PRIVACY POLICY


1. INTRODUCTION

Flodo AI Private Limited ("Flodo", "Company", "we", "us", or "our") respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we collect, use, disclose, store, transfer, and otherwise process personal data when you access or use our websites, applications, integrations, APIs, products, and services (collectively, the "Services").

This Privacy Policy is designed to align with applicable privacy and data protection laws, including the Digital Personal Data Protection Act, 2023 of India ("DPDP Act"), and, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable laws.

If you are using the Services on behalf of an organisation, enterprise, or other legal entity ("Customer"), we may process certain personal data on behalf of the Customer as a "processor" or "service provider", while the Customer acts as the "controller" or "business", as applicable.

2. SCOPE

This Privacy Policy applies to:

(a) visitors to our website; (b) individuals who register for or use our Services; (c) personnel of our Customers, vendors, and partners; (d) individuals whose personal data is included in Customer Data processed through our Services; and (e) individuals who contact us for support, demos, marketing, or business enquiries.

This Privacy Policy does not apply to third-party websites, platforms, or services that are not operated by us, even if they are linked to or integrated with our Services.

3. IMPORTANT ROLE CLARIFICATION: WHEN WE ARE A CONTROLLER VS PROCESSOR

3.1. Flodo as Controller

Flodo acts as a data controller (or equivalent concept under applicable law) when we determine the purposes and means of processing personal data for our own business purposes, including:

(a) account creation and administration; (b) billing, invoicing, and subscription management; (c) responding to support or demo requests; (d) security, fraud prevention, and service improvement; (e) marketing communications (subject to applicable law); (f) compliance with legal obligations.

3.2. Flodo as Processor / Service Provider

Flodo acts as a processor (or service provider) when we process personal data on behalf of our Customer through the Services, including data accessed, stored, analysed, or transmitted through integrations such as project management tools, collaboration tools, productivity suites, customer systems, or other third-party applications connected by the Customer ("Customer Data"). In such cases:

(a) the Customer is responsible for providing all necessary notices and obtaining all required consents or authorisations; and (b) the Customer determines the purposes and lawful basis for processing Customer Data.

4. CATEGORIES OF PERSONAL DATA WE COLLECT

We may collect the following categories of personal data, depending on how you interact with the Services:

4.1. Account and Identity Information

(a) full name; (b) business email address; (c) company name; (d) job title or role; (e) username, login credentials, or single sign-on identifiers; (f) profile information you choose to provide.

4.2. Customer Account and Commercial Information

(a) subscription details; (b) billing contact details; (c) invoicing details; (d) transaction records; (e) business communications relating to procurement, onboarding, or account management.

4.3. Customer Data and Integration Data

Where enabled by the Customer, we may process data made available through integrations or APIs, including data from tools such as issue trackers, ticketing systems, messaging platforms, document systems, calendars, productivity suites, CRMs, and similar enterprise software. This may include:

(a) names and work contact details of users; (b) messages, comments, tickets, tasks, issue metadata, project information, and attached content; (c) calendar, document, or workspace metadata; (d) prompts, queries, commands, and outputs generated through the Services; (e) other data the Customer elects to connect, import, upload, or process through the Services.

4.4. Usage, Technical, and Device Information

(a) IP address; (b) browser type and version; (c) device identifiers; (d) operating system; (e) approximate location derived from IP; (f) timestamps, log data, and session data; (g) usage analytics, feature interaction, clickstream, and performance metrics; (h) diagnostic and error data.

4.5. Support and Communications Data

(a) support requests and tickets; (b) emails, chat messages, call notes, and feedback; (c) information you voluntarily provide during troubleshooting, onboarding, or product discussions.

4.6. Marketing and Event Information

(a) preferences for receiving communications; (b) webinar or event registration information; (c) interactions with newsletters, campaigns, or outreach.

4.7. Sensitive Personal Data

We do not intentionally require or seek sensitive personal data unless strictly necessary and legally permitted. Customers should not submit sensitive personal data through the Services unless expressly authorised under contract and supported by appropriate safeguards.

5. HOW WE COLLECT PERSONAL DATA

We collect personal data:

(a) directly from you when you create an account, request a demo, contact us, subscribe, or use the Services; (b) from your employer or organisation where they provision your access; (c) from Customer-authorised integrations, APIs, imports, or uploads; (d) automatically through cookies, logs, SDKs, and similar technologies; (e) from service providers, partners, resellers, and public or professional sources, where permitted by law.

6. PURPOSES OF PROCESSING

We process personal data for the following purposes, as applicable:

(a) to provide, operate, host, maintain, and support the Services; (b) to authenticate users and manage access controls; (c) to enable integrations and process Customer Data in accordance with Customer instructions; (d) to generate outputs, summaries, recommendations, workflows, or automations requested through the Services; (e) to communicate with you regarding account, billing, support, security, or operational matters; (f) to process payments, invoices, renewals, and subscription administration; (g) to monitor performance, troubleshoot issues, improve usability, and develop product features; (h) to detect, prevent, investigate, and address fraud, abuse, misuse, or security incidents; (i) to comply with legal obligations, law enforcement requests, and dispute resolution; (j) to send marketing or promotional communications, where permitted by law and subject to opt-out rights; (k) to enforce our agreements, policies, and acceptable use requirements; (l) to perform internal reporting, analytics, forecasting, and business operations.

7. LEGAL BASES FOR PROCESSING (EEA / UK USERS)

If the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

7.1. Performance of a Contract

We process personal data where necessary to enter into or perform a contract with you or your organisation, including:

(a) creating and administering accounts; (b) providing the Services; (c) processing subscriptions, renewals, and support; (d) enabling integrations and requested functionality.

7.2. Legitimate Interests

We process personal data where necessary for our legitimate interests, provided such interests are not overridden by your fundamental rights and freedoms, including:

(a) improving and developing the Services; (b) maintaining security, preventing fraud, and enforcing policies; (c) internal analytics, product performance, and business operations; (d) responding to enterprise enquiries and managing customer relationships; (e) limited direct marketing to business contacts, where lawful.

7.3. Consent

We process personal data based on consent where required by law, including for:

(a) certain cookies or tracking technologies; (b) certain marketing communications; (c) any optional processing where consent is the appropriate legal basis.

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before it was withdrawn, and some features of the Services may not be available once consent is withdrawn.

7.4. Legal Obligation

We process personal data where necessary to comply with legal obligations, including tax, accounting, corporate governance, sanctions, lawful requests, and regulatory compliance.

7.5. Vital Interests / Public Task

These bases are generally not expected to apply in the ordinary course of our Services, but may be relied upon where legally applicable in exceptional circumstances.

8. AI / MODEL USE AND CUSTOMER DATA COMMITMENT

8.1. Customer Data Processing

We process Customer Data solely:

(a) to provide and support the Services; (b) to generate outputs requested by the Customer or authorised users; (c) to maintain, secure, and improve the Services in a manner consistent with applicable law and contractual commitments.

8.2. No Training on Customer Data for Shared Models (unless expressly agreed)

Unless expressly agreed in writing with the Customer or the relevant user through a separate opt-in mechanism, Flodo does not use Customer Data, prompts, uploaded files, integration data, or generated outputs to train general-purpose or shared foundation models intended for use across unrelated customers.

8.3. De-identified / Aggregated Data

We may use aggregated, anonymised, or de-identified data that does not identify any individual and cannot reasonably be re-identified, for analytics, benchmarking, service improvement, capacity planning, and lawful business purposes.

9. COOKIES AND SIMILAR TECHNOLOGIES

We may use cookies, pixels, local storage, and similar technologies to:

(a) keep you signed in; (b) remember preferences; (c) secure sessions; (d) understand usage and performance; (e) improve functionality; (f) measure campaign effectiveness, where applicable.

Where required by law, we will obtain consent before placing non-essential cookies. You may manage cookies through browser settings or cookie preference tools, subject to service functionality limitations.

10. DISCLOSURE OF PERSONAL DATA

We may disclose personal data only as necessary and subject to appropriate safeguards, including to:

10.1. Service Providers/Sub-processors

Third-party vendors who provide infrastructure, hosting, cloud storage, authentication, payment processing, customer support, analytics, security, communications, email delivery, monitoring, and related services.

10.2. Customer Organisations

If you use the Services through an employer or enterprise account, certain information may be accessible to the relevant Customer, account administrators, or authorised personnel.

10.3. Business Transfers

In connection with a merger, acquisition, restructuring, financing, asset sale, or similar corporate transaction, subject to confidentiality and lawful processing requirements.

10.4. Legal and Regulatory Disclosures

Where required to comply with law, regulation, court order, legal process, governmental request, or to protect rights, safety, or security.

10.5. Professional Advisors

Lawyers, auditors, accountants, insurers, and consultants bound by confidentiality obligations.

11. SUB-PROCESSORS

We may engage sub-processors to process personal data on our behalf. We maintain and make available, upon request or via a designated webpage, information regarding categories of sub-processors and/or a current list of material sub-processors used to provide the Services.

Where required by law or contract:

(a) we enter into appropriate data processing agreements with sub-processors; (b) we impose confidentiality and security obligations; (c) we remain responsible for sub-processor compliance to the extent required by applicable law and our agreements.

12. INTERNATIONAL DATA TRANSFERS

Flodo is based in India, and personal data may be processed in India and other countries where we or our service providers operate.

12.1. Transfers from EEA / UK / Switzerland

Where personal data subject to the GDPR, UK GDPR, or similar laws is transferred outside the relevant jurisdiction to a country that is not recognised as providing an adequate level of protection, we implement appropriate safeguards, such as:

(a) the European Commission's Standard Contractual Clauses; (b) the UK International Data Transfer Addendum or other UK-approved mechanisms; (c) other valid transfer mechanisms recognised under applicable law.

12.2. Customer DPA

Where Flodo acts as a processor, the applicable DPA may further govern international transfers of Customer Data.

12.3. Cross-Border Transfers under Indian Law

Where applicable under Indian law, we will process and transfer personal data in accordance with the DPDP Act and any rules or restrictions notified thereunder.

13. DATA RETENTION

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including:

(a) for the duration of the relevant account or customer relationship; (b) as required to provide the Services and support obligations; (c) as required by applicable law, tax, accounting, or recordkeeping obligations; (d) as necessary to resolve disputes, enforce agreements, or protect rights.

Retention periods may vary based on the nature of the data, the role in which we process it (controller vs processor), contractual requirements, and legal obligations.

When Flodo acts as a processor, Customer Data will generally be retained and deleted in accordance with Customer instructions, the applicable contract, and technical/operational backup cycles.

14. SECURITY

We implement reasonable and appropriate technical, organisational, and administrative safeguards designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction. Such safeguards may include:

(a) access controls and least-privilege principles; (b) encryption in transit and, where appropriate, at rest; (c) logging and monitoring; (d) vulnerability management and security reviews; (e) backup and recovery processes; (f) employee confidentiality obligations and access restrictions; (g) vendor due diligence and contractual controls.

No system is completely secure. However, we take security seriously and continuously work to maintain safeguards appropriate to the risks involved.

15. YOUR RIGHTS UNDER INDIAN LAW (DPDP ACT)

Where the DPDP Act applies and subject to applicable law, you may have the right to:

(a) obtain information about the personal data we process about you; (b) request correction, completion, updating, or erasure of your personal data; (c) withdraw consent at any time, where processing is based on consent; (d) seek grievance redressal through our designated contact; (e) nominate another individual to exercise these rights on your behalf, where the DPDP Act and its rules permit.

We may need to verify your identity before acting on a request. Certain rights may be subject to limitations, exemptions, contractual constraints, or legal obligations.

16. YOUR RIGHTS UNDER GDPR / UK GDPR

If you are located in the EEA, UK, or another jurisdiction with similar rights, and Flodo is acting as a controller with respect to your personal data, you may have the right to:

(a) Right of Access – to obtain confirmation and a copy of your personal data; (b) Right to Rectification – to correct inaccurate or incomplete personal data; (c) Right to Erasure – to request deletion in certain circumstances; (d) Right to Restrict Processing – to limit processing in certain circumstances; (e) Right to Data Portability – to receive certain personal data in a structured, commonly used, machine-readable format; (f) Right to Object – to object to processing based on legitimate interests or for direct marketing; (g) Right to Withdraw Consent – where processing is based on consent; (h) Right to Lodge a Complaint – with your local supervisory authority.

If Flodo acts as a processor, we will assist the relevant Customer in responding to requests to the extent required by law and contract, and you may need to direct your request to the relevant Customer (the controller).

17. CALIFORNIA / U.S. PRIVACY DISCLOSURES

If you are a resident of California or another U.S. state whose privacy law applies to personal data we process, any additional disclosures or rights required by that law will be set out in a dedicated U.S. state privacy addendum, which supplements this Privacy Policy.

18. CHILDREN'S PRIVACY

Our Services are intended for business and professional use and are not directed to children. We do not knowingly collect personal data from children below the age at which consent is required under applicable law. If you believe a child has provided personal data to us, please contact us so we can take appropriate steps.

19. MARKETING COMMUNICATIONS

Where permitted by law, we may send business-related newsletters, updates, product announcements, invitations, or promotional communications. You may opt out at any time by using the unsubscribe link in the communication or by contacting us.

We will continue to send transactional or service-related communications where necessary for account administration, billing, security, or contractual performance.

20. AUTOMATED DECISION-MAKING

Flodo may use algorithmic or AI-assisted systems to generate summaries, recommendations, classifications, automations, or suggested outputs. These outputs are intended to support users and workflows and may require human review. We do not make solely automated decisions producing legal or similarly significant effects on individuals unless expressly disclosed and supported by a valid legal basis and appropriate safeguards.

21. THIRD-PARTY SERVICES AND INTEGRATIONS

The Services may integrate with or enable access to third-party products, services, APIs, or websites. Your use of those third-party services is governed by their own terms and privacy policies. We are not responsible for the privacy practices of third parties except to the extent we act as a processor or service provider under an applicable agreement.

22. DATA PROCESSING AGREEMENT (DPA)

Where Flodo processes Customer Data on behalf of a Customer, the parties may enter into a DPA governing:

(a) subject matter and duration of processing; (b) nature and purpose of processing; (c) categories of personal data and data subjects; (d) confidentiality and security obligations; (e) sub-processing; (f) assistance with data subject rights, incidents, DPIAs, and audits; (g) deletion or return of Customer Data; (h) international transfer safeguards.

23. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. Where required by law, we will provide notice of material changes by posting the updated policy, updating the "Last Updated" date, or through other appropriate means.

24. CONTACT DETAILS / GRIEVANCE OFFICER / PRIVACY CONTACT

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact:

Flodo AI Private Limited
Attention: Nilay Jain
Email: nilay@flodo.ai
Address: SANMATI 965 B/1 Kailashpuri Road, Behind Cristen Ganj, Ajmer

For users in the EEA / UK, the above contact may also be used for privacy rights requests and transfer safeguard enquiries.

25. HOW TO EXERCISE YOUR RIGHTS

To exercise your rights, please email us at the address above with:

(a) your name and business contact details; (b) the nature of your request; (c) the relationship you have with Flodo (website visitor, user, customer contact, employee of customer, etc.); (d) any details that help us identify the relevant account or data.

We may request reasonable information to verify identity and authority before processing your request.