Effective Date: 13 July 2025
Last Reviewed: 13 July 2025
Below is a high‑level overview. For full details, read the complete Policy that follows.
Key Point | What it means |
---|---|
No sale or share | We never sell or share your personal information for cross‑context behavioural advertising. |
Why we collect data | To run the platform, process payments, secure our systems, improve the product and—only with your consent—send you marketing. |
Your controls | Download, correct, delete or restrict your data; opt out of marketing; manage cookies; withdraw consent at any time. |
Security first | Data encrypted in transit & at rest, SOC‑2‑aligned controls, annual pen‑tests, 72‑hour breach notice. |
Regional compliance | GDPR (EU/UK), CPRA & other U.S. state laws, PIPEDA (Canada), Data Privacy Framework certified. |
Sub‑processors | Stripe, Supabase, Vercel, Microsoft Azure Blob Storage, Twilio, SendGrid (live list & 30‑day objection window). |
Changes | 30 days' advance e‑mail / in‑app notice before any material change. |
Flowdara, Inc. and its subsidiaries ("Flowdara", "we", "our" or "us") respect your privacy. This Privacy & Data Protection Policy ("Policy") describes how we collect, use, disclose, and protect your personal information when you interact with our booking platform, websites, mobile applications, application‑programming interfaces (APIs) and related services (collectively, the "Services").
Layered approach. This Policy is our comprehensive disclosure. Where required, we also provide contextual "just‑in‑time" notices (e.g., cookie banner, OAuth consent screens). If a regional law offers you stronger rights or imposes stricter duties, we comply with that law.
Term | Meaning |
---|---|
Controller | The entity that determines the purposes and means of processing personal information. Flowdara acts as Controller for End‑Users who create accounts directly with us. When you interact with a Flowdara Subscriber (e.g., a practitioner using our SaaS), that Subscriber is the Controller and Flowdara acts as Processor. |
End‑User | Any natural person who uses the Services, including Subscriber staff and consumer clients who book, pay for, or attend an appointment. |
Personal Information / Personal Data | Information that identifies, relates to, describes, or can reasonably be linked—directly or indirectly—to a natural person, as defined by applicable law (GDPR, CPRA, PIPEDA, etc.). |
Sensitive Personal Information | A special category of data subject to additional protections (e.g., health data, precise geolocation, biometric identifiers). |
Other Information | Data that cannot reasonably be used to identify an individual (e.g., aggregated statistics). We commit not to re‑identify de‑identified data. |
This Policy applies to all users in North America and the United Kingdom (preparatory compliance) and governs every point of collection—websites, mobile apps, emails, APIs, support channels, and marketing touch‑points.
The Services are not directed to children under 16. We do not knowingly collect data from children under 13. See Section 13.
Category | Examples | Purpose | Legal Basis* | Retention |
---|---|---|---|---|
Account & Contact | Name, email, postal address, telephone | Account creation, authentication, support | Contract; Legitimate Interest | Duration of account + 3 yrs |
Credentials | Encrypted passwords, OAuth tokens | Secure log‑in, SSO | Contract; Legitimate Interest | Until deletion; rotated < 90 days |
Payment & Billing | Last 4 digits card, billing address, Stripe ID, transaction history | Process payments, refunds, fraud prevention | Contract; Legal Obligation (tax) | 7 yrs (tax/PCI) |
Booking Data | Appointment date/time, location, service type | Provide and manage Services | Contract | Duration of account + 1 yr |
Usage & Device | IP, browser, OS, device ID, clickstream, cookies, crash logs | Service performance, analytics, security | Legitimate Interest | 26 months (Google Analytics default) |
Marketing Preferences | Opt‑in status, communication channels | Send offers & newsletters | Consent | Until opt‑out + 30 days |
Support Records | Chat / email transcripts, call recordings | Troubleshooting, quality assurance | Legitimate Interest | 2 yrs |
Sensitive Data † | Health notes entered by Subscriber; precise geo (optional) | Only when strictly necessary for a booked service | Explicit Consent; Art 9 GDPR | As instructed by Subscriber or 30 days after service |
* Legal basis references GDPR Articles 6 & 9 and equivalent concepts under CPRA & PIPEDA. When multiple bases apply we rely on the strongest lawful option.
† We do not proactively request sensitive data. If you voluntarily provide it, we treat it with heightened protections (encryption, limited access, short retention, audit logging).
We never use Stripe payment data or sensitive health information for marketing or profiling.
We use first‑ and third‑party cookies, web beacons, local storage, and similar technologies to:
Full details appear in our Cookie Policy.
Recipient | Purpose | Safeguard |
---|---|---|
Stripe | Payment processing | DPA + SCCs + PCI‑DSS certification |
Supabase | Managed Postgres DB, file storage | AES‑256 at rest; TLS 1.2; DPA + SCCs |
Microsoft Azure Blob Storage | Media uploads & backups | Encryption at rest; separate encryption keys; DPA + SCCs |
Vercel | Hosting & edge caching | ISO 27001; DPA + SCCs |
Twilio / SendGrid | SMS & email delivery | SOC 2; DPA + SCCs |
Authorized Subscriber | Provide requested service | Controller–Processor contract |
Government / Law enforcement | Legal compliance | Legal obligation + minimisation |
Corporate successors | M&A, financing, reorg | Confidentiality & DPF/SCCs |
Submit requests via Account → Privacy Dashboard or email privacy@flowdara.com with subject "Data Subject Request". We will verify identity (two‑factor challenge or signed request via logged‑in session) and respond within:
If you believe we have not resolved your concern, you may lodge a complaint with your local supervisory authority (contact links provided in the Privacy Dashboard).
We keep Personal Information only as long as necessary for the purposes described or as required by law:
When retention expires, data is securely erased or anonymised within 60 days.
Servers are located in the United States and Canada; backups are held in the UK South Azure region (for UK rollout). Transfers from EEA/UK/Switzerland rely on Standard Contractual Clauses and (where applicable) our EU‑U.S./UK/Swiss Data Privacy Framework certification. Supplementary measures include encryption, access logging, and strict sub‑processor vetting.
If you connect Flowdara to Google Calendar™ or other OAuth providers, we will access calendar metadata solely to display availability and create events you ask us to create. Flowdara's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Humans do not read calendar content except with your explicit consent for support or security reasons.
We do not knowingly collect data from children under 13 (COPPA). Parents who believe a child has provided us data may contact privacy@flowdara.com for immediate deletion. Minors aged 13–15 may use the Services only with verifiable parental consent; UK/EU users aged 13–16 require guardian consent per GDPR Article 8.
Minor updates are posted at https://flowdara.com/privacy. Material changes (those that reduce your rights or expand processing) will be announced 30 days in advance via email and in‑app notices. Continued use after the effective date constitutes acceptance.
Data Controller: Flowdara, Inc.
DPO & Privacy Office:
210 SW Century Dr., Bend, OR 97702, USA
✉︎ privacy@flowdara.com
☎︎ +1 (541) xxx‑xxxx
EU/UK representative details will be added prior to UK launch and will appear here.
For unresolved GDPR complaints you may contact the Irish Data Protection Commission or your local supervisory authority. For Data Privacy Framework complaints see Section 14 of the DPF Principles.
© 2025 Flowdara, Inc. All rights reserved.