Skip to content

What the Vault Sends Home

Flowsta Vault is built to keep your identity and data on your device. This page is the complete list of what it sends to Flowsta anyway - every field, every trigger, and who can see what.

The Vault is open source, so nothing here is taken on trust: each section links to the code that does the sending. If you find something leaving your device that isn't on this page, that's a bug - tell us.

The short version

While unlocked, the Vault sends three kinds of background traffic:

WhatWhenContains
Network version checkOn unlockNothing about you - a plain request for current network versions
Usage recordOne record per connected app per calendar monthA random per-app ID, the month, and a use counter
Sign It quota countAfter each signature you publishA signed counter, so your plan's allowance works offline-first

Everything else the Vault sends is something you initiated: a sign-in you approved, a signature you published, an account upgrade you started, an email verification you requested.

The usage record, field by field

Flowsta's plans (including the free tier and per-active-user developer pricing) need to know one thing: how many people used an app this month. The Vault answers that with the smallest record we could design. One record exists per connected app per calendar month:

json
{
  "client_id": "flowsta_app_...",      // which registered app
  "analytics_id": "6f1e...-uuid",      // random ID, unique to this app on your Vault
  "month_year": "2026-07",
  "first_seen_at": 1783600000,          // first use this month
  "last_seen_at": 1783660000,           // most recent use this month
  "activity_count": 14                  // uses this month
}

What the record deliberately is not:

  • Not a log. There is no entry per action and no timestamps beyond first-and-last-of-month. A month of heavy use of one app produces exactly one record.
  • Not a stream. The Vault checks every 30 minutes whether unsynced records exist and sends them if so. Most of those checks send nothing - steady state for someone using three apps is three records a month.
  • Not correlatable across apps. The analytics_id is a random UUID generated once per app on your device. Two apps' records share no identifier, so app A's developer can learn nothing about your use of app B.
  • Not your content. No files, no file names, no signatures, no messages, no keys, no passwords, no email, no username - the fields above are the entire record.

Records are stored encrypted on your device until they sync, and each is integrity-signed so tampering is detectable. Code: mau.rs.

Pseudonymous to Flowsta, aggregate to everyone else

The sync request carries one account-level identifier: your recovery lookup hash. It's a one-way hash - it cannot be turned back into your recovery phrase, your keys, or your email - but it is stable, and it is how your account row is found for billing and quotas.

Being precise about what that means:

  • To Flowsta, your usage is pseudonymous, not anonymous. Our servers can tie "this account was active in these apps this month" together - that's what makes plans and quotas work, the same way any business ties service usage to an account. It is the only place that link exists.
  • To developers, your usage is an aggregate number: MAU, monthly active users. A developer sees "N active users this month" for their own app and nothing else: no identities, no per-user activity, nothing about other apps or Flowsta services. MAU is what developer billing is based on, and that billing is what supports running the network - it's how the free tier stays free.
  • To everyone else, it's nothing. The records travel over HTTPS to Flowsta and appear in no public network, no DHT, and no third-party service.

Where zero-knowledge fits

It's worth being clear about what "Flowsta can tie usage to an account" does and doesn't mean, because the account itself is not what you might expect. The account Flowsta bills is a cryptographic identity: public keys, one-way hashes, a DID. Everything personal behind it - your private records, your files, your app data, the email address itself - is encrypted in your Vault, on your device, and nobody sees any of it unless you consent to share it. That includes Flowsta. It's the point of the zero-knowledge design: we can count that an account was active, but we cannot look inside it.

The identity only becomes you if you make that link yourself - by claiming a public username, sharing your DID, or consenting to share your email with an app. What the usage record ties together is only ever what you've chosen to make public.

The Sign It quota count

When you publish a signature, the Vault tells the API to count it against your monthly allowance - a signed message containing your agent key, the one-way account hash, a count, and a timestamp. This exists so quotas can be enforced locally (you can keep signing offline) while staying accurate server-side. It carries nothing about the file you signed; the signature itself goes to the public signing network only because publishing it is the point.

What never leaves your device

For contrast, the things the Vault holds that have no path to Flowsta at all: your recovery phrase, your private keys, your vault password, your private records and app backups, and the contents of any file you sign (only its hash is ever published, and only when you publish it).

Can I verify this?

Yes - that's the reason the Vault is open source. The three senders on this page are mau.rs (usage records), the quota sync in commands.rs, and the version check in dna_updater.rs. Build from source and watch the wire if you like - the page and the code should always agree.

Documentation licensed under CC BY-SA 4.0.