Privacy Policy for Flexoraa

1. General Information and Scope

This Privacy Policy describes how Flexoraa ("Flexoraa," "we," "us," or "our") collects, uses, processes, and discloses information, including personal data, in connection with your access to and use of the Flexoraa Intelligence OS platform and our associated websites (collectively, the "Services"). This policy is intended to help you understand your rights and our obligations regarding your personal data.

2. Data Controller and Data Protection Officer

2.1. Controller for Client and Visitor Data

For the personal data of our Clients and Website Visitors, Flexoraa is the Data Controller.

2.2. Processor for Lead Data

For the personal data of Leads processed through our Services, our Client is the Data Controller and Flexoraa is the Data Processor. Our processing of Lead data is governed by a Data Processing Addendum (DPA) executed with our Clients.

2.3. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our data protection strategy and implementation. You can contact our DPO at dpo@flexoraa.com.

2.4. Data Processing Agreement (DPA)

We offer a standard Data Processing Agreement (DPA) to clients upon request, outlining our processor obligations under GDPR and India's DPDP Act.

3. Detailed Information on Data Processing

3.1. When You Visit Our Website

• Data Processed: Server log files, including your IP address, browser type and version, operating system, referrer URL, time of the server request, and pages visited.
• Purpose: To ensure the security and stability of our website, to analyze usage for optimization, and to defend against cyberattacks.
• Legal Basis: Our legitimate interest (Art. 6(1)(f) GDPR) in maintaining a secure and functional web presence.

3.2. Use of Cookies and Tracking Technologies

We use essential, analytics, and marketing cookies. When required by law, we request your consent via a cookie banner. You may revoke or change cookie preferences at any time. To learn more, see our Cookie Policy for a breakdown of cookie types, retention periods, and vendors used.

3.3. When You Register as a Client

• Data Processed: Name, business email address, company name, phone number, password, and payment information.
• Purpose: To create and manage your account, provide our Services, process payments, and communicate with you about your account.
• Legal Basis: The performance of a contract to which you are a party (Art. 6(1)(b) GDPR).
• Payment Processing Note: We do not store your payment card details. All payment transactions are handled securely by third-party payment processors such as Stripe and Razorpay.

3.4. When We Process Lead Data for Our Clients

• Data Processed: All data provided by our Client, including but not limited to names, phone numbers, and email addresses of Leads. Additionally, we generate conversation transcripts from WhatsApp interactions and AI-derived lead scores.
• Purpose: To execute the core functions of the Flexoraa Intelligence OS as directed by our Client, namely to verify, qualify, score, and facilitate engagement with Leads.
• Legal Basis: We process this data as a Data Processor under the instruction of our Client (the Data Controller) and pursuant to our DPA.
• Client Responsibility for Lawful Basis: Flexoraa does not verify whether Clients have obtained appropriate consent or legal basis for uploading Lead Data. By using our Services, Clients represent and warrant that they have lawful grounds (e.g., consent or legitimate interest) to collect, upload, and process personal data through our platform.

4. Automated Decision-Making and Profiling

Our Service utilizes AI to perform lead scoring (e.g., "Hot," "Warm," "Cold"), which constitutes a form of automated processing and profiling.

• Purpose and Logic: The purpose is to assist our Clients in efficiently prioritizing engagement efforts. The score is based on factors such as engagement level, responses during conversations, and other metadata. Flexoraa utilizes multiple internal AI models ("Agents") which may securely process lead data based on predefined automation logic. This processing is carried out under our legitimate interest to offer an optimized service, or under our Client's instructions where they are the Data Controller.
• Significance & Consequences: These automated decisions are assistive; they do not have legal or similarly significant effects and are always subject to human oversight. The ultimate decision to contact, nurture, or disregard a Lead rests with our Client's human sales team.
• Opt-Out Rights: If you wish to opt out of automated profiling or request a human review of a decision, please contact privacy@flexoraa.com. We will accommodate your request in accordance with applicable law.

5. Recipients of Personal Data and Third-Party Services

We engage third-party companies and individuals (Sub-processors) to facilitate our Services. We have entered into DPAs with all Sub-processors who handle personal data. A list of our primary sub-processors can be found in Appendix A.

6. Hosting and Data Residency

All lead and client data is stored securely in Supabase's regional servers, currently set to EU (Frankfurt) or AP (Mumbai), depending on project setup and client requirements. Our self-hosted automation processes are hosted on Hetzner servers in Germany, and our web interface runs on Railway’s cloud infrastructure. All data is encrypted in transit via HTTPS/TLS and at rest. Clients may request data residency preference (EU or India) during onboarding, which Flexoraa will accommodate based on availability.

7. International Data Transfers

Our service providers may be located outside of the European Economic Area (EEA) or your country of residence. When we transfer personal data to these countries, we ensure that appropriate safeguards are in place to protect the data, such as by relying on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally-recognized transfer mechanisms.

8. Data Retention

• Client Data: We retain your account information for as long as your account is active and for a reasonable period thereafter as necessary to comply with our legal obligations.
• Lead Data: We retain Lead data processed on behalf of our Clients for the duration specified in our DPA with the Client. Upon termination of the contract or upon instruction from the Client, we will securely delete or return the Lead data.
• Website Data: Server log data is typically retained for a short period (e.g., 14 days) for security purposes.

9. Your Data Protection Rights (Rights of the Data Subject)

Under GDPR and other data protection laws, you have certain rights, including:

• Right of Access (Art. 15 GDPR)
• Right to Rectification (Art. 16 GDPR)
• Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
• Right to Restriction of Processing (Art. 18 GDPR)
• Right to Data Portability (Art. 20 GDPR): Clients may export their Lead Data in a machine-readable format.
• Right to Object (Art. 21 GDPR)
• Right to Withdraw Consent

To exercise any of these rights, please contact us at privacy@flexoraa.com. We may request identity verification before fulfilling requests.

Important Note for Leads: As we are the Data Processor for your data, please direct any rights requests to the company (our Client) that collected your data. We will assist our Clients in fulfilling these requests.

10. Data Security

We are committed to protecting the security of your data. We use a variety of security technologies and procedures—including encryption, access controls, and network security measures—to help protect your personal information from unauthorized access, use, or disclosure.

10.1. Data Breach Notification

In the event of a data breach involving personal data, we will notify affected Clients without undue delay and within the timeframes required by applicable law. We will cooperate with Clients to fulfill any legal reporting obligations.

11. Changes to this Privacy Policy

We may update this policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new policy on this page, updating the "Last Updated" date, and/or by notifying active Clients via email or through the platform dashboard.

12. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us or our Data Protection Officer at: legal@flexoraa.com or dpo@flexoraa.com.

13. Local Legal Compliance (India)

If you are a resident of India, Flexoraa also complies with the Digital Personal Data Protection (DPDP) Act, 2023. Under DPDP, you have rights including access, correction, grievance redressal, and data deletion. We appoint a Grievance Officer for such requests at: grievance@flexoraa.com. All grievances will be acknowledged within 24 hours and resolved within 7 working days. Flexoraa is committed to supporting India’s Consent Manager ecosystem and processes personal data only for the "specified purpose" for which it was collected, as required by law.

14. Notice for California Residents

If you are a resident of California, USA, you have rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt-out of the sale of personal data. Flexoraa does not sell, rent, or disclose personal information for monetary gain and does not engage in "data sales" as defined under the CCPA. To exercise your rights, please contact us at the address provided in Section 12.