Contents
1. Overview
This Privacy Policy explains how Flowbriq Technologies Private Limited ("Flowbriq", "we", "us", or "our") collects, uses, stores, and shares personal information when you use the Flowbriq mobile application and related services (the "Service").
By using the Service, you consent to the data practices described in this Policy. If you are providing personal data about third parties (such as employees, workers, or vendors) through the Service, you are responsible for ensuring you have the right to do so.
2. Who We Are
- Data Controller
- Flowbriq Technologies Private Limited
- Registered in
- India
- Contact
- privacy@flowbriq.com
This Policy applies to all users of the Flowbriq mobile application, including company owners, team members, and any person whose data is stored in the Service by a company using Flowbriq.
3. Data We Collect
We collect the following categories of data:
3.1 Account & Identity Data
| Data Field | Required? | Purpose |
|---|---|---|
| Mobile phone number | Required | Primary identifier; OTP-based authentication |
| First name | Required (onboarding) | Display name within the app; team communications |
| Last name | Optional | Full name display |
| Email address | Optional | Account notifications and support |
| Profile avatar URL | Optional | Profile picture in-app |
| Home / personal address | Optional | Business correspondence; optional profile detail |
3.2 Company Data
| Data Field | Required? | Purpose |
|---|---|---|
| Company name | Required | Company identification within the platform |
| Company phone & email | Optional | Business contact info displayed to team members |
| Company address | Optional | Office / registered address for records |
| GSTIN (GST number) | Optional | Tax compliance records; stored at company and address level |
| PAN (company) | Optional | Tax compliance records |
| Average business size | Optional | Service plan recommendation; analytics |
| Average team size | Optional | Service plan recommendation; analytics |
| Company logo | Optional | Branding within the app |
3.3 Project Data
| Data Field | Required? | Purpose |
|---|---|---|
| Project name, dates, status | Required | Core project management functionality |
| Project address (line1, city, state, pincode) | Required | Project location and correspondence |
| GPS coordinates (latitude & longitude) | Required | Location-based attendance radius enforcement |
| Attendance radius (meters) | Optional (default 100 m) | Define geofence for attendance check-ins |
| Project image | Optional | Visual identification of the project |
3.4 Party (CRM) Data
Parties are the people and organisations in your business network - clients, staff, workers, vendors, and investors. Data stored for parties includes:
| Data Field | Required? | Purpose |
|---|---|---|
| Name, phone, email | Name required | Directory and communications |
| Party type & subtype | Required | Categorisation (STAFF, CLIENT, WORKER, INVESTOR, VENDOR) |
| Date of joining | Optional | HR / payroll records |
| Address | Optional | Correspondence and delivery records |
| Aadhaar number | Optional | KYC / identity verification for workers and staff |
| PAN number | Optional | Tax compliance and TDS records |
| PF number (Provident Fund) | Optional | Payroll and statutory compliance |
| UAN (Universal Account Number) | Optional | Provident fund management |
| ESI number | Optional | Employee State Insurance compliance |
| Aadhaar document (uploaded image/PDF) | Optional | KYC document storage |
| PAN document (uploaded image/PDF) | Optional | KYC document storage |
3.5 Authentication & Session Data
| Data | Details |
|---|---|
| OTP session | Phone number + OTP ID stored temporarily (expires in 10 minutes); OTP itself is never logged in production |
| Access tokens | Short-lived JWT (15 minutes); identifies authenticated session |
| Refresh tokens | Opaque token (30 days); stored securely; single-use (rotated on each refresh) |
3.6 Usage & Diagnostic Data
We may collect anonymised usage data - such as which screens are visited and how often features are used - to understand how the Service is being used and to improve it. This data does not identify you personally.
We may also collect crash reports and error logs that contain technical information about device type, OS version, and the state of the app at the time of an error.
4. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Authentication and account management | Phone number, OTP, access and refresh tokens |
| Providing core app features (projects, CRM, team) | All data you enter into the Service |
| Location-based attendance | Project GPS coordinates; device location (if attendant checks in) |
| Customer support | Account data, email, support communications |
| Service improvement & analytics | Anonymised usage data; crash reports |
| Legal compliance | Identity data, GST/PAN data, KYC documents as required by applicable law |
| Fraud prevention and security | Session data, IP addresses, device identifiers |
| Billing and subscription management | Company name, contact email, payment method details (processed by third-party payment gateway) |
We do not use your data to build advertising profiles or sell access to your data to any third party.
5. Legal Basis for Processing
We process personal data on the following grounds under applicable Indian law (including the Digital Personal Data Protection Act, 2023, to the extent in force):
- Consent - You provide consent when you register and use the Service, particularly for optional data fields.
- Contractual necessity - Processing required to provide the Service you have signed up for.
- Legal obligation - Processing required to comply with applicable Indian laws (e.g., GST, TDS, labour law compliance).
- Legitimate interests - Processing for fraud prevention, security, and product improvement, where such interests are not overridden by your rights.
7. Data Storage & Security
Location. Your data is stored on servers located in India (or in regions with adequate data protection, where required for performance). We do not transfer personal data outside India without appropriate safeguards.
Security measures. We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption in transit using TLS 1.2 or higher for all API communications.
- Encryption at rest for database storage and uploaded documents.
- Short-lived access tokens (15 minutes) to minimise exposure from token compromise.
- Token rotation - refresh tokens are single-use and immediately revoked after each use.
- Role-based access controls limiting which employees can access production data.
- Regular security audits and vulnerability assessments.
No absolute guarantee. No system is completely secure. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities as required by law.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| OTP sessions | 10 minutes from creation (auto-expired) |
| Access tokens | 15 minutes (stateless JWT; not stored server-side) |
| Refresh tokens | 30 days from issuance, or until revoked on logout |
| Active account data (user profile, company, projects, parties) | Retained for the duration of your account |
| Data after account deletion | Deleted or anonymised within 90 days, except where retention is required by law |
| Financial / tax records (GSTIN, PAN, invoices) | Retained for 7 years as required under Indian tax laws |
| Audit logs and security records | Retained for up to 1 year |
| Uploaded KYC documents (Aadhaar, PAN) | Retained as long as the party record exists; deleted within 90 days of party deletion |
When you delete your account, we begin the data deletion process within 30 days. Some data may be retained longer where required by applicable law or to resolve pending disputes.
9. Sensitive Personal Information
Flowbriq may store the following SPDI on behalf of your company, for the third parties (parties) you add to the system:
- Aadhaar number - a unique identity number issued by UIDAI to Indian residents.
- PAN number - a tax identification number issued by the Income Tax Department.
- PF number / UAN / ESI number - payroll and statutory compliance identifiers.
- Copies of identity documents - uploaded Aadhaar card and PAN card images or PDFs.
Your obligations as the data fiduciary for parties. When you store SPDI of your employees, workers, or vendors through Flowbriq, you (the company owner) become the party responsible for:
- Obtaining free, prior, and informed consent from each individual before uploading their SPDI.
- Ensuring the information is used only for lawful HR, payroll, and KYC purposes.
- Complying with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and rules made thereunder regarding use of Aadhaar data.
How we protect SPDI.
- SPDI fields are stored in encrypted database columns.
- Uploaded documents (Aadhaar, PAN PDFs) are stored in access-controlled, encrypted object storage.
- Access to SPDI in production is restricted to authorised personnel on a need-to-know basis.
- We do not use SPDI for any purpose other than storing and displaying it to authorised users of your company.
We do not use Aadhaar data for authentication or identity verification on the Flowbriq platform itself. The Aadhaar field is a record-keeping field for your HR and KYC workflows only.
10. Your Rights
You have the following rights with respect to your personal data:
Access
Request a copy of the personal data we hold about you.
Correction
Update or correct inaccurate personal data directly in-app (profile and company settings) or by contacting us.
Deletion
Request deletion of your account and associated personal data, subject to legal retention obligations.
Withdraw Consent
Withdraw consent for optional data fields at any time; this will not affect the lawfulness of prior processing.
Data Portability
Request an export of your data in a machine-readable format.
Grievance Redressal
Lodge a complaint with our Grievance Officer (see Section 14).
To exercise any of these rights, contact us at privacy@flowbriq.com. We will respond within 30 days.
11. Children's Privacy
The Service is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data about a minor, please contact us at privacy@flowbriq.com and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or email and update the "Last Updated" date at the top of this page. Your continued use of the Service after the effective date constitutes your acceptance of the revised Policy.
We encourage you to review this page periodically to stay informed about how we protect your data.
14. Grievance Officer
In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer to address concerns regarding the processing of personal data.
- Name
- [Grievance Officer Name] - to be appointed
- Response SLA
- Acknowledgement within 24 hours; resolution within 15 days of receipt
15. Contact Us
For any privacy-related questions, data requests, or concerns, please reach out:
- Company
- Flowbriq Technologies Private Limited
- Privacy email
- privacy@flowbriq.com
- General support
- support@flowbriq.com