Privacy Policy

We believe your data belongs to you. Here is exactly what we collect, why, and how we protect it.

Effective Date: June 15, 2026 · Last Updated: June 15, 2026

Contents

  1. Overview
  2. Who We Are
  3. Data We Collect
  4. How We Use Your Data
  5. Legal Basis for Processing
  6. How We Share Your Data
  7. Data Storage & Security
  8. Data Retention
  9. Sensitive Personal Information
  10. Your Rights
  11. Children's Privacy
  12. Cookies & Analytics
  13. Changes to This Policy
  14. Grievance Officer
  15. Contact Us

1. Overview

This Privacy Policy explains how Flowbriq Technologies Private Limited ("Flowbriq", "we", "us", or "our") collects, uses, stores, and shares personal information when you use the Flowbriq mobile application and related services (the "Service").

By using the Service, you consent to the data practices described in this Policy. If you are providing personal data about third parties (such as employees, workers, or vendors) through the Service, you are responsible for ensuring you have the right to do so.

We do not sell your personal data to third parties. We do not use your data for advertising profiling. Your data is used only to operate and improve the Flowbriq Service.

2. Who We Are

Data Controller
Flowbriq Technologies Private Limited
Registered in
India

This Policy applies to all users of the Flowbriq mobile application, including company owners, team members, and any person whose data is stored in the Service by a company using Flowbriq.

3. Data We Collect

We collect the following categories of data:

3.1 Account & Identity Data

Data FieldRequired?Purpose
Mobile phone numberRequiredPrimary identifier; OTP-based authentication
First nameRequired (onboarding)Display name within the app; team communications
Last nameOptionalFull name display
Email addressOptionalAccount notifications and support
Profile avatar URLOptionalProfile picture in-app
Home / personal addressOptionalBusiness correspondence; optional profile detail

3.2 Company Data

Data FieldRequired?Purpose
Company nameRequiredCompany identification within the platform
Company phone & emailOptionalBusiness contact info displayed to team members
Company addressOptionalOffice / registered address for records
GSTIN (GST number)OptionalTax compliance records; stored at company and address level
PAN (company)OptionalTax compliance records
Average business sizeOptionalService plan recommendation; analytics
Average team sizeOptionalService plan recommendation; analytics
Company logoOptionalBranding within the app

3.3 Project Data

Data FieldRequired?Purpose
Project name, dates, statusRequiredCore project management functionality
Project address (line1, city, state, pincode)RequiredProject location and correspondence
GPS coordinates (latitude & longitude)RequiredLocation-based attendance radius enforcement
Attendance radius (meters)Optional (default 100 m)Define geofence for attendance check-ins
Project imageOptionalVisual identification of the project

3.4 Party (CRM) Data

Parties are the people and organisations in your business network - clients, staff, workers, vendors, and investors. Data stored for parties includes:

Data FieldRequired?Purpose
Name, phone, emailName requiredDirectory and communications
Party type & subtypeRequiredCategorisation (STAFF, CLIENT, WORKER, INVESTOR, VENDOR)
Date of joiningOptionalHR / payroll records
AddressOptionalCorrespondence and delivery records
Aadhaar numberOptionalKYC / identity verification for workers and staff
PAN numberOptionalTax compliance and TDS records
PF number (Provident Fund)OptionalPayroll and statutory compliance
UAN (Universal Account Number)OptionalProvident fund management
ESI numberOptionalEmployee State Insurance compliance
Aadhaar document (uploaded image/PDF)OptionalKYC document storage
PAN document (uploaded image/PDF)OptionalKYC document storage
Aadhaar numbers, PAN numbers, and associated documents are classified as Sensitive Personal Data or Information (SPDI) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. See Section 9 for how we handle SPDI.

3.5 Authentication & Session Data

DataDetails
OTP sessionPhone number + OTP ID stored temporarily (expires in 10 minutes); OTP itself is never logged in production
Access tokensShort-lived JWT (15 minutes); identifies authenticated session
Refresh tokensOpaque token (30 days); stored securely; single-use (rotated on each refresh)

3.6 Usage & Diagnostic Data

We may collect anonymised usage data - such as which screens are visited and how often features are used - to understand how the Service is being used and to improve it. This data does not identify you personally.

We may also collect crash reports and error logs that contain technical information about device type, OS version, and the state of the app at the time of an error.

4. How We Use Your Data

PurposeData Used
Authentication and account managementPhone number, OTP, access and refresh tokens
Providing core app features (projects, CRM, team)All data you enter into the Service
Location-based attendanceProject GPS coordinates; device location (if attendant checks in)
Customer supportAccount data, email, support communications
Service improvement & analyticsAnonymised usage data; crash reports
Legal complianceIdentity data, GST/PAN data, KYC documents as required by applicable law
Fraud prevention and securitySession data, IP addresses, device identifiers
Billing and subscription managementCompany name, contact email, payment method details (processed by third-party payment gateway)

We do not use your data to build advertising profiles or sell access to your data to any third party.

6. How We Share Your Data

We share your data only in the following limited circumstances:

RecipientWhat is sharedWhy
Cloud infrastructure providers (e.g., database, file storage, CDN)All data stored in the ServiceHosting and operating the Service
SMS / OTP gateway providersPhone numberDelivering OTP messages
Payment gateway providersBilling name, email, payment detailsProcessing subscription payments
Error tracking / monitoring toolsAnonymised crash reports; device/OS metadataDetecting and fixing bugs
Law enforcement or regulatorsData required by valid legal orderCompliance with legal obligations
Successor entity in merger/acquisitionAll dataBusiness continuity; subject to notice to users

All third-party service providers are bound by contractual obligations to process your data only for the stated purpose and to maintain appropriate security standards.

Within a company account, data entered by the company owner or any team member is visible to other authorised members of the same company. Access is scoped to your company - no other company can see your data.

7. Data Storage & Security

Location. Your data is stored on servers located in India (or in regions with adequate data protection, where required for performance). We do not transfer personal data outside India without appropriate safeguards.

Security measures. We implement industry-standard technical and organisational measures to protect your data, including:

  • Encryption in transit using TLS 1.2 or higher for all API communications.
  • Encryption at rest for database storage and uploaded documents.
  • Short-lived access tokens (15 minutes) to minimise exposure from token compromise.
  • Token rotation - refresh tokens are single-use and immediately revoked after each use.
  • Role-based access controls limiting which employees can access production data.
  • Regular security audits and vulnerability assessments.

No absolute guarantee. No system is completely secure. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities as required by law.

8. Data Retention

Data CategoryRetention Period
OTP sessions10 minutes from creation (auto-expired)
Access tokens15 minutes (stateless JWT; not stored server-side)
Refresh tokens30 days from issuance, or until revoked on logout
Active account data (user profile, company, projects, parties)Retained for the duration of your account
Data after account deletionDeleted or anonymised within 90 days, except where retention is required by law
Financial / tax records (GSTIN, PAN, invoices)Retained for 7 years as required under Indian tax laws
Audit logs and security recordsRetained for up to 1 year
Uploaded KYC documents (Aadhaar, PAN)Retained as long as the party record exists; deleted within 90 days of party deletion

When you delete your account, we begin the data deletion process within 30 days. Some data may be retained longer where required by applicable law or to resolve pending disputes.

9. Sensitive Personal Information

The following categories of information constitute Sensitive Personal Data or Information (SPDI) under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and are handled with additional care.

Flowbriq may store the following SPDI on behalf of your company, for the third parties (parties) you add to the system:

  • Aadhaar number - a unique identity number issued by UIDAI to Indian residents.
  • PAN number - a tax identification number issued by the Income Tax Department.
  • PF number / UAN / ESI number - payroll and statutory compliance identifiers.
  • Copies of identity documents - uploaded Aadhaar card and PAN card images or PDFs.

Your obligations as the data fiduciary for parties. When you store SPDI of your employees, workers, or vendors through Flowbriq, you (the company owner) become the party responsible for:

  • Obtaining free, prior, and informed consent from each individual before uploading their SPDI.
  • Ensuring the information is used only for lawful HR, payroll, and KYC purposes.
  • Complying with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and rules made thereunder regarding use of Aadhaar data.

How we protect SPDI.

  • SPDI fields are stored in encrypted database columns.
  • Uploaded documents (Aadhaar, PAN PDFs) are stored in access-controlled, encrypted object storage.
  • Access to SPDI in production is restricted to authorised personnel on a need-to-know basis.
  • We do not use SPDI for any purpose other than storing and displaying it to authorised users of your company.

We do not use Aadhaar data for authentication or identity verification on the Flowbriq platform itself. The Aadhaar field is a record-keeping field for your HR and KYC workflows only.

10. Your Rights

You have the following rights with respect to your personal data:

Access

Request a copy of the personal data we hold about you.

Correction

Update or correct inaccurate personal data directly in-app (profile and company settings) or by contacting us.

Deletion

Request deletion of your account and associated personal data, subject to legal retention obligations.

Withdraw Consent

Withdraw consent for optional data fields at any time; this will not affect the lawfulness of prior processing.

Data Portability

Request an export of your data in a machine-readable format.

Grievance Redressal

Lodge a complaint with our Grievance Officer (see Section 14).

To exercise any of these rights, contact us at privacy@flowbriq.com. We will respond within 30 days.

If you are a party (employee, worker, vendor) whose data has been stored in Flowbriq by a company, please contact that company directly to exercise your rights. We will assist where we are the appropriate point of contact.

11. Children's Privacy

The Service is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data about a minor, please contact us at privacy@flowbriq.com and we will delete it promptly.

12. Cookies & Analytics

The Flowbriq mobile application does not use browser cookies. We may use lightweight analytics tools to collect anonymised, aggregated usage statistics. These tools do not track you across other apps or websites, and they do not use the data for advertising.

Any device identifiers used (e.g., for crash reporting) are handled in accordance with the relevant platform privacy guidelines (Apple App Store / Google Play).

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or email and update the "Last Updated" date at the top of this page. Your continued use of the Service after the effective date constitutes your acceptance of the revised Policy.

We encourage you to review this page periodically to stay informed about how we protect your data.

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer to address concerns regarding the processing of personal data.

Name
[Grievance Officer Name] - to be appointed
Response SLA
Acknowledgement within 24 hours; resolution within 15 days of receipt

15. Contact Us

For any privacy-related questions, data requests, or concerns, please reach out:

Company
Flowbriq Technologies Private Limited
General support
support@flowbriq.com