Privacy Policy

What we collect, why we collect it, and the choices you have. We try to keep this honest and short.

Last updated: May 23, 2026  |  Effective date: February 23, 2026

FlowForce ("we," "our," or "us") operates the FlowForce application and related services (the "Service"). FlowForce, Inc. is based in Toronto, Canada. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using the Service, you agree to the practices described in this policy.

For privacy-related questions or requests, contact privacy@flowforce.app. A plain-language overview of security, PIPEDA, and CASL is on our Trust page.

1. Information We Collect

1.1 Information You Provide

  • Account information: name, email address, password (stored in hashed form), and optional profile details (phone, address, city, province, country, postal code, title, company, website) when you register or update your profile.
  • Organization or tenant information: company or workspace name and settings when you create or manage an organization.
  • Contacts and leads: names, email addresses, phone numbers, company details, notes, and other business contact data you add or import into the Service.
  • Communications: email content you send or receive through the Service, SMS messages, call metadata (such as duration and timestamps), and related notes or recordings if you use integrated voice and SMS features.
  • Billing information: billing details are processed by our payment provider (Stripe). We may store billing-related metadata (plan, usage) but not full payment card numbers on our servers.
  • Support and feedback: any information you send when contacting support or submitting feedback.

1.2 Information Collected Automatically

  • Usage data: how you use the Service (such as pages visited, features used, and actions taken) for analytics, security, and improving the product.
  • Device and technical data: IP address, browser type, operating system, device identifiers, and similar technical data, including for security (login attempts, abuse prevention) and session management.
  • Log data: server logs, error reports, and audit logs (who did what and when) for security, compliance, and troubleshooting.

1.3 Cookies and Similar Technologies

  • On our public marketing site, we use cookies and local storage for theme preference, cookie consent, and (only if you accept) Google Analytics 4 and PostHog to understand aggregated traffic, blog engagement, and how to improve the site. This analytics applies to visitors of our website only—not to data accessed through Gmail, Outlook, or other connected Google or Microsoft accounts in the Service. See our Cookie Policy for details and to change your preferences.
  • In the FlowForce application, we use cookies for authentication, session management, security (CAPTCHA), and preferences (trusted device, selected tenant).
  • You can control cookies through your browser settings. Disabling certain cookies may limit some features or require you to sign in again more often.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service (accounts, teams, leads, deals, contacts, email, calls, SMS, calendar, tasks, and related features).
  • Authenticate and secure access (login, two-factor authentication, rate limiting, fraud and abuse prevention).
  • Process communications (sending and receiving email via our infrastructure and partners, and where applicable, voice and SMS).
  • Run AI and automation features such as lead summaries, enrichment, email drafting, and chat-style assistance, using approved third-party AI providers, with data used only as necessary to deliver those features. Google and Microsoft user data is never sent to third-party AI providers (see Section 3).
  • Bill and manage subscriptions (plan limits, usage, invoicing, and payment processing via our billing provider).
  • Support you (respond to inquiries, troubleshoot issues, and send important service-related messages).
  • Improve the Service (product development and performance). Website analytics on our marketing site are separate from Google and Microsoft user data; see Section 3.
  • Comply with law (legal obligations, responding to lawful requests, enforcing our terms).

3. Google and Microsoft User Data (Gmail, Outlook, and Calendar Integrations)

This section applies when you connect a Google account (Gmail, Google Calendar) or a Microsoft account (Outlook, Microsoft 365, Microsoft Calendar) to the Service.

FlowForce's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Our use of information received from Microsoft APIs (including via Microsoft Graph) adheres to the Microsoft API Terms of Use and applicable Microsoft privacy and data-protection requirements for customer data accessed through those APIs.

3.1 What Google and Microsoft User Data We Access

We request only the permissions needed for the features you enable. Depending on your connections, we may access:

Google

  • Gmail: message content, subject lines, headers (such as sender, recipients, and dates), thread and message identifiers, labels, and read/send status needed to sync your inbox and send mail from FlowForce.
  • Google account: your Google account email address and basic profile information required to authenticate the connection.
  • Google Calendar (if connected): event titles, times, attendees, and related metadata needed to sync meetings with your CRM.

Microsoft

  • Outlook / Microsoft 365 mail: message content, subject lines, headers (such as sender, recipients, and dates), conversation and message identifiers, folders, and read/send status needed to sync your inbox and send mail from FlowForce.
  • Microsoft account: your work or personal Microsoft account email address and basic profile information required to authenticate the connection.
  • Outlook / Microsoft Calendar (if connected): event titles, times, attendees, and related metadata needed to sync meetings with your CRM.

3.2 How We Use Google and Microsoft User Data

We use Google and Microsoft user data only to provide and improve user-facing features of the Service, including:

  • Displaying and syncing email in your FlowForce inbox and linking messages to leads, contacts, and deals.
  • Sending email when you compose or send from FlowForce using your connected mailbox.
  • Syncing calendar events with CRM records when a calendar integration is connected.
  • Operating, securing, and troubleshooting the integrations (for example, error logs and abuse prevention tied to the feature).

Google and Microsoft user data is never sent to third-party AI providers (such as OpenAI or similar services). Our AI features may use other data you store in FlowForce, but Gmail, Outlook, calendar data, and other information obtained from Google or Microsoft APIs stay within FlowForce's infrastructure and are not shared with AI vendors.

Google and Microsoft user data is not used for advertising, interest-based or retargeted marketing, selling or licensing data to third parties (except infrastructure providers that host the Service under contract), creditworthiness or lending decisions, building unrelated commercial databases, or training AI or machine learning models.

Analytics on our public marketing website (such as Google Analytics 4, only if you accept cookies there) does not apply to Google or Microsoft user data obtained through connected mailboxes or calendar integrations in the Service.

3.3 How We Share Google and Microsoft User Data

We do not sell Google or Microsoft user data. We do not share Google or Microsoft user data with third-party AI providers. We may share it only with:

  • Infrastructure providers that host or operate the Service under contract, solely to run the Service. These providers do not use Google or Microsoft user data for their own purposes.
  • Your organization, if you use FlowForce as part of a team workspace, in line with your workspace permissions.
  • Legal requirements, when required by applicable law or to protect rights and safety.

We do not transfer Google or Microsoft user data to third parties for advertising, data brokerage, AI processing, or purposes other than providing or improving the user-facing features described in Section 3.2.

3.4 Retention, Deletion, and Your Control

  • We retain Google and Microsoft user data for as long as the relevant account remains connected and as needed to provide the Service, unless a longer period is required by law.
  • You can disconnect Gmail, Google Calendar, Outlook, or Microsoft Calendar at any time in your FlowForce integration settings. When you disconnect, we revoke OAuth access and delete or anonymize cached data from that provider within a reasonable period, except where retention is required for legal, security, or dispute-resolution purposes.
  • You may request deletion of your data by contacting support@flowforce.app.
  • You can revoke FlowForce's access from your Google Account permissions page or from Microsoft account app access settings.

3.5 Protection of Google and Microsoft User Data

Google and Microsoft OAuth tokens are stored encrypted. We use encryption in transit, access controls, and monitoring as described in Section 9. For additional detail on connected mailboxes, see our Security page.

4. Privacy in Canada (PIPEDA)

This section applies to personal information collected, used, or disclosed in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws, where applicable.

4.1 Accountability

FlowForce, Inc. is accountable for personal information in our custody or control. We assign responsibility for compliance with this policy and can be reached at privacy@flowforce.app.

4.2 Identifying purposes and consent

We identify the purposes for which we collect personal information in this policy and at the point of collection where practical. We rely on consent, contract, or other lawful bases as appropriate—for example, to operate your account, process payments, or respond to support requests.

4.3 Customer data (your leads and contacts)

When you use FlowForce as a team or organization, you decide what contact and lead data to upload and how to use it for sales and marketing. For that data, you are generally responsible for ensuring you have a lawful basis to collect and use it; we process it on your instructions to provide the Service. Your admins control workspace access.

4.4 Safeguards, retention, and openness

We protect personal information with technical and organizational measures described in Section 9 and on our Security page. We retain information as described in Section 8. This policy is our primary openness measure; material changes are posted here with an updated date.

4.5 Access, correction, and complaints

You may request access to or correction of personal information we hold about you, subject to legal exceptions. We respond within a reasonable time and no later than required by applicable law (typically within 30 days for PIPEDA requests). To challenge our compliance, contact us first at privacy@flowforce.app. You may also contact the Office of the Privacy Commissioner of Canada: priv.gc.ca.

4.6 Cross-border transfers

Personal information may be stored or processed in Canada, the United States, or other countries where our service providers operate. Those providers are bound by contract to protect information and use it only to deliver services to us. See Section 11 for more detail.

4.7 Breach notification

If a breach of security safeguards creates a real risk of significant harm to an individual, we will notify affected individuals and organizations as required by PIPEDA and maintain records of breaches as required by law.

5. Commercial Electronic Messages (CASL)

Canada's Anti-Spam Legislation (CASL) regulates commercial electronic messages (CEMs)—including promotional email and SMS. FlowForce does not obtain consent on your behalf for messages you send to your leads, clients, or prospects.

  • Your responsibility: Before sending CEMs through cadences, campaigns, drips, or one-off messages, ensure you have valid consent or another permitted basis under CASL (such as an existing business relationship where the statutory requirements are met), and include required identification and unsubscribe mechanisms in your content where applicable.
  • How we help: The Service supports operational compliance tools, including processing SMS opt-out requests (such as STOP), storing do-not-call flags on lead phone numbers, screening outbound email and SMS content, pausing cadences when recipients reply, and requiring human confirmation before certain AI-assisted sends. These features do not replace your obligation to maintain proper consent records and list practices.
  • Transactional messages: Service-related messages we send you (account, billing, security) are separate from CEMs you send through the CRM.

This section is a summary, not legal advice. See our Trust page for a shared-responsibility overview.

6. Legal Basis (Where Applicable)

  • Contract: processing necessary to provide the Service and perform our contract with you or your organization.
  • Legitimate interests: security, fraud prevention, analytics, and improving the Service, where not overridden by your rights.
  • Consent: where we rely on consent (such as optional product marketing emails to your FlowForce account or non-essential cookies on our marketing site), you may withdraw it at any time. This does not apply to Google or Microsoft user data, which we use only as described in Section 3.
  • Legal obligation: where we must process data to comply with applicable law.

7. Sharing and Disclosure

We do not sell your personal information. We do not sell Google or Microsoft user data. We may share information only in the following circumstances:

  • Service providers: with vendors that help us run the Service (hosting, email delivery, SMS and voice, payment processing, AI, storage, scheduling). These providers are bound by contract to use data only to provide services to us and in line with this policy. Third-party AI providers do not receive Google or Microsoft user data.
  • Your organization: if you use the Service as part of a team or organization, other authorized users and admins in that organization may see data you add or that is shared within the workspace (leads, contacts, deals, activities).
  • Legal and safety: when required by law, to protect rights and safety, to enforce our terms, or to respond to valid legal process (such as subpoenas or court orders).
  • Business transfers: in connection with a merger, sale, or other transfer of assets, subject to the same privacy commitments.

Examples of third-party services we may use: email delivery (Mailgun, Resend), payments (Stripe), AI for non-Google and non-Microsoft connected-account data only (OpenAI), storage (cloud object storage), security (Cloudflare Turnstile), scheduling (QStash), and optional integrations (Gmail, Google Calendar, Microsoft 365 / Outlook). Google and Microsoft user data is never shared with OpenAI or other AI providers and is handled only as described in Section 3.

8. Data Retention

  • We retain your data for as long as your account is active or as needed to provide the Service and comply with legal, tax, or regulatory requirements.
  • After account closure, we may retain certain data for a limited period for legal, security, or dispute-resolution purposes, after which it is deleted or anonymized.
  • You or your organization admin may request deletion of specific data or the account. We will honor such requests where consistent with law and our retention obligations.

9. Security

We implement technical and organizational measures to protect your information, including encryption in transit and at rest where applicable, access controls, secure authentication, and monitoring. No system is completely secure. We encourage you to use strong passwords and keep your login details confidential. For more detail, see our Security page.

10. Your Rights and Choices

Depending on your location, you may have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your personal data, subject to legal and contractual exceptions.
  • Portability: request a portable copy of your data in a structured, machine-readable format.
  • Restriction or objection: request restriction of processing or object to certain processing (such as marketing or profiling where applicable).
  • Withdraw consent: where we rely on consent, withdraw it at any time.
  • Complain: lodge a complaint with a supervisory authority in your country—for Canada, the Office of the Privacy Commissioner of Canada.

To exercise these rights, contact privacy@flowforce.app. We will respond within the time required by applicable law. For organization-level data, we may need to coordinate with your account or workspace administrator.

11. International Transfers

The Service may be provided using resources and partners in different countries, including Canada and the United States. Where we transfer personal data across borders, we use contractual, technical, and organizational safeguards appropriate to the transfer, such as agreements with subprocessors and encryption in transit and at rest. European transfers may rely on standard contractual clauses or other approved mechanisms where required.

12. Children

The Service is not intended for users under the age of 16 (or higher where local law requires). We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us at support@flowforce.app and we will take steps to delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on our website or in the Service and indicate the "Last updated" date. Material changes may be communicated by email or an in-app notice. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

14. Contact Us

For any privacy-related questions, requests, or complaints:

We will respond as required by applicable law.