Privacy Policy

This policy applies to personal data processed by FLO LABS (UEN 53523572X) in connection with the Flo service at itjustflos.com. It covers:

• Business customers who subscribe to Flo
• End-customers who message businesses using Flo

Singapore’s Personal Data Protection Act 2012 (PDPA) applies to this policy.

From business customers

• Name, email address, and business details provided at signup
• Payment information (processed by Stripe; we do not store card numbers)
• Knowledge base content you upload (product info, policies, FAQs, etc.)
• Channel credentials (WhatsApp and Instagram account bindings via Zernio; Telegram bot tokens)

From end-customers (your business’s customers)

• Messaging handle or phone number (e.g. WhatsApp number, Telegram username, Instagram handle)
• Message content sent to your business via Flo
• Conversation history generated during interactions

Purpose / Lawful basis:

• Delivering the AI front desk service / Contract performance
• Storing and retrieving business knowledge / Contract performance
• Routing inbound messages to the correct business account / Contract performance
• Processing payments / Contract performance
• Improving the service and troubleshooting / Legitimate interest
• Complying with legal obligations / Legal obligation

We do not use end-customer message content to train AI models beyond what is necessary to respond in the current conversation.

We share data with third-party service providers for cloud infrastructure, payment processing, messaging channel management, and AI model inference. Some providers are located outside Singapore; we ensure comparable data protection through contractual arrangements. We do not sell personal data.

• Conversation history is retained for as long as your subscription is active, plus 30 days after termination.
• Your knowledge base is deleted on account termination.
• Payment records are retained as required by law (typically 5 years for accounting purposes).
• You may request deletion of your data at any time; see the Contact section below.

When you use Flo to communicate with your customers, you remain the organisation responsible for their personal data under Singapore’s PDPA. Flo acts as your data intermediary, processing that data on your behalf and only for the purposes you have authorised. You are responsible for:

• Having a valid basis under the PDPA (such as consent or an applicable exception) to process your customers’ messages
• Informing your customers that AI may handle their inquiries (e.g. in your business’s own data protection notice or at the start of conversations)
• Complying with applicable data protection laws in your jurisdiction

Personal data is stored in Convex, which encrypts data at rest. Channel credentials are stored server-side and never exposed in browser-facing queries. We apply access controls to limit who on our team can access customer data.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you without undue delay.

Under Singapore’s PDPA, you have the right to:

• Access personal data we hold about you
• Correct inaccurate personal data
• Withdraw consent where consent is the lawful basis
• Request deletion, subject to legal retention requirements

To exercise any of these rights, see the Contact section below.

The Flo dashboard uses essential cookies for authentication. We do not use advertising or tracking cookies.

The Flo service is not directed at individuals under 18. We do not knowingly collect personal data from minors.

We may update this policy. We will notify you by email or in-app notice at least 14 days before material changes take effect.

FLO LABS · rae@itjustflos.com