Privacy Policy
Last updated: 2026-06-03 · Effective: 2026-06-03
This Privacy Policy describes how FlowForges(operated by AKS Forge Lab, “we”, “us”, “our”) collects, uses, stores, and shares personal data when you visit flow-forges.comor use our Services. We are committed to protecting your privacy in compliance with India's Digital Personal Data Protection Act 2023 (“DPDP Act”), the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act (“CCPA”), where applicable.
1. Data We Collect
1A. Information You Provide
- Account Data: name, email address, phone number, company name, job title, and billing address when you register or purchase a plan.
- Communication Data: messages sent through our contact form, chatbot, support email, or booking system.
- Configuration Data: ICP (Ideal Customer Profile) settings, keyword targets, Slack/Telegram credentials, and other setup information you provide to configure our AI agents.
1B. Information Collected Automatically
- Usage Data: pages visited, features used, session duration, click patterns, timestamps, and feature interactions.
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
- Log Data: server access logs, error logs, API call logs, and performance metrics.
1C. Payment Data
All payment processing is handled exclusively by Dodo Payments, our PCI-DSS certified Merchant of Record. FlowForges does not store, process, or transmit your card number, CVV, or full payment details. Dodo Payments shares with us only transaction ID, subscription status, and billing email.
1D. Third-Party Integration Data
If you connect Slack, Telegram, CRM platforms, or calendar services, we receive access tokens and the metadata required to deliver the integration. These tokens are encrypted at rest.
2. Cookies & Tracking
We use the following types of cookies and similar technologies:
- Strictly Necessary: Session management, authentication tokens, and CSRF protection. Required for the Services to function. Cannot be disabled.
- Functional: Remember your preferences (theme, language, dashboard layout). Disabled by default for EU/UK visitors; consent required.
- Analytics: Aggregate, anonymised usage data to improve the Services. No individual profiling. We do not use Google Analytics; we use privacy-preserving analytics only.
You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair the functionality of the Services.
3. Legal Bases for Processing (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we process your data under the following legal bases:
- Contract: Processing necessary to provide the Services you have purchased (account management, feature delivery, billing).
- Legitimate Interests: Fraud prevention, security monitoring, service improvement, and business communications. We balance these interests against your rights.
- Legal Obligation: Tax records, compliance with court orders, and regulatory requirements.
- Consent: Marketing emails and optional cookies. You may withdraw consent at any time without affecting prior processing.
4. How We Use Your Data
- Provide, operate, maintain, and improve the Services.
- Process transactions, issue invoices, and manage your subscription.
- Send transactional emails (receipts, onboarding, feature updates, service alerts).
- Send marketing communications — only with your explicit consent, with an unsubscribe link in every email.
- Detect, prevent, and respond to fraud, abuse, or security incidents.
- Comply with legal obligations (tax, accounting, law enforcement).
- Aggregate and anonymise data for product analytics and improvement.
We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces significant legal effects on you without human review.
5. Data Sharing & Processors
We share data only with trusted processors under contractual data-protection obligations:
- Dodo Payments (US) — payment processing and tax compliance as Merchant of Record.
- Supabase (AWS ap-south-1, India) — database and authentication hosting.
- Vercel (US) — web application hosting and edge delivery.
- Resend (US) — transactional email delivery.
- Apify (Czech Republic) — public web data sourcing for Prospecting OS.
- Twilio (US) — SMS communications for Remi.
- Google (US) — AI model API (Gemini) for chat features.
- Anthropic (US) — AI model API (Claude) for message generation features.
We may also disclose data if required by law, court order, or to protect the rights, property, or safety of FlowForges, our users, or the public.
6. International Data Transfers
FlowForges is based in India. Some processors are located in the US, EU, or other jurisdictions. For transfers from the EEA/UK to third countries, we rely on Standard Contractual Clauses (SCCs) or the processor's adequacy certification. For transfers from India, we comply with the DPDP Act's cross-border transfer requirements. By using our Services, you acknowledge that your data may be processed in these jurisdictions.
7. Data Retention
- Account Data: retained for the duration of your subscription plus 3 years for legal and tax purposes.
- Transaction Records: retained for 7 years per Indian tax law (GST Act requirements).
- Lead Data (Prospecting OS): retained for the duration of your subscription. Exported data is your responsibility.
- SMS Conversation Logs (Remi): retained for 90 days, then automatically purged unless you request longer retention.
- Support Communications: retained for 2 years.
- Server Logs: retained for 90 days.
8. Your Rights
Depending on your jurisdiction, you have the following rights:
- Access: Request a copy of personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Receive your data in a structured, machine-readable format (GDPR/UK GDPR).
- Objection: Object to processing based on legitimate interests.
- Restriction: Request that we limit how we process your data in certain circumstances.
- Opt-out of Marketing: Unsubscribe from marketing emails at any time via the unsubscribe link or by emailing us.
- CCPA (California): Right to know, delete, and opt out of sale (we do not sell data). Verified requests will be honoured within 45 days.
- DPDP Act (India): Right to information, correction, erasure, and grievance redressal per the Digital Personal Data Protection Act 2023.
To exercise any right, email privacy@flow-forges.com. We will respond within 30 days (GDPR) or 45 days (CCPA). We may request identity verification before processing sensitive requests.
9. Security
We implement industry-standard technical and organisational measures including:
- TLS 1.3 encryption in transit on all endpoints.
- AES-256 encryption at rest for sensitive data fields.
- Row-Level Security (RLS) policies on our Supabase database.
- Access controls and role-based permissions for staff.
- Regular security reviews and dependency audits.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you without undue delay (and in any event within 72 hours for GDPR-covered breaches) if we become aware of a breach that materially affects your personal data.
10. Children's Privacy
Our Services are not directed to or intended for use by individuals under 18. We do not knowingly collect personal data from children. If we discover we have collected data from a person under 18 without parental consent, we will delete it promptly.
11. Changes to This Policy
We will notify you of material changes via email and/or a prominent notice on our website at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact & Grievance Officer
FlowForges (operated by AKS Forge Lab)
Bhilai, Chhattisgarh 490023, India
GSTIN: 22MGSPS6643B1ZY
Privacy enquiries: privacy@flow-forges.com
General support: support@flow-forges.com
Phone: +91 9630755104
EU/UK residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, your national DPA in the EU).