Privacy Policy

Effective: April 19, 2026 · Last updated: April 19, 2026

1. Overview

Flowify (“Flowify,” “we,” “us,” or “our”) provides a financial autopilot platform that helps small businesses automatically allocate revenue across smart accounts (“Smart Nodes”) for taxes, payroll, vendors, and operating expenses. To do this, we connect to your bank accounts and point‑of‑sale systems on your behalf.

This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and the rights and choices you have. By using Flowify you agree to the practices described here.

2. Who we are

Flowify is operated by Scielo Guerra, the data controller for information processed through this service. You can reach us at ceo@flowifyos.com.

3. Data we collect

We collect three categories of information:

a) Account information

When you create an account, we collect your name, email address, business name, currency, time zone, and authentication identifiers. If you sign in with Google, we receive your email and basic profile from Google.

b) Business & financial data

We collect data needed to operate the service: bank account balances and transactions (via Plaid), point‑of‑sale sales and product data (via Lightspeed Retail and Lightspeed eCom), allocation rules you configure, vendor names, recurring bills, tax filing schedules, and the resulting allocation history.

c) Technical & usage data

We log device information, IP address, browser, pages visited, actions taken in the app, and error reports. This is used to keep the service secure, debug issues, and improve usability.

4. Bank data accessed via Plaid

Flowify uses Plaid Inc. to securely connect to your financial institutions. By using Flowify, you also agree to Plaid’s End User Privacy Policy.

Through Plaid we receive: account identifiers, account and routing numbers (when needed for transfers), account balances, and transaction history. We do not receive or store your bank login username or password — those credentials are entered directly into Plaid and never touch our servers.

We use this data only to: (i) display your balances and transactions inside Flowify, (ii) compute and execute allocations across your Smart Nodes, (iii) reconcile point‑of‑sale activity against bank deposits, and (iv) send you alerts you have configured. We do not sell consumer banking data, use it for advertising, or share it with data brokers.

All consumer data we receive from the Plaid API is encrypted at rest using AES‑256 in our managed Postgres database, and encrypted in transit using TLS 1.2 or higher.

5. How we use your data

  • To provide, operate, and maintain the Flowify service.
  • To run automatic allocations and move funds between your accounts according to rules you configure.
  • To reconcile point‑of‑sale sales against bank deposits and surface variances.
  • To send transactional emails (allocation summaries, low‑balance alerts, tax filing reminders, password resets, and similar).
  • To respond to support requests and prevent abuse.
  • To improve product reliability via aggregated analytics and error reports.
  • To comply with legal obligations.

We do not use your bank or POS data to train AI models. AI features (e.g., the in‑app assistant) only see the data needed to answer your specific request and are processed under the terms of our AI providers.

7. Sharing & third‑party processors

We do not sell your personal information. We share data only with the third‑party processors required to run the service, each under a contract that limits how they may use it:

  • Plaid — secure bank connectivity, account balances, and transactions.
  • Lightspeed Retail & eCom — point‑of‑sale sales, products, and inventory data (only when you connect your store).
  • Lovable Cloud (Supabase) — managed Postgres database, authentication, file storage, and edge functions.
  • Cloudflare — application hosting, DNS, and DDoS / web‑application‑firewall protection.
  • Google — optional Google sign‑in and transactional email delivery.
  • AI model providers (e.g., Google Gemini, OpenAI) — only when you explicitly use AI features inside the app.

We may also disclose data when required by law, to enforce our terms, to protect the rights, property, or safety of Flowify or others, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you).

8. Storage & security

Data is stored in a managed Postgres database with row‑level security policies that scope every record to the owning business. Data at rest is encrypted with AES‑256; data in transit is encrypted with TLS 1.2 or higher (TLS 1.3 in practice). HTTP Strict Transport Security is enforced for one year on all flowifyos.com subdomains.

Administrative access to our infrastructure is protected by phishing‑resistant multi‑factor authentication (FIDO2 passkeys) on a single Google identity. Secrets such as API keys and integration tokens are stored in an encrypted secrets vault, not in source code.

No system can be guaranteed 100% secure, but we work continuously to protect your information and will notify affected users promptly if a breach materially affects their data, in line with applicable law.

9. Retention & deletion

We retain your account data for as long as your account is active. Transaction, allocation, and reconciliation history is retained while your account is active so that you have access to your full financial record.

When you delete your account, we delete or de‑identify your personal data within 30 days, except where we are required to retain it for legal, tax, accounting, or fraud‑prevention reasons. Backups are purged on a rolling 30‑day schedule.

You can request deletion at any time by emailing ceo@flowifyos.com.

10. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (“right to erasure”).
  • Export your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time, where consent is the basis.
  • Disconnect Plaid, Lightspeed, or any other integration.
  • Opt out of non‑essential emails using the unsubscribe link in any message.
  • Lodge a complaint with your local data‑protection authority.

To exercise any of these rights, email ceo@flowifyos.com. We will respond within 30 days.

11. Children

Flowify is built for businesses and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with data, contact us and we will delete it.

12. International data transfers

Flowify is operated from the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. and other countries where our processors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross‑border transfers.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. Material changes will be communicated by email or in‑app notice before they take effect. Continued use of Flowify after the effective date constitutes acceptance of the updated policy.

14. Contact us

Questions, requests, or concerns about this Privacy Policy or your data?

Email: ceo@flowifyos.com
Web: flowifyos.com