Legal Document

Privacy Policy

Effective: April 26, 2026  ·  Last updated: April 26, 2026

GDPR & Meta Compliance: This Privacy Policy describes how Fazinflo collects, uses, and protects your personal data. It is designed to comply with the EU General Data Protection Regulation (GDPR), Meta's Platform Terms Section 3.9, and applicable data protection laws.

1. Overview & Data Controller

This Privacy Policy applies to FLOWDESK (https://flowdesk-app.com), an AI-powered marketing automation platform operated by Fazinflo.

Data Controller: Fazinflo

Representative: Ronnii K

Controller Email: ronnii.k721@gmail.com

Privacy Enquiries: privacy@flowdesk-app.com

Product: FLOWDESK (https://flowdesk-app.com)

As the data controller, Fazinflo determines the purposes and means of processing your personal data. By using FLOWDESK, you acknowledge that your data will be processed as described in this policy.

2. Data We Collect

We collect the following categories of personal and operational data:

2.1 Personal Identification Data

  • Full name
  • Email address
  • Company name and industry
  • Profile picture (where provided or synced from OAuth)
  • Billing information (processed by our payment provider; we do not store card details)

2.2 Instagram & Meta Account Data

This data is collected only when you connect your Instagram account to FLOWDESK. You can revoke access at any time.
  • Instagram username and user ID
  • Instagram profile information (name, bio, profile picture, follower/following count)
  • Instagram access tokens and refresh tokens (encrypted at rest)
  • Direct message content (conversations you manage through FLOWDESK)
  • Follower and following lists (for lead targeting, where authorised)
  • Post and story engagement data (impressions, reach, interactions)
  • Instagram business/creator account insights

2.3 Campaign & Lead Data

  • Campaign configurations, target audiences, and message sequences
  • Lead profiles (Instagram handles, names, bio, follower count, lead scores, tags, notes)
  • Scraped lead sets — profiles collected via hashtag scraper, competitor scraper, comment scraper, and profile scraper
  • AI lead scores (0–100) and score explanations generated by Anthropic Claude API
  • AI-generated outreach scripts (Script Generator output)
  • Conversation histories between your account and prospects
  • Content Deck items (posts, captions, creative assets)
  • Campaign performance metrics and analytics

2.4 Authentication Data

  • Email and password credentials (hashed and stored securely via Supabase Auth)
  • Google OAuth tokens (when signing in with Google)
  • Authentication session tokens and refresh tokens

2.5 Usage & Technical Data

  • IP address and approximate geolocation
  • Browser type, version, and device information
  • Pages visited, features used, and time spent in the application
  • Error logs and crash reports
  • API request logs (anonymised after 90 days)

3. How We Collect Data

We collect data through the following means:

  • Direct Provision: Information you enter when registering, configuring your account, or creating campaigns.
  • OAuth Authorisation: Data shared by Google or Meta/Instagram when you connect these accounts using OAuth.
  • Platform APIs: Data retrieved from the Instagram Graph API on your behalf when you authorise the integration.
  • Automated Collection: Usage data, logs, and technical information collected automatically when you use the Service.
  • Cookies & Local Storage: Authentication state and user preferences stored in your browser (see Section 12).

4. Purpose & Legal Basis for Processing

We process your personal data for the following purposes, each supported by a legal basis under GDPR Article 6:

Purpose | Legal Basis (GDPR Art. 6)
Provide the Service (account management, campaigns, AI features) | Art. 6(1)(b) — Performance of a contract
Process subscription payments | Art. 6(1)(b) — Performance of a contract
Instagram DM automation and lead management | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(a) — Consent
AI processing of conversation data to generate responses | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(a) — Consent
Security, fraud prevention, and legal compliance | Art. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interests
Analytics and service improvement | Art. 6(1)(f) — Legitimate interests
Sending transactional emails (account notices, receipts) | Art. 6(1)(b) — Performance of a contract
Sending marketing communications (newsletters, product updates) | Art. 6(1)(a) — Consent (opt-in required)

5. Instagram & Meta Data — Specific Disclosures

This section satisfies Meta Platform Terms Section 3.9 (Privacy Policy requirements for apps accessing Instagram data).

What Instagram Data We Access

When you connect your Instagram account, FLOWDESK requests permission to access:

  • Your Instagram profile (username, profile picture, bio, follower/following counts)
  • Your direct messages (read and send on your behalf)
  • Your post and story data (for scheduling and analytics)
  • Your Instagram Insights (engagement metrics for business/creator accounts)

How We Use Instagram Data

Instagram data is used exclusively to provide the features you request within FLOWDESK:

  • To send and receive DMs on your behalf as part of your outreach campaigns
  • To display conversation histories and lead profiles in the FLOWDESK inbox
  • To generate analytics and performance metrics for your campaigns
  • To train AI agents with conversation context (processed by Anthropic Claude API)

We do not sell, share, or use your Instagram data for advertising, profiling unrelated to your campaigns, or any purpose beyond providing the Service.

Data Deletion — Instagram Callback

Meta requires that apps provide a mechanism for users to request deletion of their Instagram data. You may request deletion by:

Upon receiving a valid deletion request, we will delete your Instagram access tokens and associated conversation data within 30 days and send confirmation to your registered email.

6. FlowDesk Chrome Extension

This section specifically discloses data collection practices of the FlowDesk Chrome Extension, which operates on Instagram pages in your browser.

What the Extension Does

The FlowDesk Chrome Extension runs on Instagram pages you visit while logged in to Instagram in your browser. It enables the following lead scraping features:

  • Hashtag Scraper: Navigates to Instagram hashtag pages, opens individual posts, and reads the post author's username and profile metadata from the page DOM and HTML meta tags.
  • Competitor/Profile Scraper: Visits a target Instagram profile's followers or following page and reads usernames, display names, and bio snippets from the DOM.
  • Comment Scraper: Opens Instagram posts and reads the usernames and comment text of users who commented, using DOM selectors and Instagram's internal API responses intercepted from the page.
  • DM Automation (Hunter Mode): Sends pre-configured direct message sequences to leads on your behalf using your active Instagram session.

Data the Extension Accesses

  • Instagram session cookies: The extension uses your existing Instagram login session to navigate and interact with Instagram. It does not read, copy, or transmit your Instagram password or session tokens to our servers.
  • Page DOM content: The extension reads publicly visible text content from Instagram pages — specifically usernames, display names, and bio text of profiles you choose to scrape.
  • Meta tags: Author metadata from HTML meta tags on Instagram post pages.

How Scraped Data Is Transmitted

Scraped lead data (usernames, names, bios) is sent from the extension to the FlowDesk web app via postMessage and stored in your FlowDesk account database. The data is only collected when you actively start a scraping job and belongs to your account.

What the Extension Does Not Do

  • It does not read or transmit your Instagram password or private account credentials.
  • It does not access your personal Instagram DM inbox unless you have explicitly enabled Hunter Mode for that account.
  • It does not run in the background or collect data when you are not actively using a FlowDesk scraping feature.
  • It does not inject ads, track your browsing outside Instagram, or share data with any third party other than the FlowDesk platform.

Instagram Terms Compliance

Use of the extension must comply with Instagram's Terms of Use. You are solely responsible for ensuring your scraping and DM activities comply with Instagram's platform rules and applicable law. Aggressive or automated use in violation of Instagram's policies may result in your Instagram account being restricted.

7. Third-Party Services & Data Sharing

We engage the following third-party service providers, each of whom processes data on our behalf or under their own terms:

Role: Database, authentication, and file storage

Data shared: All user data, campaign data, conversation histories, Instagram tokens

Location: US/EU (AWS infrastructure)

Google (OAuth)

Role: Authentication via Google Sign-In

Data shared: Name, email address, Google profile picture

Location: Global

Meta / Instagram

Role: Instagram integration via Graph API

Data shared: Instagram profile, messages, insights, access tokens

Location: Global

Anthropic (Claude API)

Role: AI processing for automated responses and agent training

Data shared: Conversation text, AI agent configurations, outreach templates

Location: US

Role: Payment processing for subscriptions and credit top-ups (India)

Data shared: Name, email, billing amount, order ID — no card data is stored by FlowDesk

Location: India

Role: Web hosting and content delivery

Data shared: IP addresses, request logs (anonymised)

Location: Global edge network

We do not sell your personal data to third parties. We do not share your data with advertising networks, data brokers, or any entity not listed above.

8. Data Storage & Security

Storage Infrastructure

Your data is stored on Supabase, hosted on Amazon Web Services (AWS) infrastructure. Supabase provides:

  • AES-256 encryption at rest for all stored data
  • TLS 1.2+ encryption in transit for all API communications
  • ISO 27001-compliant data centres
  • SOC 2 Type II compliance

Our Security Measures

  • Row-Level Security (RLS): Database-level access controls ensure users can only access their own data
  • Token Encryption: Instagram and OAuth access tokens are encrypted before storage
  • Secure Authentication: Passwords are hashed using bcrypt; we never store plaintext credentials
  • API Security: All API endpoints require authentication; rate limiting is applied to prevent abuse
  • Access Controls: Internal access to production data is limited to authorised personnel only

Despite these measures, no system is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

9. Data Retention

Data Type | Retention Period
Active account data (profile, campaigns, leads) | Retained for the duration of your active account
Instagram access tokens | Until you disconnect Instagram or delete your account
Conversation histories | Retained while your account is active; deleted 30 days after account deletion
Billing records | 7 years (legal/tax compliance requirement)
Deleted account data | Purged within 30 days of account deletion request
API request logs | Anonymised after 90 days; deleted after 1 year
Marketing communications consent records | Retained until you withdraw consent + 3 years

10. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with comparable data protection laws, you have the following rights regarding your personal data:

Right to Access (Art. 15)

Request a copy of all personal data we hold about you. We will provide this within 30 days in a machine-readable format.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data. You can update most data directly in your account settings.

Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your personal data. Upon a valid request, we will delete your data within 30 days, except where retention is required by law.

Right to Data Portability (Art. 20)

Request your data in a structured, commonly used, machine-readable format (JSON or CSV) to transfer to another provider.

Right to Restrict Processing (Art. 18)

Request that we limit processing of your data in certain circumstances, such as while disputing accuracy.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Lodge a Complaint

Lodge a complaint with your national data protection authority. In the UK: the ICO (ico.org.uk). In the EU: your local supervisory authority.

To exercise any of these rights, contact us at privacy@flowdesk-app.com. We will respond within 30 days. We may request identity verification before processing your request.

11. Data Deletion

Meta/Instagram Requirement: This section satisfies Meta's requirement for apps to provide clear data deletion instructions.

How to Delete Your Data

You may request deletion of your FLOWDESK data at any time using any of the following methods:

Option 1: Delete via Account Settings

  1. Log in to your FLOWDESK account at https://flowdesk-app.com
  2. Navigate to Settings → Account
  3. Scroll to "Delete Account" and click "Request Deletion"
  4. Confirm your decision — this action is irreversible

Option 2: Email Request

Send an email to privacy@flowdesk-app.com with the subject line "Data Deletion Request" and include your registered email address. We will process your request within 30 days and send confirmation.

Option 3: Instagram Data Only

To delete only your Instagram data without deleting your FLOWDESK account:

  1. Go to Settings → Social Accounts in FLOWDESK
  2. Click "Disconnect" next to your Instagram account
  3. Your Instagram access tokens will be deleted within 24 hours
  4. Historical conversation data will be deleted within 30 days

Alternatively, revoke FLOWDESK's permissions at Facebook Apps Settings. Upon revoking permissions, we will receive a data deletion callback and purge your Instagram data within 30 days.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. When transferring data from the EEA or UK to third countries, we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contract terms that impose GDPR-equivalent obligations on data processors in third countries (applicable to Supabase, Anthropic, and Vercel).
  • Adequacy Decisions: Where the European Commission has determined that a third country provides adequate protection.
  • Legitimate Interests / Necessity: For Meta data, transfers are necessary for the performance of your Instagram integration contract.

For details of the safeguards in place for specific transfers, contact privacy@flowdesk-app.com.

13. Cookies & Tracking

FLOWDESK uses a minimal cookie and local storage policy, focused on essential functionality only:

Name / Type | Purpose | Duration | Type
supabase-auth-token | Authentication session token | Session / 1 hour | Essential
flowdesk_user (localStorage) | Current user session data | Until logout | Essential
theme (localStorage) | UI theme preference (light/dark) | Persistent | Functional
flowdesk_onboarding (localStorage) | Onboarding completion state | Persistent | Functional

We do not use advertising cookies, third-party tracking pixels, or analytics cookies that profile your browsing behaviour. Essential cookies cannot be disabled as they are required for the Service to function.

14. Children's Privacy

FLOWDESK is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@flowdesk-app.com and we will delete such information promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Send an email notification to your registered email address at least 14 days before the changes take effect.
  • Display a prominent notice within the FLOWDESK application.
  • Update the "Last updated" date at the top of this page.

For material changes that require your consent (e.g., new uses of Instagram data), we will request your explicit consent before the changes apply. Continued use of the Service after the effective date of non-consent-required changes constitutes acceptance of the updated policy.

16. Contact & Data Protection Officer

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

General Privacy Enquiries

Email: privacy@flowdesk-app.com

Response time: Within 30 days (GDPR standard)

Language: English

Data Controller

Name: Ronnii K

Company: Fazinflo

Email: ronnii.k721@gmail.com

Data Deletion Requests: To request deletion of your data or Instagram integration data, email privacy@flowdesk-app.com with subject "Data Deletion Request". See Section 10 for detailed instructions.

If you believe we have not addressed your privacy concern adequately, you have the right to lodge a complaint with your local data protection authority. In the UK: Information Commissioner's Office (ico.org.uk).

© 2026 Fazinflo. All rights reserved.