Privacy Policy

FlowXIQ (“we”, “our”, or “us”) is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform.

Last updated: July 1, 2025  ·  Effective: July 1, 2025

1. Information We Collect

We collect only what is necessary to provide and improve the FlowXIQ service. This includes:

Account & Identity Information

Full name, email address, business/company name, and role (owner, manager, or worker) provided during registration or access request.

Order & Purchasing Data

Items captured during vendor visits, quantities, prices, vendor names, product photos, order statuses, approval history, worker commissions, and any notes attached to orders.

POS Integration Credentials

API keys and tokens for connected Point-of-Sale systems (e.g., Square, Shopify, Clover). These are stored encrypted at rest using AES-256 encryption and are never logged in plaintext.

Usage & Technical Logs

Pages visited, features used, timestamps of actions, browser/device type, and IP address. These logs are used solely for debugging, security monitoring, and improving the platform.

Communications

If you contact us via email, we retain those communications to respond to your inquiry and improve our support.


2. How We Use Your Information

Your information is used exclusively to operate and improve FlowXIQ:

  • Provide, maintain, and secure your FlowXIQ workspace
  • Authenticate users and protect against unauthorized access
  • Send transactional emails (e.g., invite links, password resets) via Resend
  • Push approved purchasing data to connected POS systems on your behalf
  • Calculate and display worker commission reports
  • Monitor for errors, security incidents, and performance issues
  • Respond to support requests and legal inquiries

We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising or behavioral profiling.


3. Third-Party Services & Sub-Processors

FlowXIQ uses the following infrastructure providers. Each is bound by its own privacy and data processing agreements:

Vercel — Hosting & Edge Network

Our application is deployed on Vercel's infrastructure. Vercel processes request metadata and serves the FlowXIQ web application globally. Privacy Policy: vercel.com/legal/privacy-policy

Turso / LibSQL — Database

All application data (accounts, orders, items, credentials) is stored in Turso's distributed SQLite database. Data is encrypted at rest and in transit. Privacy Policy: turso.tech/privacy-policy

Resend — Transactional Email

We use Resend to send system emails such as worker invite links and account notifications. Resend receives the recipient email address and message content for delivery purposes only. Privacy Policy: resend.com/legal/privacy-policy

We do not integrate any advertising networks, social media trackers, or analytics platforms that collect personal data.


4. Cookies & Session Storage

FlowXIQ uses a single, encrypted session cookie to maintain your authenticated session. This cookie:

  • Is set only when you log in and is cleared when you log out or your session expires
  • Contains no personally identifiable information — it holds only a signed, encrypted session identifier
  • Is marked HttpOnly, Secure, and SameSite=Lax
  • Is transmitted only over HTTPS

We do not use tracking cookies, analytics cookies, advertising cookies, or third-party cookies of any kind. No cookie consent banner is required for this reason.


5. Data Retention

We retain your data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations or resolve disputes.

  • Account data: Retained while your account is active and up to 30 days after account deletion for backup purposes
  • Order data: Retained for the duration of your subscription plus 90 days after cancellation
  • Usage logs: Retained for up to 90 days for debugging and security purposes, then automatically purged
  • Deletion requests: Processed within 30 days of receipt

6. Your Rights — GDPR & CCPA

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right to Access

Request a copy of the personal data we hold about you.

Right to Rectification

Correct inaccurate or incomplete data we hold.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a machine-readable format.

Right to Restrict

Request that we limit how we process your data.

Right to Object

Object to processing based on legitimate interests.

To exercise any of these rights, email us at privacy@flowxiq.com. We will respond within 30 days. For deletion requests, include your registered email address and business name. California residents may additionally contact us to exercise their rights under the CCPA.


7. How We Protect Your Data

We implement industry-standard security measures. See our dedicated Security page for full details. In summary:

  • AES-256 encryption for all stored POS API credentials
  • bcrypt (12 rounds) for all password hashes
  • HTTPS-only access enforced via Vercel TLS
  • Database encryption at rest via Turso
  • No plaintext storage of sensitive credentials anywhere in the system

8. Children's Privacy

FlowXIQ is a business-to-business SaaS platform intended for use by business owners, managers, and retail workers who are at least 18 years old. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@flowxiq.com.


9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will notify account owners via email at least 14 days before the changes take effect. Continued use of FlowXIQ after the effective date constitutes acceptance of the revised policy.

Privacy Questions?

If you have any questions about this Privacy Policy or want to exercise your data rights, please reach out to our privacy team.

privacy@flowxiq.com