Privacy Policy

At Flowlytic Inc. ("Flow AI," "we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile application, and related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

We collect the following information to provide and improve our services:

• Account Information: Email address, full name, business name, business slug, city, and profile preferences
• Contact Data: Names, phone numbers, email addresses, notes, and important dates (birthdays, anniversaries, closing dates) of contacts you upload, import, or create within the Service. Contact data is imported only when you explicitly grant permission and confirm the import within the app.
• Communication Data: SMS, MMS, and email messages drafted and sent through the platform, including inbound message content received on your behalf
• Booking Data: Appointment details, availability schedules, duration, notes, and information submitted by visitors to your booking page
• Voice Interaction Data: Voice conversations with the Flow AI voice agent, including spoken queries and agent responses
• CRM Integration Data: API keys (encrypted at rest), contact sync mappings between Flow AI and your connected CRM, and sync activity logs
• Lead Search Data: Search queries submitted to our lead generation tools and the resulting lead information returned
• Subscription & Payment Data: Subscription plan, billing period, usage allowances, top-up balances, and transaction history
• Usage Data: How you interact with the app, features used, device type, operating system, IP address, browser type, and usage patterns
• Device Information: Device type, operating system version, unique device identifiers, and mobile network information

2. How We Use Your Information

We use the collected information for the following purposes:

• To provide and maintain the Service, including all messaging, booking, and AI features
• To send SMS, MMS, and email messages on your behalf to your contacts
• To power AI-assisted message drafting, polishing, and contact matching
• To provide voice-based AI agent interactions for hands-free communication management
• To sync your contacts and activity with CRM systems you choose to connect
• To generate AI coaching insights about your outreach performance and local market trends
• To manage appointment bookings and send confirmation notifications to you and your clients
• To search for and import business leads on your behalf
• To maintain compliance audit trails, including opt-in/opt-out tracking, message delivery logs, and consent records
• To process your subscription, payments, and usage-based billing
• To send important account, subscription, and security updates
• To improve app functionality, performance, and user experience
• To provide customer support and respond to inquiries
• To comply with legal obligations

3. App Permissions Explained

Our app requests the following permissions to function properly:

• Camera: To capture and upload images and documents (e.g., MMS photo messages)
• Microphone/Audio: Required for the Flow AI voice agent — enables real-time voice conversations for hands-free message management, booking, and lead outreach
• Contacts: Flow AI requests access to your device contacts so you can import and manage your clients within the app. When you choose to import contacts, your contact data (names, phone numbers, and email addresses) is uploaded to Flow AI servers to enable contact management, messaging, and CRM sync features. Contacts are stored securely and are not shared with third parties for advertising or marketing purposes. You will be asked for explicit consent before any contact data is uploaded. You can delete imported contacts at any time from within the app.
• Internet: Required for all app functionality, API communication, messaging, and data sync
• Storage: To save files, cache data, and store content locally on your device
• Notifications: To send you important updates, booking confirmations, and message alerts (optional)

Note: We only access these permissions when necessary for specific features, and we never access your data without your knowledge.

4. Data Storage and Security

Your data security is our priority:

• Data is securely stored using Supabase, a cloud database provider with enterprise-grade security and encryption
• All data transmission between your device, our servers, and third-party services is encrypted using industry-standard HTTPS/TLS protocols
• CRM integration API keys are encrypted at rest using AES-256-GCM symmetric encryption and decrypted only during active sync operations
• Authentication is handled via Supabase Auth — passwords are hashed and never stored in plain text
• Message content, contact data, and booking details are stored in our database to provide the Service
• SMS opt-in and opt-out status is tracked per contact for regulatory compliance
• Access to user data is restricted to authorized personnel on a need-to-know basis
• All third-party services we share data with are required to maintain equivalent or greater data protection standards
• We regularly review and update our security practices

Important: While we strive to use commercially acceptable means to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.

5. Third-Party Services

We use the following third-party services to operate the Service. These providers may collect and process data according to their own privacy policies. We share only the minimum data necessary for each service to function.

• Supabase: Database, authentication, and backend infrastructure — Privacy Policy
• BRCK: SMS and MMS message delivery on your behalf. Receives recipient phone numbers and message content solely to deliver messages you initiate. — Contact BRCK for their privacy policy
• Mailgun: Email delivery on your behalf. Receives recipient email addresses, email content, and sender information solely to deliver emails you initiate. — Privacy Policy
• OpenAI: AI-powered message drafting, contact matching, and coaching insights. Processes message content and contact names/notes when you use AI features. Does NOT receive phone numbers or email addresses. OpenAI does not use your data for model training per their API data processing agreement. — Privacy Policy
• ElevenLabs: Voice AI agent conversations processed in real-time. Receives your spoken requests when you use the voice agent feature. — Privacy Policy
• BrightData: Lead search and data enrichment for lead generation features. Receives search queries and publicly available contact information. — Privacy Policy
• Stripe: Payment and subscription processing. We do not store your payment card details. — Privacy Policy
• Follow Up Boss: CRM contact and activity sync, when you choose to connect your account. Receives contact names, phone numbers, email addresses, lead information, and communication history. — Privacy Policy
• Lofty (formerly Chime): CRM contact and activity sync, when you choose to connect your account. Receives contact names, phone numbers, email addresses, lead information, and communication history. — Privacy Policy
• Google Play Services: In-app purchases and payment processing (Android)
• Apple App Store: In-app purchases and payment processing (iOS)

6. AI Data Processing

Flow AI uses artificial intelligence to enhance your productivity. Here is how your data is processed by AI systems:

• Message Drafting & Polishing (OpenAI): When you draft or send a message, the message content and recipient's first name and notes are sent to OpenAI for AI-assisted writing. Phone numbers and email addresses are NOT sent to OpenAI. You will be informed and asked for consent before AI features process your data for the first time.
• Voice Agent (ElevenLabs): When you use the Flow AI voice agent, your spoken requests are processed by ElevenLabs in real-time. The voice agent accesses only the data relevant to your current request (e.g., a specific contact's name to draft a message). You will be informed that voice data is processed by a third-party service before using the voice agent for the first time.
• Coaching Insights (OpenAI): Your aggregated outreach statistics (message counts, channel usage) are sent to OpenAI to generate personalized coaching recommendations. Individual message content is NOT included.
• Data Retention by AI Providers: Our AI providers process data in real-time and do not use your data for model training, per their respective data processing agreements.
• Your Consent: Before any personal data is sent to a third-party AI service, the app will clearly disclose what data will be sent, identify who the data is sent to, and request your explicit permission. You may decline to use AI features at any time.

7. Contact Data Specific Disclosures

This section provides additional detail about how contact data is handled, in compliance with Apple App Store Guidelines 5.1.1 and 5.1.2:

• Contact data is imported only when you explicitly choose to import contacts and confirm your consent within the app via a dedicated consent screen.
• Before importing, the app will clearly inform you that your contacts will be uploaded to Flow AI servers and explain the purpose.
• Imported contacts are stored securely on Flow AI servers to provide contact management, messaging, and CRM sync features.
• Contact data is not sold, rented, or shared for advertising or marketing purposes.
• Contact data shared with third-party services listed in Section 5 is shared only to fulfill the specific service purpose described (e.g., sending an email or SMS you initiated, syncing with a CRM you connected).
• You can delete all imported contacts at any time from within the app.
• When you delete your account, all contact data is permanently and immediately deleted.

8. SMS & Communication Compliance

Flow AI includes built-in compliance features for messaging:

• All outbound SMS messages include a mandatory compliance footer: opt-out instructions (reply STOP), help instructions (reply HELP), a link to this privacy policy, and a message and data rates disclaimer
• The STOP keyword automatically opts contacts out — opted-out contacts are blocked from receiving further messages through the Service
• The HELP keyword triggers an automated support response with contact information
• Users must certify that they have obtained proper contact consent before using messaging features
• All message delivery events, opt-in changes, and opt-out actions are logged for audit purposes
• Consent certification timestamps are recorded in your account profile

9. CRM Integrations & Data Sharing

When you connect a third-party CRM (such as Follow Up Boss or Lofty) to Flow AI:

• Your contact data (names, phone numbers, emails) and activity (messages sent, bookings created) may sync bidirectionally between Flow AI and the connected CRM
• You control which CRM systems are connected and can disconnect at any time from Settings > Integrations
• CRM API keys are encrypted at rest and are decrypted only during active sync operations
• All sync operations are logged in an audit trail that you can view in your account
• Flow AI is not responsible for how third-party CRM providers store, process, or handle your data after it has been synced to their systems
• By connecting a CRM, you authorize Flow AI to transmit your contact and activity data to that provider

10. Customer Compliance Responsibility

By using the Service, you represent and warrant that:

• You have obtained all necessary consents and authorizations from individuals before contacting them via SMS, email, or phone through the Service
• You are in compliance with all applicable laws and regulations, including but not limited to the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and all applicable state and local regulations
• All contact lists you import or create within the Service are lawfully obtained and have appropriate consent for the communications you intend to send
• You are solely responsible for the content of all messages sent through the platform
• You will maintain accurate opt-in records for your contacts
• You understand and accept responsibility for data sharing when connecting third-party CRM integrations

Flow AI provides audit trails and compliance infrastructure to assist you but does not guarantee regulatory compliance and shall not be held liable for violations arising from your use of the Service. Any fines, penalties, or legal actions resulting from non-compliance are your sole responsibility.

11. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in the following circumstances:

• With your consent: When you explicitly agree to share data (e.g., connecting a CRM integration, granting permission to use AI features, or importing contacts)
• Service providers: With the third-party services listed in Section 5, solely for the purpose of operating the Service
• On your behalf: When you instruct us to send messages, sync contacts, or perform actions that transmit data to recipients or connected services
• Legal requirements: When required by law, legal process, or government request
• Business transfers: In connection with a merger, acquisition, or sale of assets
• Protection: To protect the rights, property, or safety of Flowlytic Inc., our users, or the public

12. Data Retention & Account Deletion

We retain your data for as long as necessary to provide services and comply with legal obligations:

• Active accounts: Data is retained while your account is active and the Service is in use
• Message and communication logs: Retained for the duration of your account to support compliance audit trails

When you delete your account, the following happens immediately:

• Your profile, contacts, contact notes, and important dates are permanently deleted
• All messages (drafts and sent), bookings, and availability settings are permanently deleted
• CRM integrations are disconnected (webhooks removed) and all sync mappings are permanently deleted
• Uploaded CSV files, lead data, and phone number assignments are permanently deleted
• Your authentication account is permanently deleted

Retained for 90 days after deletion (then automatically purged):

• Anonymized billing records: Transaction amounts and types are retained with identifying details removed, for tax and billing dispute resolution
• Anonymized compliance audit logs: CRM sync activity logs are retained with identifying details redacted, to support regulatory compliance inquiries

After the 90-day retention period, all remaining data is automatically and permanently purged. A confirmation email is sent to your registered email address upon account deletion.

13. Your Rights and Choices

You have the following rights regarding your personal data:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and personal data
• Export: Download your data in a portable format
• Opt-out: Unsubscribe from marketing communications
• Withdraw consent: Revoke permissions granted to the app, including contact import and AI data processing
• Disconnect integrations: Remove connected CRM systems and stop data syncing at any time
• Decline AI features: Choose not to use AI-powered features; the app's core messaging and contact management features remain available without AI

To exercise these rights, contact us at the email address below.

14. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.

15. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws.

16. Changes to This Privacy Policy

We may update Our Privacy Policy from time to time to reflect changes in our practices, features, or legal requirements. We will notify You of any material changes by:

• Updating the "Last updated" date at the top of this policy
• Sending an email notification to your registered email address
• Displaying a prominent notice in the app

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

17. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to deletion of personal information
• Right to non-discrimination for exercising your rights

18. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure (right to be forgotten)
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time

19. Collecting and Using Your Mobile Number

We respect your privacy. Mobile numbers collected through opt-in will only be used for the intended purpose, and will never be shared with third parties for marketing purposes.

Contact Us

All trademarks, service marks, logos, and copyrights displayed on flowlytic.ai remain the property of their respective owners. Any references to third-party trademarks, logos, or brands are solely for identification purposes and do not represent sponsorship, endorsement, partnership, or affiliation with Flowlytic AI unless explicitly stated otherwise.