Privacy Policy
This policy explains what personal data Flo∞ collects, how we use it, who we share it with, and the choices and rights you have. It covers both the businesses that subscribe to Flo∞ and the end customers whose details those businesses manage in the platform.
Last updated: 24 June 2026
1. Who we are
Flo∞ (“Flo8”, “we”, “us”) is a salon, spa, and clinic management platform operated by a company established in the United Arab Emirates, serving businesses across the MENA region. You can contact us at info@flo8.io.
TODO (owner): registered legal entity name, trade-licence number, and registered address to be inserted here by counsel.
2. Controller and processor roles
Flo∞ serves two kinds of people, and our role differs for each:
- Business accounts (our customers). When a business signs up, configures its workspace, and pays for a subscription, we act as the controller of that account’s own data (e.g. the owner’s login, billing, and team accounts).
- End-customer data (the business’s clients). When a business stores its own clients’ appointments and contact details in Flo∞, that business is the controller of that data and Flo∞ acts as a processor, handling it only on the business’s instructions and to provide the service.
If you are an end customer and want your data corrected or deleted, please contact the business you booked with — they control that record. We will assist that business in responding to your request.
3. Data we collect
Depending on how Flo∞ is used, we process:
- Account & profile data: name, email address, phone number, business name, role, and login credentials.
- Billing data: subscription plan, billing contact, and payment status. Card details are entered directly with our payment processor (Stripe); we do not store full card numbers.
- End-customer records (on behalf of businesses): client names, contact details, appointment history, notes a business chooses to record, and stock/operations data.
- Communications: the content and metadata of calls, SMS, WhatsApp, web chat, and email handled through the platform — including AI-assisted replies and call transcripts.
- Usage & technical data: log data, device and browser information, IP address, and diagnostic/error data used to operate and secure the service.
4. How we use data
- To provide, operate, and maintain the Flo∞ platform and its features.
- To power AI-assisted booking, messaging, reordering, and the phone receptionist.
- To process subscriptions and payments and to manage your account.
- To send service and transactional messages (e.g. confirmations, alerts, support).
- To monitor, secure, debug, and improve the service.
- To comply with legal obligations and enforce our terms.
We do not sell personal data. We do not use end-customer data to train our own models, and we do not use it for advertising.
5. Sub-processors
We rely on the following third-party service providers to operate Flo∞. Each processes personal data only as needed to provide its part of the service, under its own terms and security commitments:
| Provider | Purpose |
|---|---|
| Supabase | Managed Postgres database, authentication, and file storage — the primary store for tenant and end-customer records. |
| Stripe | Subscription billing and payment processing for business accounts. Stripe handles card data directly; we do not store full card numbers. |
| Twilio | Sending and receiving SMS, WhatsApp, and voice communications (e.g. appointment confirmations and the phone line). |
| Retell AI | Powers the AI phone receptionist — speech recognition and voice responses for inbound calls (Premium feature). |
| Anthropic | Large-language-model processing behind the AI assistant (booking, messaging, and operations actions). |
| Resend | Transactional email delivery (e.g. notifications, support, and demo-request alerts). |
| Sentry | Application error monitoring and performance diagnostics, to keep the service reliable. |
Some of these providers process data outside the UAE/MENA region (for example in the EU or US). TODO (owner): confirm with counsel the appropriate safeguards and cross-border transfer disclosures for your jurisdiction(s).
6. Data retention
We keep personal data for as long as a business account is active and for as long as needed to provide the service. When a business closes its account, we delete or anonymise its data within a reasonable period, except where we must retain certain records to meet legal, tax, accounting, or security obligations.
TODO (owner): set and state specific retention periods (e.g. days to delete after account closure, billing-record retention) once confirmed.
7. Security
We use technical and organisational measures to protect personal data — including encryption in transit, access controls, tenant isolation, and error monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify affected parties of a material breach as required by applicable law.
8. Cookies
Flo∞ uses a small number of strictly necessary cookies — primarily to keep you signed in (Supabase authentication) and to keep the app secure. These are essential to provide the service and cannot be switched off through the app.
We do not currently set advertising, analytics, or other non-essential tracking cookies, so no cookie-consent banner is shown. If that changes, we will update this policy and add a consent mechanism where required.
9. Your rights
Subject to applicable law, you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. To exercise these rights:
- Business accounts: contact us at info@flo8.io.
- End customers: contact the business you booked with (the controller of your record). We will support that business in fulfilling your request.
TODO (owner): confirm with counsel which data-protection regime(s) apply (e.g. UAE PDPL, DIFC DPL, or others by customer location) and add any region-specific rights and complaint/contact details.
10. Children
Flo∞ is a business tool and is not directed to children. We do not knowingly collect personal data directly from children. Businesses that record minors’ details (e.g. for appointments) are responsible for having a lawful basis to do so.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “last updated” date above and, where appropriate, notify account holders. Continued use of Flo∞ after an update means you accept the revised policy.
Questions about this policy?
Reach our team at info@flo8.io. We're a UAE-established company serving businesses across the MENA region.