Privacy Policy

Flomatik.ai — Last updated: June 9, 2026

Who We Are

Flomatik (“we,” “us,” or “our”) operates Flomatik.ai, an AI-powered chat and voice agent platform for businesses. This policy applies to two groups of people:

  • Clients — businesses and individuals who create accounts on Flomatik.ai and deploy AI agents.
  • End Users — individuals who interact with Flomatik-powered agents on our clients' websites or other channels.

When we process End User data on behalf of a Client, the Client is the data controller and Flomatik acts as a data processor. Our processing of End User data is governed by a Data Processing Agreement (DPA) between Flomatik and the Client.

If you have questions about this policy, contact us at andrew@flomatik.ai.

What We Collect

From Clients

  • Account information — your name and email address, provided via Google OAuth sign-in
  • Usage data — basic platform activity such as login timestamps and feature usage
  • Authentication cookies — session tokens used to keep you logged in
  • Agent configurations — the settings, prompts, and workflows you create

From End Users (on behalf of Clients)

  • Conversation logs — chat and voice interactions processed through deployed agents
  • Lead data — information captured by agents from end users (names, emails, phone numbers, etc.)
  • Voice call data — recordings or transcripts from voice agent interactions, where applicable
  • Technical metadata — IP addresses, browser type, and device information collected during interactions

How We Collect It

  • Google OAuth — when you sign in, Google provides your name and email. We do not receive your Google password.
  • Supabase — we use Supabase for authentication and database services. Your data is stored in Supabase's secure cloud infrastructure.
  • AI model providers — conversation data is sent to third-party AI model providers (such as OpenAI or Anthropic) to generate agent responses. These providers process the data solely to return a response and do not use it for their own model training under their API terms of service.
  • Cookies — we use cookies strictly for maintaining your authenticated session. We do not use tracking or advertising cookies.

How We Use Your Data

We use your information to:

  • Authenticate your account and maintain your session
  • Operate and deliver the Flomatik platform features
  • Store and retrieve your agent configurations and conversation logs
  • Process End User interactions through AI model providers to generate agent responses
  • Improve platform performance and reliability
  • Respond to support requests

Lawful Basis for Processing (GDPR)

Where the General Data Protection Regulation (GDPR) applies, we rely on the following lawful bases:

  • Performance of a contract — processing necessary to provide the Flomatik platform to Clients who have agreed to our terms of service.
  • Legitimate interest — processing necessary for platform operation, security, and improvement, where those interests are not overridden by the data subject's rights.
  • Consent — where required by applicable law, such as for certain cookie usage or marketing communications.
  • Data processing on behalf of Clients — when processing End User data, we act as a data processor on the Client's instructions. The Client is responsible for establishing a lawful basis for the collection of End User data.

US State Privacy Laws

Flomatik complies with applicable US state privacy laws, including the California Consumer Privacy Act (CCPA) and the Minnesota Consumer Data Privacy Act (MCDPA). The rights described in this policy meet or exceed the requirements of these laws.

How We Store and Protect It

Your data is stored in secure cloud infrastructure via Supabase, with encryption at rest and in transit. We apply industry-standard security practices to protect against unauthorized access, disclosure, or loss. Access to production data is strictly limited to authorized personnel.

In the event of a data breach, we will notify affected parties as required by applicable law.

What We Don't Do

  • We do not sell your data to third parties
  • We do not use your data for advertising
  • We do not use your data to train AI models
  • We do not share your data with third parties except as required to operate the service (e.g., our infrastructure and AI model providers as described in this policy)

Data Retention

We retain Client account data for as long as the account is active. Conversation logs and lead data are retained according to the Client's account settings or as agreed in the applicable Data Processing Agreement. Upon termination of a Client's account, we will delete or return all associated data within 30 days, unless retention is required by law.

You may request deletion of your data at any time by contacting andrew@flomatik.ai.

International Data Transfers

Flomatik is based in the United States and data is stored on US-based infrastructure. If you are located outside the United States, including in the European Economic Area (EEA) or United Kingdom, your data will be transferred to and processed in the United States.

For transfers of personal data from the EEA or UK, we rely on appropriate safeguards as required by GDPR, which may include Standard Contractual Clauses (SCCs) with our sub-processors or other approved transfer mechanisms.

Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request restriction of processing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent for data processing at any time
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local data protection authority (for EEA and UK residents)

To exercise any of these rights, email us at andrew@flomatik.ai. We will respond within 30 days.

If you are an End User and wish to exercise your rights regarding data collected through a Flomatik-powered agent, please contact the business whose website you interacted with (the data controller). They will coordinate with us to fulfill your request.

Sub-processors and Third-Party Services

Flomatik uses the following categories of third-party service providers to operate the platform:

  • Authentication: Google (OAuth)
  • Database and infrastructure: Supabase
  • AI model providers: used to generate agent responses from conversation data (e.g., OpenAI, Anthropic)
  • Voice services: Retell AI, used for voice agent functionality

Each sub-processor is bound by data protection obligations consistent with this policy and applicable law. A current list of sub-processors is available upon request by emailing andrew@flomatik.ai.

Google User Data

When a Client connects their Google account, Flomatik requests access to Google Calendar using the calendar.readonly and calendar.events scopes. We use this access only to:

  • Read calendar free/busy availability, so our AI agents can offer appointment times when the Client is actually free; and
  • Create new calendar events for appointments booked through Flomatik.

We do not read the contents of events created by others, and we do not modify or delete events we did not create, change calendar sharing settings, or create or delete calendars. Google access tokens are stored server-side with restricted access, and a Client can revoke Flomatik's access at any time from the Integrations page or via their Google Account security settings.

Flomatik's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Changes to This Policy

We may update this policy as the platform evolves. We will update the “Last updated” date and, for material changes, notify Clients via email or in-app notice.

Contact

Flomatik — andrew@flomatik.aiflomatik.ai