Privacy Policy
This Privacy Policy describes how Flowpilot360 LLC ("Flowpilot," "we," "us," or "our") collects, uses, shares, and protects information in connection with the Flowpilot CRM platform, including the website at flowpilot360.com, the application at app.flowpilot360.com, and our agent API (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Scope of This Policy
Flowpilot operates a multi-tenant Software-as-a-Service ("SaaS") customer relationship management platform for small businesses. This Privacy Policy applies to:
- Customers ("Tenants") — small businesses that subscribe to and use the Service to manage their own customer relationships
- End users — individuals (such as Tenants' customers, leads, or contacts) whose information is processed by Flowpilot on behalf of a Tenant
- Visitors to our marketing website at flowpilot360.com
When Flowpilot processes information about a Tenant's end users, the Tenant is the "data controller" and Flowpilot acts as a "data processor" under most applicable privacy laws. End users with questions about their information should contact the Tenant directly.
2. Information We Collect
2.1 Information You Provide as a Tenant
When you sign up for or use the Service, we collect:
- Account information: name, email address, password (hashed), phone number, business name, business address, EIN or tax ID, role within your business
- Business profile information: services offered, target customers, brand voice samples, pricing positioning, website URL, business hours, team size, and other context you provide to personalize AI features
- Billing information: when paid subscriptions are active, billing details are processed by our payment provider (Stripe). We do not store full credit card numbers; we store only billing metadata such as last four digits and expiration date
- Communications with us: support requests, feedback, and other correspondence
2.2 Information You Provide About Your Customers
As a Tenant, you upload, import, or generate information about your own customers, leads, and contacts ("Customer Data"). This may include:
- Names, phone numbers, email addresses, mailing addresses
- Communications history (SMS, email, phone call records)
- Service history, appointments, deals, notes
- Custom fields you define
- Content of messages exchanged through the Service
You are the owner and controller of your Customer Data. Flowpilot processes Customer Data only as your service provider, in accordance with our agreement with you.
2.3 Information Collected Automatically
When you use the Service, we automatically collect:
- Usage data: features used, pages visited, automation runs, message volumes, click events
- Device and connection information: IP address, browser type, operating system, device identifiers, time zone
- Log data: server logs, error logs, audit trails of agent and user actions
- Cookies and similar technologies: session cookies for authentication, preference cookies, analytics cookies (see Section 11)
2.4 Information from Third Parties
When you connect external services to your Flowpilot account (Twilio, Stripe, Google Calendar, Gmail, etc.), we receive information from those services as authorized by you, such as connection tokens, account identifiers, and data necessary to operate the integration.
When you use the website extraction feature in our Company Profile, we fetch and analyze content from a website URL you provide.
2.5 Information from AI Agents (Bring-Your-Own-Agent / BYOA)
If you enable an external AI agent (e.g., Claude, ChatGPT, or a custom agent) to interact with your Flowpilot account via our agent API, that agent will exchange information with the Service on your behalf, scoped to permissions you grant. Information passed by the agent may include profile updates, automation configurations, and customer data within your tenant.
3. How We Use Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Service
- Authenticate users and authorize actions
- Process subscriptions, billing, and payments
- Send transactional communications (account verifications, billing notices, security alerts)
- Send service-related communications about new features, updates, and changes
- Operate AI features, including generating personalized messages, suggestions, and workflow recommendations
- Operate SMS and email communications on your behalf to your end users (subject to your consent and instructions)
- Detect, prevent, and address fraud, abuse, security issues, and policy violations
- Comply with legal obligations, enforce our terms, and protect rights and safety
- Conduct internal analytics, research, and product development (using aggregated or de-identified data where possible)
We do not sell personal information.
We do not use Customer Data (information about your end users) to train any general-purpose AI model. Customer Data is used only to operate the Service for you.
4. How We Share Information
4.1 Service Providers (Subprocessors)
We share information with third-party service providers who help us operate the Service. Each provider is bound by contractual obligations to protect your information and use it only as we direct. Our subprocessors include:
| Provider | Purpose |
|---|---|
| Supabase (Postgres database hosting) | Application database and authentication |
| Vercel | Application hosting and content delivery |
| Cloudflare | DNS, network security |
| Twilio | SMS messaging, voice services, A2P 10DLC compliance |
| Resend | Transactional and outbound email delivery |
| Lob | Direct mail (postcard) delivery, when used |
| Stripe | Payment processing |
| Anthropic | Claude API for AI features (text generation, classification) |
| Google Cloud | Gemini API for AI features (extraction, classification), Maps and Street View imagery |
| OpenAI | GPT API for AI features, when used as fallback |
| BatchData | Property data and skip-trace services, when used by Tenants of our Industry Lead Engine product |
| Estated, ATTOM Data | Property data services, when used by Tenants of our Industry Lead Engine product |
| Sentry | Error monitoring and diagnostics |
We may add or change subprocessors as our service evolves. Material changes will be reflected in updates to this Privacy Policy.
4.2 As Directed by Tenants
When you (as a Tenant) instruct us to share Customer Data with a third party (e.g., by configuring an integration or authorizing an agent token), we will share that data as directed.
4.3 Legal Requirements and Safety
We may disclose information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request
- Enforce our Terms of Service or other agreements
- Detect, prevent, or address fraud, security, or technical issues
- Protect the rights, property, or safety of Flowpilot, our users, or the public
4.4 Business Transfers
If Flowpilot is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
4.5 Aggregated or De-Identified Information
We may share aggregated or de-identified information that cannot reasonably be used to identify you (e.g., aggregate usage statistics, benchmarks, industry trends).
5. Data Retention
We retain information for as long as your account is active or as needed to provide you the Service. After account closure, we retain information as follows:
- Account and billing records: retained for up to 7 years to comply with tax and accounting obligations
- Customer Data uploaded by Tenants: deleted within 90 days after account closure, unless retention is required by law or by your written request
- Anonymized usage analytics: retained indefinitely
- Audit logs: retained for a minimum of 1 year and up to 7 years for security, compliance, and dispute resolution
You may request earlier deletion of specific information by contacting us at hello@flowpilot360.com.
6. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: request a copy of personal information we hold about you
- Correction: request that we correct inaccurate or incomplete information
- Deletion: request that we delete your personal information, subject to legal retention obligations
- Portability: request that we provide your information in a structured, machine-readable format
- Objection / Restriction: object to or restrict certain processing
- Withdrawal of consent: withdraw consent where processing is based on consent
- Complaint: lodge a complaint with a data protection authority
To exercise these rights, contact us at hello@flowpilot360.com. We will respond within the timeframes required by applicable law.
California residents: under the California Consumer Privacy Act (CCPA), you have specific rights including the right to know what categories of personal information we collect, the right to deletion, and the right to non-discrimination for exercising your rights. We do not sell personal information.
SMS opt-out: if you receive SMS messages from a Tenant via the Service, you may opt out at any time by replying STOP, STOPALL, UNSUBSCRIBE, END, QUIT, or CANCEL to the message. Opt-out requests are processed within 24 hours. You may reply HELP at any time for opt-out instructions and contact information.
7. International Users and Data Transfers
The Service is hosted in the United States and is operated for users in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
By using the Service, you consent to the transfer and processing of your information in the United States.
8. Security
We implement reasonable technical and organizational measures designed to protect your information, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Multi-tenant data isolation enforced at the application database layer
- Role-based access controls
- Audit logging of administrative and agent actions
- Regular security reviews and dependency updates
- Authenticated access via verified email accounts
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you as required by applicable law.
9. Children's Privacy
The Service is not directed to or intended for children under 13 (or 16 in jurisdictions that apply higher thresholds). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child without verified parental consent, we will delete that information.
10. SMS Messaging Privacy
No mobile information — including mobile phone numbers, SMS opt-in data, or SMS consent — is shared with, sold to, or rented to any third parties or affiliates for marketing or promotional purposes. Mobile opt-in information and consent are never shared with any third parties for any purpose other than delivering the messages you asked to receive: such information is disclosed only to the SMS infrastructure provider (Twilio) and the mobile carriers strictly necessary to transmit those messages, and to no one else.
When you (as a Tenant) use the Service to send SMS messages to your end users:
- You are responsible for obtaining all necessary consent from end users before sending messages
- Phone numbers, message content, delivery status, and reply content are processed through Twilio
- We retain SMS records to provide you with messaging history and audit trails
- End users can opt out at any time by replying STOP (or other recognized opt-out keywords)
- We honor opt-out requests by adding the phone number to a tenant-scoped suppression list
- We do not share end-user phone numbers or message content with third parties for marketing purposes
When you receive SMS messages via the Service from a Flowpilot Tenant, message data is processed by Twilio (the underlying carrier infrastructure provider) and Flowpilot. Carriers (e.g., AT&T, Verizon, T-Mobile) also process message metadata for delivery.
Messaging from Flowpilot360 directly. Flowpilot360 also uses its own platform to run its business. If you opt in on a form at flowpilot360.com by checking the SMS consent box, you may receive SMS from Flowpilot360 about appointments, confirmations, reminders, follow-ups, and review requests — the same standardized message types and opt-in flow every business on the platform uses, with "Flowpilot360" as the business name. This consent is optional, is never pre-checked, and is not a condition of purchase. Message frequency varies and message and data rates may apply. We record the consent (the wording you agreed to, the date and time, and the originating IP address) solely as proof of opt-in. Reply STOP to opt out at any time, or HELP for help. We do not sell these phone numbers and do not share them with third parties except the SMS infrastructure provider (Twilio) and carriers needed to deliver the messages.
11. Cookies and Similar Technologies
We use cookies and similar technologies to:
- Authenticate users and maintain session state
- Remember preferences (e.g., theme, language)
- Analyze usage to improve the Service
- Detect and prevent fraud
You can control cookies through your browser settings. Disabling cookies may limit functionality of the Service.
We do not use cookies for cross-site behavioral advertising.
12. Third-Party Links
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top. For material changes, we will provide more prominent notice (e.g., email notification or in-app banner).
Your continued use of the Service after a Privacy Policy update constitutes your acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us:
Flowpilot360 LLC
3629 Estacado Ln
Plano, TX 75025
Email: hello@flowpilot360.com
To exercise your privacy rights, please email hello@flowpilot360.com with the subject line "Privacy Rights Request."