Privacy Policy

1. Who This Applies To

This Privacy Policy ("Policy") applies to all individuals and entities ("you", "your") who visit the FlowShift website, use the FlowShift client portal, or have automation services managed by FlowShift on their behalf.

By using our services you acknowledge that you have read and understood this Policy. If you do not agree with how we handle data, you should not use our services.

2. Data Controller

FlowShift acts as the data controller for the personal and business information you provide to us directly (such as your name and contact details). For data processed within third-party platforms you connect (Google, Slack, Meta, etc.), you remain the data controller and we act as a data processor on your behalf.

3. What We Collect & Why

We collect only the minimum data necessary to provide the services:

• Business & contact information — your business name, contact name, and communication details provided during onboarding. Used to manage your account and communicate with you.
• OAuth tokens — access tokens and refresh tokens issued by third-party platforms you authorise. These are encrypted at rest using AES-256-GCM and used solely to execute your approved automations.
• Workflow run logs — timestamps, trigger types, execution status (success/error), and duration. Used to display performance data in your dashboard and diagnose issues. Message content or personal data processed within a workflow is not stored by FlowShift unless explicitly required and agreed upon for a specific workflow.
• Portal access logs — login attempts, session activity, and IP addresses for security monitoring and fraud prevention.
• Technical data — browser type and device information collected automatically when you access the portal, used solely for compatibility and security purposes.

We do not collect payment card details. All payments are handled directly between you and FlowShift outside the platform.

4. Legal Basis for Processing

We process your data on the following legal bases:

• Contract performance — processing is necessary to deliver the automation services you have contracted with us.
• Legitimate interests — security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights.
• Legal obligation — where we are required to retain or disclose data by applicable law.
• Consent — where you have explicitly authorised specific data access (e.g. connecting a third-party account via OAuth).

5. How We Use Your Data

• To execute and monitor the automation workflows you have approved.
• To display activity, performance, and run statistics in your client dashboard.
• To diagnose workflow errors and improve service reliability.
• To communicate with you about your account, service updates, or issues.
• To detect and prevent unauthorised access or fraudulent activity.
• To comply with applicable legal obligations.

6. Third-Party Services & Data Processors

When you connect a third-party platform (e.g. Google, Slack, Meta, HubSpot), that platform's own privacy policy governs the data held within it. FlowShift only accesses the specific data required to execute your approved automations.

Some of our automation infrastructure runs on the n8n platform, hosted on a private server controlled exclusively by FlowShift. We do not share your credentials or tokens with any sub-processor beyond what is technically required to operate the service.

You can revoke FlowShift's access to any connected third-party service at any time — both from your client portal and directly from the settings of the relevant third-party platform.

FlowShift is not responsible for the privacy practices or data handling of any third-party service you connect.

7. Data Storage & Security

• Your data is stored on a secured private server with restricted access.
• OAuth tokens are encrypted using AES-256-GCM encryption before storage.
• All data in transit is protected by TLS/HTTPS.
• Access to production systems is restricted to authorised FlowShift personnel only.
• We apply rate limiting, authentication controls, and monitoring to protect against unauthorised access.

While we implement industry-standard security measures, no system is completely invulnerable. FlowShift cannot guarantee absolute security. In the event of a data breach that affects your personal or business data, we will notify you as soon as reasonably practicable and take immediate steps to contain and remediate the incident.

8. Data Retention

We retain your data only for as long as necessary to provide the services or as required by law:

• OAuth tokens — deleted immediately upon disconnection of the relevant integration or closure of your account.
• Workflow run logs — retained for up to 90 days, then permanently deleted.
• Account & contact information — retained for up to 12 months after account closure for legal and accounting purposes, then permanently deleted.
• Portal access logs — retained for up to 90 days for security monitoring, then permanently deleted.

You may request earlier deletion of your data at any time (see Section 9 below).

9. Your Rights

You have the following rights regarding your personal data:

• Right of access — request a copy of all personal data we hold about you.
• Right to rectification — request correction of any inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data, subject to any legal retention obligations.
• Right to restrict processing — request that we limit how we use your data in certain circumstances.
• Right to data portability — request your data in a structured, machine-readable format.
• Right to withdraw consent — revoke any previously granted consent (including OAuth connections) at any time, without affecting the lawfulness of processing before withdrawal.
• Right to object — object to processing based on legitimate interests.

To exercise any of these rights, contact us via WhatsApp or our contact page. We will respond within 30 days. We may need to verify your identity before processing your request.

10. Cookies & Tracking

The FlowShift marketing website does not use third-party tracking or advertising cookies. The client portal uses only strictly necessary session cookies for authentication — no persistent tracking, profiling, or analytics cookies are set.

We do not use any third-party analytics services (such as Google Analytics) on the client portal.

11. International Data Transfers

FlowShift operates primarily from Egypt. If you are located outside Egypt, your data may be transferred to and processed in Egypt. By using our services you consent to this transfer. We take appropriate steps to ensure your data receives an adequate level of protection regardless of where it is processed.

12. Children's Privacy

Our services are intended solely for use by businesses and individuals aged 18 or older. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

13. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via the client portal or by direct contact. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the services after the effective date of any change constitutes your acceptance of the updated Policy.

14. Contact

For any privacy-related questions, requests, or concerns, contact us via WhatsApp or our contact page. We aim to respond to all data-related requests within 30 days.