Effective Date: 27 March 2026
Last Reviewed: 27 March 2026
Below is a high‑level overview. For full details, read the complete Policy that follows.
| Key Point | What it means |
|---|---|
| No sale or share | We never sell or share your personal information for cross‑context behavioural advertising. |
| Why we collect data | To run the platform, process payments, secure our systems, improve the product and - only with your consent - send you marketing. |
| Your controls | Download, correct, delete or restrict your data; opt‑out of marketing; manage cookies; withdraw consent at any time. |
| Not a HIPAA BAA service | Flowdara is for non–covered-entity practitioners; we do not offer Business Associate Agreements. You may still submit wellness- or health-related information (e.g. intake forms) - see the full Policy. |
| Security first | Data encrypted in transit & at rest, SOC‑2‑aligned controls, annual pen‑tests, 72‑hour breach notice. Commercial safeguards - not a HIPAA compliance program. |
| Regional compliance | GDPR (EU/UK), CPRA & other U.S. state comprehensive privacy laws, PIPEDA (Canada). International transfers use Standard Contractual Clauses with vendors; see Section 10 for how we describe the Data Privacy Framework. |
| Sub‑processors | Representative list: Stripe, Supabase, Vercel, Microsoft Azure Blob Storage, Twilio, Resend. Full sub-processor page (updates, notices, and how to contact us). |
| Changes | 30 days' advance e‑mail / in‑app notice before any material change. |
Flowdara, Inc. and its subsidiaries ("Flowdara", "we", "our" or "us") respect your privacy. This Privacy & Data Protection Policy ("Policy") describes how we collect, use, disclose, and protect your personal information when you interact with our booking platform, websites, mobile applications, application‑programming interfaces (APIs) and related services (collectively, the "Services").
Layered approach. This Policy is our comprehensive disclosure. Where required, we also provide contextual "just‑in‑time" notices (e.g., cookie banner, OAuth consent screens). If a regional law offers you stronger rights or imposes stricter duties, we comply with that law.
| Term | Meaning |
|---|---|
| Controller | The entity that determines the purposes and means of processing personal information. Flowdara acts as Controller for End‑Users who create accounts directly with us. When you interact with a Flowdara Subscriber (e.g., a practitioner using our SaaS), that Subscriber is the Controller and Flowdara acts as Processor. |
| End‑User | Any natural person who uses the Services, including Subscriber staff and consumer clients who book, pay for, or attend an appointment. |
| Personal Information / Personal Data | Information that identifies, relates to, describes, or can reasonably be linked - directly or indirectly - to a natural person, as defined by applicable law (GDPR, CPRA, PIPEDA, etc.). |
| Sensitive Personal Information | A special category of data subject to additional protections (e.g., health data, precise geolocation, biometric identifiers). |
| Other Information | Data that cannot reasonably be used to identify an individual (e.g., aggregated statistics). We commit not to re‑identify de‑identified data. |
This Policy applies to all users in North America and the United Kingdom (preparatory compliance) and governs every point of collection - websites, mobile apps, emails, APIs, support channels, and marketing touch‑points.
The Services are not directed to children under 16. We do not knowingly collect data from children under 13. See Section 12.
Flowdara provides software for independent wellness and holistic practitioners. The Services are not intended for use by HIPAA covered entities (for example, clinics, health plans, or clearinghouses acting in that capacity) in connection with protected health information subject to the U.S. Health Insurance Portability and Accountability Act and its regulations (HIPAA). Flowdara does not enter into Business Associate Agreements (BAAs) with subscribers or their clients.
Wellness- and health-related information. Subscribers may configure features that collect identifying and health- or wellness-related information - such as intake questionnaires, liability waivers, session notes, messages, and similar content - that clients or subscribers submit voluntarily. That information may be sensitive and is processed as described in this Policy (including Section 3 and Section 8). Whether any specific information is PHI under HIPAA depends on the subscriber's role and use case; Flowdara does not assess your regulatory status.
Security is not a HIPAA program. Descriptions of encryption, access controls, and monitoring in this Policy describe general commercial safeguards. They do not mean Flowdara is your HIPAA business associate, that we implement HIPAA Security Rule controls for your practice, or that the Services are a HIPAA-compliant electronic health record or clinical system.
For contractual terms (including eligibility and prohibited use), see our Terms of Service.
| Category | Examples | Purpose | Legal Basis* | Retention |
|---|---|---|---|---|
| Account & Contact | Name, email, postal address, telephone | Account creation, authentication, support | Contract; Legitimate Interest | Duration of account + 3 yrs |
| Credentials | Encrypted passwords, OAuth tokens | Secure log‑in, SSO | Contract; Legitimate Interest | Until deletion; rotated < 90 days |
| Payment & Billing | Last 4 digits card, billing address, Stripe ID, transaction history | Process payments, refunds, fraud prevention | Contract; Legal Obligation (tax) | 7 yrs (tax/PCI) |
| Booking Data | Appointment date/time, location, service type | Provide and manage Services | Contract | Duration of account + 1 yr |
| Usage & Device | IP, browser, OS, device ID, clickstream, cookies, crash logs | Service performance, analytics, security | Legitimate Interest | 26 months (Google Analytics default) |
| Marketing Preferences | Opt‑in status, communication channels | Send offers & newsletters | Consent | Until opt‑out + 30 days |
| Support Records | Chat / email transcripts, call recordings | Troubleshooting, quality assurance | Legitimate Interest | 2 yrs |
| Sensitive Data † | Intake & waiver responses; session or progress notes; other health- or wellness-related content subscribers or clients submit; precise geo (optional, if enabled) | Features subscribers configure (e.g. pre-session intake, notes); service delivery you request | Explicit consent / contract / Art 9 GDPR where applicable | Per subscriber settings and legal requirements (see Section 9) |
* Legal basis references GDPR Articles 6 & 9 and comparable concepts under U.S. state laws (including CPRA) and PIPEDA. For special category / health-related data under EU/UK GDPR, we typically rely on explicit consent (Art. 9(2)(a)), contract or provisions relating to health care where applicable (e.g. Art. 9(2)(h)), or another permitted Article 9 basis. Subscribers who configure intake or waiver forms are responsible for obtaining any client consent required in their jurisdiction. When multiple bases apply, we use the strongest lawful option.
† Subscribers choose whether to use intake forms, waivers, notes, and similar features. Clients submit answers voluntarily. Flowdara does not market the Services as a HIPAA compliance product. We apply the protections described in Section 8; they are commercial safeguards, not a substitute for a HIPAA compliance program. See Terms of Service (HIPAA; no BAA).
We never use Stripe payment data or sensitive health information for marketing or profiling.
We use first‑ and third‑party cookies, web beacons, local storage, and similar technologies to:
Full details appear in our Cookie Policy.
| Recipient | Purpose | Safeguard |
|---|---|---|
| Stripe | Payment processing | DPA + SCCs + PCI‑DSS certification |
| Supabase | Managed Postgres DB, file storage | AES‑256 at rest; TLS 1.2; DPA + SCCs |
| Microsoft Azure Blob Storage | Media uploads & backups | Encryption at rest; separate encryption keys; DPA + SCCs |
| Vercel | Hosting & edge caching | ISO 27001; DPA + SCCs |
| Twilio / Resend | SMS & email delivery | SOC 2 (where applicable); DPA + SCCs |
| Authorized Subscriber | Provide requested service | Controller–Processor contract |
| Government / Law enforcement | Legal compliance | Legal obligation + minimisation |
| Corporate successors | M&A, financing, reorg | Confidentiality; SCCs and contractual safeguards |
A dedicated list of sub-processors, how we update it, and how to reach us about changes is published at flowdara.com/subprocessors.
Residents of California and other states with comprehensive privacy laws may have rights regarding sensitive personal information, which can include certain health-related or wellness-related details submitted through intake forms, waivers, or similar features. Depending on your state, you may have the right to limit use or disclosure of sensitive information, to access or delete it, or to exercise other rights described in applicable law. Use the request channels below (for example Account → Privacy Dashboard or privacy@flowdara.com). We do not use sensitive personal information for cross-context behavioral advertising. We do not sell personal information as that term is commonly defined under U.S. state privacy laws (see also the Privacy Snapshot above).
Submit requests via Account → Privacy Dashboard or email privacy@flowdara.com with subject "Data Subject Request". We will verify identity (two‑factor challenge or signed request via logged‑in session) and respond within:
If you believe we have not resolved your concern, you may lodge a complaint with your local supervisory authority (contact links provided in the Privacy Dashboard).
We keep Personal Information only as long as necessary for the purposes described or as required by law:
When retention expires, data is securely erased or anonymised within 60 days.
Personal data may be processed in the United States and Canada; backups may be stored in United Kingdom Azure regions. When we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we use appropriate safeguards, including Standard Contractual Clauses (SCCs) and vendor data-processing agreements.
Data Privacy Framework (DPF). If Flowdara self-certifies to the EU-U.S. Data Privacy Framework, the UK Extension, and/or the Swiss-U.S. Data Privacy Framework, we will state that clearly in this Policy and link to our listing on the official Data Privacy Framework program site. Unless and until such certification is published in this Section, do not rely on the DPF as your transfer mechanism - SCCs and vendor DPAs apply. Supplementary measures include encryption, access logging, and sub-processor vetting.
If you connect Flowdara to Google Calendar™ or other OAuth providers, we will access calendar metadata solely to display availability and create events you ask us to create. Flowdara's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Humans do not read calendar content except with your explicit consent for support or security reasons.
We do not knowingly collect data from children under 13 (COPPA). Parents who believe a child has provided us data may contact privacy@flowdara.com for immediate deletion. Minors aged 13–15 may use the Services only with verifiable parental consent; UK/EU users aged 13–16 require guardian consent per GDPR Article 8.
Minor updates are posted at https://flowdara.com/privacy. Material changes (those that reduce your rights or expand processing) will be announced 30 days in advance via email and in‑app notices. Continued use after the effective date constitutes acceptance.
Data Controller: Flowdara, Inc.
Privacy Office:
210 SW Century Dr., Bend, OR 97702, USA
✉︎ privacy@flowdara.com (preferred for all privacy and data-rights requests)
EU/UK representative details will be added prior to UK launch and will appear here.
For unresolved GDPR complaints you may contact the Irish Data Protection Commission or your local supervisory authority. If Flowdara participates in the Data Privacy Framework, we will link to the applicable DPF dispute-resolution and arbitration procedures from this Section when certification is published (see Section 10).
© 2026 Flowdara, Inc. All rights reserved.