At Flowlytic Inc. ("Flow AI," "we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile application, and related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Information We Collect
We collect the following information to provide and improve our services:
- Account Information: Email address, full name, business name, business slug, city, and profile preferences
- Contact Data: Names, phone numbers, email addresses, notes, and important dates (birthdays, anniversaries, closing dates) of contacts you upload, import, or create within the Service
- Communication Data: SMS, MMS, and email messages drafted and sent through the platform, including inbound message content received on your behalf
- Booking Data: Appointment details, availability schedules, duration, notes, and information submitted by visitors to your booking page
- Voice Interaction Data: Voice conversations with the Flow AI voice agent, including spoken queries and agent responses
- CRM Integration Data: API keys (encrypted at rest), contact sync mappings between Flow AI and your connected CRM, and sync activity logs
- Lead Search Data: Search queries submitted to our lead generation tools and the resulting lead information returned
- Subscription & Payment Data: Subscription plan, billing period, usage allowances, top-up balances, and transaction history
- Usage Data: How you interact with the app, features used, device type, operating system, IP address, browser type, and usage patterns
- Device Information: Device type, operating system version, unique device identifiers, and mobile network information
2. How We Use Your Information
We use the collected information for the following purposes:
- To provide and maintain the Service, including all messaging, booking, and AI features
- To send SMS, MMS, and email messages on your behalf to your contacts
- To power AI-assisted message drafting, polishing, and contact matching
- To provide voice-based AI agent interactions for hands-free communication management
- To sync your contacts and activity with CRM systems you choose to connect
- To generate AI coaching insights about your outreach performance and local market trends
- To manage appointment bookings and send confirmation notifications to you and your clients
- To search for and import business leads on your behalf
- To maintain compliance audit trails, including opt-in/opt-out tracking, message delivery logs, and consent records
- To process your subscription, payments, and usage-based billing
- To send important account, subscription, and security updates
- To improve app functionality, performance, and user experience
- To provide customer support and respond to inquiries
- To comply with legal obligations
3. App Permissions Explained
Our app requests the following permissions to function properly:
- Camera: To capture and upload images and documents (e.g., MMS photo messages)
- Microphone/Audio: Required for the Flow AI voice agent — enables real-time voice conversations for hands-free message management, booking, and lead outreach
- Internet: Required for all app functionality, API communication, messaging, and data sync
- Storage: To save files, cache data, and store content locally on your device
- Notifications: To send you important updates, booking confirmations, and message alerts (optional)
Note: We only access these permissions when necessary for specific features, and we never access your data without your knowledge.
4. Data Storage and Security
Your data security is our priority:
- Data is securely stored using Supabase, a cloud database provider with enterprise-grade security and encryption
- All data transmission between your device, our servers, and third-party services is encrypted using industry-standard HTTPS/TLS protocols
- CRM integration API keys are encrypted at rest using AES-256-GCM symmetric encryption and decrypted only during active sync operations
- Authentication is handled via Supabase Auth — passwords are hashed and never stored in plain text
- Message content, contact data, and booking details are stored in our database to provide the Service
- SMS opt-in and opt-out status is tracked per contact for regulatory compliance
- We regularly review and update our security practices
Important: While we strive to use commercially acceptable means to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.
5. Third-Party Services
We use the following third-party services to operate the Service. These providers may collect and process data according to their own privacy policies. We share only the minimum data necessary for each service to function.
- Supabase: Database, authentication, and backend infrastructure — Privacy Policy
- BRCK: SMS and MMS message delivery on your behalf
- Mailgun: Email delivery on your behalf — Privacy Policy
- OpenAI: AI-powered message drafting, contact matching, and coaching insights. Processes message content and contact names/notes. Does NOT receive phone numbers or email addresses. — Privacy Policy
- ElevenLabs: Voice AI agent conversations processed in real time — Privacy Policy
- BrightData: Lead search and data enrichment for lead generation features — Privacy Policy
- Stripe: Payment and subscription processing. We do not store your payment card details. — Privacy Policy
- Follow Up Boss: CRM contact and activity sync, when you choose to connect your account — Privacy Policy
- Lofty (formerly Chime): CRM contact and activity sync, when you choose to connect your account — Privacy Policy
- Google Play Services: In-app purchases and payment processing (Android)
- Apple App Store: In-app purchases and payment processing (iOS)
6. AI Data Processing
Flow AI uses artificial intelligence to enhance your productivity. Here is how your data is processed by AI systems:
- Message Drafting & Polishing (OpenAI): When you draft or send a message, the message content and recipient's first name and notes are sent to OpenAI for AI-assisted writing. Phone numbers and email addresses are NOT sent to OpenAI.
- Voice Agent (ElevenLabs): When you use the Flow AI voice agent, your spoken requests are processed by ElevenLabs in real time. The voice agent accesses only the data relevant to your current request (e.g., a specific contact's name to draft a message).
- Coaching Insights (OpenAI): Your aggregated outreach statistics (message counts, channel usage) are sent to OpenAI to generate personalized coaching recommendations. Individual message content is NOT included.
- Data Retention by AI Providers: Our AI providers process data in real time and do not use your data for model training, per their respective data processing agreements.
7. SMS & Communication Compliance
Flow AI includes built-in compliance features for messaging:
- All outbound SMS messages include a mandatory compliance footer: opt-out instructions (reply STOP), help instructions (reply HELP), a link to this privacy policy, and a message and data rates disclaimer
- The STOP keyword automatically opts contacts out — opted-out contacts are blocked from receiving further messages through the Service
- The HELP keyword triggers an automated support response with contact information
- Users must certify that they have obtained proper contact consent before using messaging features
- All message delivery events, opt-in changes, and opt-out actions are logged for audit purposes
- Consent certification timestamps are recorded in your account profile
8. CRM Integrations & Data Sharing
When you connect a third-party CRM (such as Follow Up Boss or Lofty) to Flow AI:
- Your contact data (names, phone numbers, emails) and activity (messages sent, bookings created) may sync bidirectionally between Flow AI and the connected CRM
- You control which CRM systems are connected and can disconnect at any time from Settings > Integrations
- CRM API keys are encrypted at rest and are decrypted only during active sync operations
- All sync operations are logged in an audit trail that you can view in your account
- Flow AI is not responsible for how third-party CRM providers store, process, or handle your data after it has been synced to their systems
- By connecting a CRM, you authorize Flow AI to transmit your contact and activity data to that provider
9. Customer Compliance Responsibility
Important: Flow AI provides tools and infrastructure to support regulatory compliance, including opt-in/opt-out tracking, STOP keyword handling, mandatory message footers, consent certification timestamps, audit logging, and CRM sync logs. However, you (the customer) are solely responsible for your own compliance with all applicable laws and regulations.
By using the Service, you represent and warrant that:
- You have obtained all necessary consents and authorizations from individuals before contacting them via SMS, email, or phone through the Service
- You are in compliance with all applicable laws and regulations, including but not limited to the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and all applicable state and local regulations
- All contact lists you import or create within the Service are lawfully obtained and have appropriate consent for the communications you intend to send
- You are solely responsible for the content of all messages sent through the platform
- You will maintain accurate opt-in records for your contacts
- You understand and accept responsibility for data sharing when connecting third-party CRM integrations
Flow AI provides audit trails and compliance infrastructure to assist you but does not guarantee regulatory compliance and shall not be held liable for violations arising from your use of the Service. Any fines, penalties, or legal actions resulting from non-compliance are your sole responsibility.
10. Data Sharing and Disclosure
We do not sell your personal information. We may share your data only in the following circumstances:
- With your consent: When you explicitly agree to share data (e.g., connecting a CRM integration)
- Service providers: With the third-party services listed in Section 5, solely for the purpose of operating the Service
- On your behalf: When you instruct us to send messages, sync contacts, or perform actions that transmit data to recipients or connected services
- Legal requirements: When required by law, legal process, or government request
- Business transfers: In connection with a merger, acquisition, or sale of assets
- Protection: To protect the rights, property, or safety of Flowlytic Inc., our users, or the public
11. Data Retention & Account Deletion
We retain your data for as long as necessary to provide services and comply with legal obligations:
- Active accounts: Data is retained while your account is active and the Service is in use
- Message and communication logs: Retained for the duration of your account to support compliance audit trails
When you delete your account, the following happens immediately:
- Your profile, contacts, contact notes, and important dates are permanently deleted
- All messages (drafts and sent), bookings, and availability settings are permanently deleted
- CRM integrations are disconnected (webhooks removed) and all sync mappings are permanently deleted
- Uploaded CSV files, lead data, and phone number assignments are permanently deleted
- Your authentication account is permanently deleted
Retained for 90 days after deletion (then automatically purged):
- Anonymized billing records: Transaction amounts and types are retained with identifying details removed, for tax and billing dispute resolution
- Anonymized compliance audit logs: CRM sync activity logs are retained with identifying details redacted, to support regulatory compliance inquiries
After the 90-day retention period, all remaining data is automatically and permanently purged. A confirmation email is sent to your registered email address upon account deletion.
12. Your Rights and Choices
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and personal data
- Export: Download your data in a portable format
- Opt-out: Unsubscribe from marketing communications
- Withdraw consent: Revoke permissions granted to the app
- Disconnect integrations: Remove connected CRM systems and stop data syncing at any time
To exercise these rights, contact us at the email address below.
13. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.
14. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws.
15. Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, features, or legal requirements. We will notify you of any material changes by:
- Updating the "Last updated" date at the top of this policy
- Sending an email notification to your registered email address
- Displaying a prominent notice in the app
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
16. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of the sale of personal information (we do not sell data)
- Right to deletion of personal information
- Right to non-discrimination for exercising your rights
17. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
18. Collecting and Using Your Mobile Number
We respect your privacy. Mobile numbers collected through opt-in will only be used for the intended purpose, and will never be shared with third parties for marketing purposes.
Contact Us
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how we handle your data, please contact us:
Email: support@flowlytic.ai
Company: Flowlytic Inc.
Address: 455 Market St Ste 1940 PMB 615892, San Francisco, California 94105-2448 US
App Name: Flow AI by Flowlytic Inc.
We will respond to your inquiry within 30 days.
All trademarks, service marks, logos, and copyrights displayed on flowlytic.ai remain the property of their respective owners. Any references to third-party trademarks, logos, or brands are solely for identification purposes and do not represent sponsorship, endorsement, partnership, or affiliation with Flowlytic AI unless explicitly stated otherwise.