Privacy Policy
FlowXIQ (“we”, “our”, or “us”) is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform.
Last updated: July 1, 2025 · Effective: July 1, 2025
📋1. Information We Collect
We collect only what is necessary to provide and improve the FlowXIQ service. This includes:
Full name, email address, business/company name, and role (owner, manager, or worker) provided during registration or access request.
Items captured during vendor visits, quantities, prices, vendor names, product photos, order statuses, approval history, worker commissions, and any notes attached to orders.
API keys and tokens for connected Point-of-Sale systems (e.g., Square, Shopify, Clover). These are stored encrypted at rest using AES-256 encryption and are never logged in plaintext.
Pages visited, features used, timestamps of actions, browser/device type, and IP address. These logs are used solely for debugging, security monitoring, and improving the platform.
If you contact us via email, we retain those communications to respond to your inquiry and improve our support.
⚙️2. How We Use Your Information
Your information is used exclusively to operate and improve FlowXIQ:
- Provide, maintain, and secure your FlowXIQ workspace
- Authenticate users and protect against unauthorized access
- Send transactional emails (e.g., invite links, password resets) via Resend
- Push approved purchasing data to connected POS systems on your behalf
- Calculate and display worker commission reports
- Monitor for errors, security incidents, and performance issues
- Respond to support requests and legal inquiries
We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising or behavioral profiling.
🔗3. Third-Party Services & Sub-Processors
FlowXIQ uses the following infrastructure providers. Each is bound by their own privacy and data processing agreements:
Our application is deployed on Vercel's infrastructure. Vercel processes request metadata and serves the FlowXIQ web application globally. Privacy Policy: vercel.com/legal/privacy-policy
All application data (accounts, orders, items, credentials) is stored in Turso's distributed SQLite database. Data is encrypted at rest and in transit. Privacy Policy: turso.tech/privacy-policy
We use Resend to send system emails such as worker invite links and account notifications. Resend receives the recipient email address and message content for delivery purposes only. Privacy Policy: resend.com/legal/privacy-policy
We do not integrate any advertising networks, social media trackers, or analytics platforms that collect personal data.
🍪4. Cookies & Session Storage
FlowXIQ uses a single, encrypted session cookie to maintain your authenticated session. This cookie:
- Is set only when you log in and is cleared when you log out or your session expires
- Contains no personally identifiable information — it holds only a signed, encrypted session identifier
- Is marked HttpOnly, Secure, and SameSite=Lax
- Is transmitted only over HTTPS
We do not use tracking cookies, analytics cookies, advertising cookies, or third-party cookies of any kind. No cookie consent banner is required for this reason.
📅5. Data Retention
We retain your data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations or resolve disputes.
- Account data: Retained while your account is active and up to 30 days after account deletion for backup purposes
- Order data: Retained for the duration of your subscription plus 90 days after cancellation
- Usage logs: Retained for up to 90 days for debugging and security purposes, then automatically purged
- Deletion requests: Processed within 30 days of receipt
⚖️6. Your Rights — GDPR & CCPA
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Request a copy of the personal data we hold about you.
Correct inaccurate or incomplete data we hold.
Request deletion of your personal data ("right to be forgotten").
Receive your data in a machine-readable format.
Request we limit how we process your data.
Object to processing based on legitimate interests.
To exercise any of these rights, email us at privacy@flowxiq.com. We will respond within 30 days. For deletion requests, include your registered email address and business name. California residents may additionally contact us under CCPA rights.
🔒7. How We Protect Your Data
We implement industry-standard security measures. See our dedicated Security page for full details. In summary:
- AES-256 encryption for all stored POS API credentials
- bcrypt (12 rounds) for all password hashes
- HTTPS-only access enforced via Vercel TLS
- Database encryption at rest via Turso
- No plaintext storage of sensitive credentials anywhere in the system
👶8. Children's Privacy
FlowXIQ is a business-to-business SaaS platform intended for use by business owners, managers, and retail workers who are at least 18 years old. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@flowxiq.com.
📢9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will notify account owners via email at least 14 days before the changes take effect. Continued use of FlowXIQ after the effective date constitutes acceptance of the revised policy.
Privacy Questions?
If you have any questions about this Privacy Policy or want to exercise your data rights, please reach out to our privacy team.
privacy@flowxiq.com