Legal

Privacy Policy

Last updated: July 10, 2026

FlowOversee is a local-first desktop application. It runs entirely on your own device. It does not phone home, contains no analytics, telemetry, crash reporting, or advertising, and sends no data of any kind to the developer or any third party. The only network connections FlowOversee makes are directly from your device to Microsoft's own service endpoints, using your own credentials, to read your own Power Automate and Power Platform data.

Who this applies to

This policy covers the FlowOversee desktop application distributed through the Microsoft Store. FlowOversee is an independent product and is not affiliated with or endorsed by Microsoft Corporation (see the Legal Notices).

What data FlowOversee accesses

When you sign in with your own Microsoft Entra ID (work or school) account, FlowOversee reads data from your organization's Power Platform tenant so it can show it to you:

FlowOversee requests read-only access (Flows.Read.All, User.ReadBasic.All, and Dataverse user_impersonation for discovery). It cannot create, modify, run, or delete your flows.

Where your data is stored

All FlowOversee data stays on your computer, under %LOCALAPPDATA%\FlowOversee\ (i.e. C:\Users\<you>\AppData\Local\FlowOversee\):

File / folderContents
config.jsonYour settings, including the Microsoft Entra application (client) ID and tenant ID you enter during setup.
msal-cache.binYour sign-in tokens, encrypted with Windows DPAPI so they can be read only by your Windows user account on this machine. Written only while "Stay signed in on this device" (Settings → Security) is on — the default. Turn it off and FlowOversee keeps no sign-in data on disk at all.
logs\Local diagnostic logs (rolling files, kept on your machine for troubleshooting).
folders.jsonThe flow folders you create to organise your flows — folder names plus the workflow IDs and cached display names of the flows you place in them, grouped by environment. A folders.json.bak copy of the previous version is kept alongside so your folders can be recovered automatically if the live file is ever corrupted. A local convenience layer; never sent anywhere.
anomaly-state.jsonYour anomaly triage decisions — which "Needs attention" findings you've muted, snoozed, or acknowledged (environment ID, flow ID and name, signal type, severity, and when) — and, if you turn on Alerts, the alert monitor's record of the findings it has already reported (environment ID, flow IDs, and signal types per environment) so a restart doesn't notify you about the same finding twice. Keeps an anomaly-state.json.bak copy of the previous version for automatic recovery. Local only; never sent anywhere.
Windows notification registrationCreated only if you turn on Alerts: a small per-user Windows registration (app name and icon) so Windows can show FlowOversee's toast notifications. Notifications are rendered locally by Windows and contain only your own flow and environment names; nothing is transmitted. Removed by Settings → "Reset application data".

FlowOversee never transmits these files anywhere.

What FlowOversee transmits, and to whom

FlowOversee communicates only with Microsoft endpoints, directly from your device, to authenticate you and read your data:

When you click an "open in maker portal" link, FlowOversee opens make.powerautomate.com in your default browser. That is a normal link you choose to follow, not a background data transfer.

Microsoft's handling of the data in these services is governed by the agreement between your organization and Microsoft, and by the Microsoft Privacy Statement. FlowOversee adds nothing to that exchange and copies nothing out of it.

What FlowOversee does not do

Deleting your data

To remove all FlowOversee data from your machine: sign out, uninstall FlowOversee, and delete the %LOCALAPPDATA%\FlowOversee\ folder. You can also revoke FlowOversee's access at any time from your Microsoft Entra account or by removing the app registration you created for it.

Security

Sign-in tokens are stored using the Windows Data Protection API (DPAPI), tied to your Windows user account. FlowOversee uses Microsoft's official authentication library (MSAL) and, where available, the Windows account broker (WAM) so your credentials are handled by Windows, not by FlowOversee.

Two optional layers are available in Settings → Security: turn off "Stay signed in on this device" to run with a memory-only token cache (nothing app-managed is written to disk; you pick your account each launch), and turn on "Require Windows Hello at launch" to ask for a PIN, face, or fingerprint before FlowOversee opens.

Children

FlowOversee is a professional tool for Power Platform users and is not directed at children.

Changes to this policy

If this policy changes, the updated version will be published at this address and the "Last updated" date above will change.

Contact

Questions about privacy in FlowOversee: [email protected]