Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, phone number, and authentication credentials when you create an account.
• Business Information: Business name, industry, address, timezone, and other details you provide during onboarding or profile setup.
• Business Data: Customer records, job details, quotes, invoices, expenses, payments, schedule entries, line items, notes, mileage logs, time entries, and any other data you create through the Service.
• Communications: Messages you send to the Flo AI assistant, feedback, and support requests.
• Files and Attachments: Documents, images, and other files you upload to the Service.
• Payment Information: Payment instructions and billing details you provide for customer invoicing. Payment processing is handled by Stripe; we do not store full credit card numbers.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, interactions with Flo, session duration, and timestamps.
• Device Information: Device type, operating system, browser type, and unique device identifiers.
• Log Data: IP address, access times, and referring URLs.
• Location Data: Approximate location derived from IP address. We do not collect precise GPS location unless you explicitly grant permission for mileage tracking.

1.3 Information from Third Parties

• Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not access your Gmail, Google Drive, or other Google services unless you explicitly authorize a specific integration.
• Google Contacts & Calendar: If you choose to connect Google Contacts or Google Calendar, we import contact records and calendar events solely to help you manage your business. You can disconnect these integrations at any time.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service, including the Flo AI assistant.
• Process and manage your business operations (quoting, invoicing, scheduling, expense tracking, payment processing).
• Send transactional communications (SMS notifications, invoice deliveries, appointment reminders) on your behalf to your customers via Twilio.
• Generate AI-powered insights, recommendations, and business reports.
• Provide customer support and respond to your requests.
• Detect, prevent, and address technical issues, security threats, and fraudulent activity.
• Comply with legal obligations.

We never sell your personal information or business data to third parties. We never use your business data to train AI models.

3. How We Share Your Information

We may share your information in the following circumstances:

• Service Providers: We use third-party service providers to operate the Service, including Amazon Web Services (cloud infrastructure and hosting), Stripe (payment processing), Twilio (SMS messaging), OpenAI (ChatGPT platform for the Flo assistant), and Google Cloud (AI language models). These providers are contractually bound to use your data only to provide services to us and are obligated to protect your information.
• Your Customers: When you use the Service to send quotes, invoices, or messages to your customers, the relevant business information is shared with those recipients.
• Legal Requirements: We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4. Data Security

We implement industry-standard security measures to protect your information:

• Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption.
• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Tenant Isolation: Your business data is logically isolated from other users at the database level using row-level security policies. No other user or business can access your data.
• Access Controls: Access to production systems is restricted to authorized personnel using multi-factor authentication.
• Infrastructure: The Service is hosted on Amazon Web Services in the United States, which maintains SOC 2, ISO 27001, and other industry certifications.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete or anonymize your personal information and business data within thirty (30) days, except where retention is required by law (e.g., tax records, legal disputes).

Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics and service improvement purposes.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information and business data.
• Data Portability: Request an export of your data in a machine-readable format.
• Opt-Out: Unsubscribe from marketing communications at any time. Transactional messages (account verification, security alerts) cannot be opted out of.
• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@yougsd.com. We will respond within thirty (30) days.

7. Cookies and Tracking Technologies

The Service uses essential cookies and local storage to maintain your authentication session and application preferences. We do not use third-party advertising cookies or cross-site tracking technologies. We do not participate in ad networks or sell data to data brokers.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will delete that information promptly.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt-out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at privacy@yougsd.com.

10. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Effective Date" above. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: