Privacy Policy
Version 2.1 — Cloudflare sub-processor and transfer/analytics clarifications · Last updated: 2026-06-18
This Privacy Policy explains how Fraway S.r.l. ("Fraway", "we", "us") collects, uses, shares and protects personal data, and the rights you have in relation to it, in accordance with Regulation (EU) 2016/679 (the "GDPR") and Italian Legislative Decree 196/2003.
1. Scope of this Policy
This Policy covers two distinct things operated by Fraway:
- The Fraway website — the public marketing site at fraway.io and its subpages. The rules for the website are set out in Part A.
- The DevFlow product — Fraway's AI-assisted software-development service, where users log in via magic link, connect Git repositories, and submit natural-language tasks that automated AI agents act on. The rules for DevFlow are set out in Part B.
The common sections (international transfers, your rights, how to exercise them, changes, and how to contact us) apply to both, except where stated otherwise.
For DevFlow, the Terms of Use and the Data Processing Agreement (the "DPA", available at https://fraway.io/devflow/dpa) govern the contractual relationship; this Policy describes the related data processing and is intended to be read consistently with them.
2. Data Controller and Our Roles
The data controller is:
Fraway S.r.l.
- Registered office: Via Fiume Giallo 275, Rome, Italy
- VAT / P.IVA: IT01635990888
- Email: info@fraway.io
Fraway has not appointed a Data Protection Officer. Privacy queries and data-subject requests should be sent to info@fraway.io.
Our role depends on the data:
- Controller: For the website and for DevFlow account and operational data (Section 7), Fraway acts as data controller.
- Processor: For content you submit to DevFlow (Section 8), you — the user or your organisation — are the data controller and Fraway acts as a data processor on your documented instructions. The third-party AI and infrastructure providers act as sub-processors.
Part A — The Fraway Website (fraway.io)
3. Data We Collect (Website)
We collect and process the following categories of personal data through the website:
Analytics Data (with consent)
- IP address (truncated/pseudonymised before storage; full IP addresses are not retained for analytics)
- Browser type and version
- Device type and operating system
- Pages visited and time spent
- Referral source
Contact Form Data
- Name
- Email address
- Company name (optional)
- Message content
Technical Data
- Cloudflare Turnstile verification tokens
- Theme preference (light/dark mode)
- Cookie consent preferences
4. Purposes and Legal Basis (Website)
We process your website data for the following purposes:
| Purpose | Legal basis | Description |
|---|---|---|
| Website analytics | Your consent (Art. 6(1)(a) GDPR) | To understand how visitors use our website and improve user experience. |
| Responding to inquiries | Legitimate interest (Art. 6(1)(f) GDPR) | To respond to your contact form submissions and provide requested information. |
| Security | Legitimate interest (Art. 6(1)(f) GDPR) | To protect our website from spam and abuse using Cloudflare Turnstile. |
5. Third-Party Processors (Website)
We share website data with the following service providers, who process it on our behalf:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Analytics | Website analytics | USA | Standard Contractual Clauses (and EU–US Data Privacy Framework where certified) |
| Cloudflare | Security, CDN, bot protection | USA | Standard Contractual Clauses (and EU–US Data Privacy Framework where certified) |
| AWS SES | Contact form email delivery | Ireland (EEA) | Within the EEA — no third-country transfer |
| Google Fonts | Web fonts delivery | USA | Standard Contractual Clauses (and EU–US Data Privacy Framework where certified) |
6. Data Retention (Website)
We retain website data for the following periods:
Part B — The DevFlow Product
DevFlow is an AI-assisted software-development service. Users authenticate via magic link, connect Git repositories, and submit natural-language tasks. Automated AI agents then read, generate and modify source code inside isolated working copies of the connected repositories.
7. DevFlow Account and Operational Data (Fraway as Controller)
For the data needed to provide, secure and operate DevFlow itself, Fraway is the data controller. Providing your email address and authentication data is necessary to create and operate a DevFlow account; without it we cannot provide the service. This includes:
- Magic-link email address used to sign in
- Authentication sessions and login/security events
- Workspace and membership data (organisations, teams, roles, access)
- Task metadata (identifiers, status, timestamps — not the task content itself, which is covered by Section 8)
- Cost and token-usage data (consumption and billing-related metering)
- Agent event logs (records of agent runs, system events, operational telemetry)
We process this data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account, authenticating you, and delivering the contracted DevFlow service | Performance of a contract — Art. 6(1)(b) GDPR |
| Securing the service, preventing abuse and fraud, ensuring availability, debugging and metering usage | Legitimate interest — Art. 6(1)(f) GDPR |
| Complying with legal, accounting and tax obligations | Legal obligation — Art. 6(1)(c) GDPR |
8. User-Submitted Content (You as Controller, Fraway as Processor)
To use DevFlow you submit or connect content, which may include: task descriptions, prompts, chat messages, attachments, connected repository contents, source code, and any data contained therein (together, "submitted content").
Controller / processor split. For any personal data you choose to include in submitted content, you (the user, or the organisation on whose behalf you act) are the data controller, and Fraway acts as a data processor, processing that content solely on your documented instructions. The third-party AI and infrastructure providers that process submitted content to perform your tasks act as sub-processors.
This processing is governed by a data processing agreement under Article 28 GDPR, available at https://fraway.io/devflow/dpa. In case of any inconsistency between this Section and the DPA in respect of submitted content, the DPA governs.
Because you are the controller of personal data within submitted content, you are responsible for having a valid lawful basis for that data and for the instructions you give us, including any international transfers (Section 13) and the limits described in Section 10.
9. DevFlow Sub-Processors and Recipients
To carry out the tasks you submit, submitted content is transmitted to and processed by third-party providers acting as sub-processors. The table below lists the sub-processors and recipients we rely on, where they process data, and the transfer safeguard relied on; processing may take place outside the EEA (see Section 13). The current, authoritative list is maintained in the sub-processor register referenced in the DPA.
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hetzner | Hosting and compute (running DevFlow and the isolated working copies) | Germany (EEA) | Within the EEA — no transfer |
| Google Cloud Storage | Encrypted backups | EU / europe-west (EEA) | Within the EEA — no transfer |
| Amazon SES | Authentication (magic-link) and transactional email | Ireland (EEA) | Within the EEA — no transfer |
| Cloudflare | DNS, CDN and WAF for the DevFlow application | USA | Standard Contractual Clauses (and EU–US Data Privacy Framework where certified) |
| GitHub (Microsoft) | Connecting and accessing the Git repositories you link | USA | SCCs (and EU–US Data Privacy Framework where certified) |
| Anthropic | AI/LLM processing of submitted content | USA | SCCs (and EU–US Data Privacy Framework where certified) |
| OpenAI | AI/LLM processing of submitted content | USA | SCCs (and EU–US Data Privacy Framework where certified) |
| Google (Gemini API) | AI/LLM processing of submitted content | USA | SCCs (and EU–US Data Privacy Framework where certified) |
| OpenRouter | AI/LLM routing to the model providers reachable through it | USA | SCCs (and EU–US Data Privacy Framework where certified) |
| Telegram (Telegram FZ-LLC) | Optional, user-activated task notifications | United Arab Emirates | Your explicit consent — Art. 49(1)(a) (see Section 13) |
Fraway does not use submitted content to train its own models.
We select AI providers and API tiers with the intention of avoiding model-training on submitted content where such an option is available from the provider. However, Fraway does not control, and does not warrant, any third-party provider's data retention, logging or model-training practices.
Customer-configured integrations
If you enable optional integrations such as error monitoring (Sentry) or vulnerability data sources, you configure and control these as the controller, and they receive data according to your configuration and their own terms. Fraway is not the controller of the processing you initiate through such integrations.
10. Data Minimisation — What Not to Submit
DevFlow is general-purpose and is not designed to receive sensitive or unlawfully processed data. Consistent with the DevFlow Terms of Use, you should not submit, connect or include in submitted content:
- Special categories of personal data (Art. 9 GDPR — e.g. health, racial or ethnic origin, political opinions, religious beliefs, biometric or genetic data, sexual orientation) or data on criminal convictions and offences (Art. 10 GDPR);
- Secrets or credentials — production passwords, API keys, access tokens, private keys or similar (use placeholders or secret management instead);
- Any personal data you do not have a lawful basis to process or to disclose to processors and sub-processors.
You remain responsible, as controller, for ensuring submitted content complies with this Section.
11. Security of Product Data
We implement appropriate technical and organisational measures designed to protect product data, taking into account the state of the art and the risks involved, including:
- Encryption at rest of credentials and other sensitive secrets we hold;
- Isolation of the working copies in which agents read, generate and modify code, so that one workspace's processing is separated from another's;
- Access controls based on the principle of least privilege, restricting access to authorised personnel and systems.
No method of transmission over the internet or of electronic storage is completely secure, and we cannot guarantee absolute security. Further detail is set out in the technical and organisational measures referenced in the DPA.
12. Data Retention (DevFlow Product)
We retain product data only as long as necessary for the purposes described in this Policy or as required by law:
For submitted content, deletion and return on termination are governed by the DPA and by your instructions as controller. Where we act as processor, we delete or return submitted content at the end of the service in accordance with the DPA, unless retention is required by law.
Common Provisions (Website and DevFlow)
13. International Data Transfers
Some processing involves transfers of personal data outside the EEA. We rely on an appropriate safeguard under Chapter V GDPR for each such transfer.
Website service providers
Some of our website service providers (Section 5) are located in the United States. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission.
DevFlow product content
Transfers of submitted content to AI/LLM and infrastructure sub-processors (Section 9) may occur outside the EEA. Each such transfer relies on an appropriate Chapter V safeguard — an adequacy decision or the Standard Contractual Clauses (SCCs) — flowed down to the relevant sub-processor. Because you are the controller of personal data within submitted content, you are responsible for authorising such transfers in the instructions you give us; the applicable safeguards are described further in the DPA.
Optional notifications via Telegram (user-activated)
If you enable Telegram notifications, DevFlow sends task notifications to Telegram (Telegram FZ-LLC), which processes them in the United Arab Emirates — outside the EEA and without an EU adequacy decision. Because appropriate safeguards such as SCCs are not available for this recipient, this transfer is made only on the basis of your explicit, informed consent for that specific transfer (Art. 49(1)(a) GDPR), which you give when enabling the feature and can withdraw at any time by disabling it. To keep the transfer proportionate, these notifications contain only the task title, its status and a link to open the task in DevFlow — never code, diffs, prompts, secrets or other people's personal data. Telegram is an optional, user-activated recipient and is not part of the always-on sub-processors required to run DevFlow. We recognise that Art. 49(1)(a) derogations are intended for transfers that are not large-scale or systematic. Because this feature is strictly optional, off by default, activated per user, and limited to task title, status and a link (excluding code, diffs, prompts, secrets and any other person's personal data), the transfer remains occasional and proportionate to the individual user's own choice. You may withdraw at any time by disabling notifications.
14. Your Rights
Under the GDPR, you have the following rights:
- Right of access: Obtain confirmation of whether we process your data and request a copy.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data ('right to be forgotten').
- Right to restriction: Request limitation of processing in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
Rights regarding content you submit to DevFlow
The rights above apply to personal data for which Fraway is the controller (the website and DevFlow account/operational data). For personal data you submitted to DevFlow as the controller (Section 8), a data subject's request should be directed to you, the controller of that data. Where Fraway acts as your processor, we will assist you in responding to such requests, as set out in the DPA.
Automated decision-making
DevFlow's AI agents read, generate and modify code on your instructions; they do not make decisions that produce legal effects concerning data subjects or similarly significantly affect them within the meaning of Art. 22 GDPR. Fraway does not carry out such solely-automated decision-making or profiling in providing the website or DevFlow. If this changes, we will update this Policy and provide the information required by Art. 22.
15. How to Exercise Your Rights
To exercise any of your rights, please contact us at info@fraway.io. We will respond within 30 days (extendable in line with the GDPR for complex requests, with notice to you). We may need to verify your identity before acting on a request. If you are not satisfied with our response, you have the right to lodge a complaint with your supervisory authority. In Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it). The governing law of this Policy is Italian law.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The 'Last updated' date and version number above indicate when it was last revised. For material changes, we will notify you via a notice on our website and/or, for DevFlow, through the service or by email.