraries under permissive licenses (MIT, BSD, Apache 2.0). These libraries do not collect personal data independently. All open-source components used in this Software are commercially licensed and permit redistribution. A full list of third-party components is available in the Software's documentation.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes that affect your data rights, we will provide notice via email (if you are a registered user) or via a notification in the Software. Continued use of the Software after changes constitutes acceptance of the updated policy.

15. Contact & Data Protection

If you have questions about this Privacy Policy, want to exercise your data rights, or wish to file a complaint, contact us at:

Email: info@mockupflow.ai
Company: MockupFlowAI
Location: Croatia, European Union

If you are unsatisfied with our response, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local EU supervisory authority.

Last updated: April 6, 2026