Privacy Policy
Effective Date: April 10, 2026
Esthetic Edge LLC d/b/a Permanent Profits ("we," "us," or "our") operates the Flowly platform at bot.permanentprofits.co and related mobile applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and share your information when you use our Service.
1. Information We Collect
We collect the following categories of information:
- Account Information: Name, email address, business name, and phone number provided during registration.
- Payment Information: Payment details processed securely through Stripe. We do not store credit card numbers on our servers.
- Google Account Data: When you connect your Google Calendar, we access your Google account email address, calendar free/busy information, and calendar events solely to provide appointment scheduling features. See Section 4 for details.
- Business Configuration Data: Bot configurations, business hours, service descriptions, and workflow settings you create within the platform.
- Communication Data: Messages processed through your bots, including inbound and outbound text messages.
- Usage Data: Log data, device information, and analytics collected automatically when you interact with the Service.
2. How We Use Your Information
- Provide, maintain, and improve the Service
- Process payments and manage your subscription
- Schedule appointments and check calendar availability on your behalf
- Send transactional communications (booking confirmations, account alerts)
- Respond to support requests
- Comply with legal obligations
3. Data Storage and Security
Your data is stored in secured databases hosted by Supabase (PostgreSQL). Sensitive credentials, including Google OAuth tokens, are encrypted at rest using AES-256-GCM encryption. We use HTTPS/TLS for all data in transit.
While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
4. Google User Data
Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
What we access:
- Your Google account email address (to identify the connected account)
- Calendar free/busy data (to calculate available appointment slots)
- Calendar events (to create, read, and cancel bookings on your behalf)
How we use Google data:
- Google Calendar data is used exclusively to provide appointment scheduling functionality within the Service
- We do not use Google data for advertising or marketing purposes
- We do not sell, rent, or share Google user data with third parties
- We do not use Google data to build user profiles unrelated to the Service
Data retention and deletion:
- Google OAuth refresh tokens are stored encrypted (AES-256-GCM) and are deleted immediately when you disconnect your Google Calendar from the Service
- Booking records created via the Service are retained for your records, but the Google Calendar connection can be revoked at any time
- You may also revoke access at any time via your Google Account permissions page
Limited Use Disclosure:
Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. Third-Party Services
We use the following third-party services to operate the platform:
- Supabase — database hosting and authentication
- Stripe — payment processing
- Telnyx — SMS messaging
- OpenAI — AI-powered bot responses
- Google Calendar API — appointment scheduling
- Meta Marketing API — ad creation (when enabled by user)
- Vercel — application hosting
Each third-party service processes data in accordance with its own privacy policy. We only share the minimum data necessary for each service to function.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. If you close your account, we will delete or anonymize your data within 90 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Withdraw consent for data processing
- Export your data in a portable format
- Disconnect third-party integrations (Google, Meta) at any time
To exercise any of these rights, contact us at the email below.
8. Mobile Application
The Flowly iOS and Android applications collect and process the same categories of data described above, with the following mobile-specific practices:
Device permissions we request:
- Camera — only used when you record a video for an ad creative. Video is uploaded to your own ad account; we do not retain a copy on our servers.
- Photo Library — only used when you upload an image for an ad or your business website. Uploaded media is stored in your tenant-scoped Supabase Storage bucket.
- Microphone — only active during video recording (same use case as Camera).
- Notifications — used exclusively to alert you when a new SMS lead arrives. We collect your Expo push token and associate it with your account for this purpose. No promotional or marketing notifications are sent.
Data stored on your device:
- Your portal access token and short-lived Supabase authentication JWT are stored in the operating system's secure credential store (iOS Keychain / Android Keystore) via Expo SecureStore.
- You can remove both by signing out of the app or uninstalling it.
Crash and diagnostic data:
When crash reporting is enabled, the app may send anonymized crash stack traces and performance metrics to Sentry (sentry.io) to help us diagnose and fix bugs. This data is not linked to your identity or message content. You can disable diagnostics at the operating system level via iOS Settings → Privacy & Security → Analytics & Improvements, or Android Settings → Google → Usage & diagnostics.
Location and tracking:
The mobile apps do not collect precise or coarse location data. We do not use the iOS IDFA or any advertising identifier, and we do not track you across other apps or websites.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Esthetic Edge LLC d/b/a Permanent Profits
7901 4th St N, Ste 300, St Petersburg, FL 33702
Email: isabelle@permanentprofits.co