Privacy Policy

This Privacy Policy describes how Joana Technologies Limited (trading as flowstate) and its affiliated companies (collectively, “Flowstate”, “we”, “our” or “us”) collect, process and manage the following categories of personal data:

Customer Data: personal data (as defined in Section 1) that we collect, process and manage on behalf of our business customers (each, a “Customer”; collectively, “Customers”), as part of the Flowstate products and services described on one or more applicable order forms (“Platform”). We process such Customer Data on behalf of and under the instruction of the respective Customer, in accordance with our Data Processing Addendum with them. Accordingly, this Privacy Policy (which describes Flowstate’s privacy and data processing practices) does not apply to the privacy and data processing practices of our Customers. To learn about the privacy policy and practices of our Customers, please contact them directly.

User Data: personal data concerning individuals acting on behalf of our Customers in respect of their engagement with Flowstate, and users of the Platform on behalf of such Customers, e.g., the account administrators and users, billing contacts and authorised signatories on behalf of the Customer (collectively, “Users”); as well as the Customer’s business needs and preferences, as identified to us or recognised through our engagement with them.

Prospect Data: personal data relating to visitors of our website, participants at our events, and any other prospective customer, user or partner (collectively, “Prospects”) who visits or otherwise interacts with our website, online ads and content, emails, integrations or communications under our control (the “Sites”, and collectively with the Platform, the “Services”).

Specifically, this Privacy Policy describes our practices regarding:

  • Data Collection & Processing

  • Data Uses

  • Data Location & Residency

  • Data Retention

  • Data Disclosure

  • Sub-Processors

  • Cookies & Analytics

  • Artificial Intelligence

  • Communications

  • Data Security

  • Data Subject Rights

  • Data Controller/Processor

  • Opt-Out of Sale/Sharing

  • Additional Notice & Contact Details

    Our Services are designed for businesses and are not intended for personal or household use. Accordingly, we treat all personal data covered by this Privacy Policy, including information about any visitors to our Sites, as pertaining to individuals acting as business representatives, rather than in their personal capacity.

    You are not legally required to provide us with any personal data. If you do not wish to provide us with your personal data, or to have it processed by us or any of our Service Providers (as defined below), please do not provide it to us and avoid any interaction with us or with our Sites, or use of our Services.

    1. Data Collection & Processing

    When we use the terms “personal data” or “personal information” in this Privacy Policy, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or deidentified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.

    Sometimes we collect personal data automatically when an individual interacts with our Services or Sites and sometimes we collect personal data directly from an individual. At times, we may collect personal data about an individual from other sources and third parties (such as our Customers and Service Providers), even before our first direct interaction. Flowstate does not collect, use, or disclose sensitive personal data.

    We may collect or generate the following types of personal data about individuals through the Services:

    Usage, login credentials and device information concerning Users and Prospects, including connectivity, technical and aggregated usage data such as user agent, IP addresses and approximate location based upon such IP addresses, device data (such as type, operating system, device identifier, browser version, locale and language settings), activity logs, session recordings, login credentials to the Services, the cookies and pixels installed or utilised on their device, and inferred or presumed data generated from their use of the Services.

    Contact and business details concerning our Customers, Users and Prospects, such as name, email address, phone number, job title, position, workplace and related business insights, our communications with such individuals (correspondences, sensory information including call and video recordings, and transcriptions and analyses thereof), feedback and testimonials received, contractual and billing details, as well as any expressed, presumed or identified needs, preferences, attributes and insights relevant to our potential or existing engagement.

    Customer Data which is provided by our Customers or processed on their behalf and under their instruction. This may include any of the types of personal data described above (with respect to Users or other individuals whose data is contained in the Customer Data), including workforce planning data such as employee names, job titles, compensation information, organisational structures, project assignments and related workforce data. Customer Data is processed in accordance with our Data Processing Addendum.


    2. Data Uses

    We use personal data as necessary for the performance of our Services (“Performance of Contract”); to comply with our legal and contractual obligations (“Legal Obligation”); and to support our legitimate interests in maintaining and improving our Services, e.g., in understanding how our Services are used and how our campaigns are performing, and gaining insights which help us dedicate our resources and efforts more efficiently; in marketing, advertising and selling our Services; providing customer service and technical support; and protecting and securing our Customers, Users, Prospects, ourselves and our Services (“Legitimate Interests”).

    If you reside or are using the Services in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for the processing of personal data as described herein, your acceptance of our Terms and Conditions and this Privacy Policy will be deemed as your consent to the processing of your personal data for all purposes detailed in this Policy, unless applicable law requires a different form of consent. If you wish to revoke such consent, please contact us at security@flowstate.inc.

     

    Flowstate does not use Customer Data to train our AI or machine learning models.

    Customer Data is only used to provide and maintain the Services and is never commingled across customers.

     

    Specifically, we use personal data for the following purposes:

    Customer and User personal data

    •   To facilitate, operate, enhance and provide our Services (Performance of Contract; Legitimate Interests)

    •   To provide our Customers and Users with assistance and support, to test and monitor the Services, diagnose or fix technology problems, and to train our Customers and customer-facing staff (Performance of Contract; Legitimate Interests)

    •   To personalise our Services, including by recognising an individual and remembering their information when they return to our Services (Performance of Contract; Legitimate Interests)

    •   To facilitate and optimise our marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for our products and services more effectively (Legitimate Interests; Consent)

    •   To facilitate, sponsor and offer certain events, contests and promotions (Legitimate Interests)

    Customer, User and Prospect personal data

    •   To gain a better understanding of how individuals use and interact with our Services, so that we can continue improving our products, offerings and the overall performance of our Services, including through the utilisation and optimisation of artificial intelligence and machine learning capabilities (Legitimate Interests)

    •   To contact our Customers, Users and Prospects with general or personalised service-related messages, as well as promotional messages that may be of specific interest to them (Performance of Contract; Legitimate Interests; Consent)

    •   To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of fraud, error or any illegal, criminal or prohibited activity (Performance of Contract; Legitimate Interests; Legal Obligation)

    •   To create aggregated statistical data, inferred non-personal data, or anonymised or pseudonymised data, which we or our business partners may use to provide and improve our respective services (Legitimate Interests)

    •   To enforce our Terms and Conditions, to resolve disputes, to carry out our obligations and enforce our rights, and to protect our business interests and the interests and rights of third parties (Legitimate Interests)

    •   To comply with our contractual and legal obligations and requirements (Performance of Contract; Legitimate Interests; Legal Obligation)


    3. Data Location & Residency

    3.1 Customer Data Residency

    Flowstate is committed to ensuring that Customer Data is stored and processed in the region selected by the Customer. Upon onboarding, each Customer selects their preferred data region. All Customer Data, including relational data, cached data, analytical data and object storage, is provisioned and retained exclusively within the Customer’s selected region. No cross-region replication of Customer Data occurs.

    The following production regions are currently available:

    | Region        | Location       | Country        |
    |---------------|----------------|----------------|
    | Europe        | London         | United Kingdom |
    | Europe        | Belgium        | Belgium        |
    | Europe        | Stockholm      | Sweden         |
    | Europe        | Zurich         | Switzerland    |
    | North America | North Virginia | United States  |
    | North America | Salt Lake City | United States  |
    | Asia-Pacific  | Sydney         | Australia      |
    | Asia-Pacific  | Melbourne      | Australia      |
    | Asia-Pacific  | Mumbai         | India          |
    | Middle East   | Tel Aviv       | Israel         |
    | Asia-Pacific  | Singapore      | Singapore      |

    Application compute resources are provisioned in the same region as the Customer’s data, ensuring that data processing occurs within the selected region and that Customer Data does not traverse regional boundaries during normal platform operations.


    3.2 General Data Location

    We and our authorised Service Providers maintain, store and process personal data (other than Customer Data, which is subject to the residency commitments above) in the United States of America, Europe and other locations as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.

    For data transfers from the EEA, Switzerland or the UK to countries which are not considered to be offering an adequate level of data protection, we and the relevant data exporters and importers have entered into Standard Contractual Clauses as approved by the European Commission, FDPIC and UK Information Commissioner’s Office (ICO). You can obtain a copy of these clauses by contacting us as indicated in Section 14 below.


    4. Data Retention

    We retain personal data for as long as reasonably necessary in order to maintain and expand our relationship and provide you with our Services and offerings; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes, all in accordance with our data retention policy.

    The following specific retention periods apply:

    •   Customer platform data: retained for the duration of the Customer’s active subscription and for a 30-day wind-down period following termination or expiry of the subscription, during which the Customer may export their data. Upon expiry of the wind-down period, Customer Data is permanently deleted from all production systems, backups and secondary storage.

    •   Account and User data: retained for the duration of the active account relationship and for a reasonable period thereafter to comply with legal and contractual obligations.

    •   Audit and security logs: retained for a minimum of 12 months from the date of creation.

    •   Analytics data: retained in accordance with the retention settings of each analytics provider and anonymised or deleted when no longer required.

    •   Prospect data: retained for as long as reasonably necessary for marketing and relationship purposes, unless you request deletion.

    To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it and the applicable legal requirements.

    If you have any questions about our data retention practices, please contact us at security@flowstate.inc.


    5. Data Disclosure

    We disclose personal data in the following ways:

    Service Providers: We engage selected third-party companies and individuals to perform services on our behalf or complementary to our own. Such service providers may include hosting and server co-location services, communications and content delivery networks, data security services, billing and payment processing services, web and product analytics, email distribution and monitoring services, session or activity recording services, performance measurement, data optimisation and marketing services, and our legal, financial and compliance advisors (collectively, “Service Providers”). Our Service Providers may have access to personal information, depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use the data as determined in our agreements with them.

    Service Integrations: You may choose to use a third-party service to integrate with our Services, for example in order to upload or retrieve personal data to or from the Services, or to enrich the data you have processed on either service. The provider of this integrated third-party service may receive certain relevant data about or from your account on the Services, depending on the nature and purpose of such integration. Note that we do not receive or store your passwords for any of these third-party services.

    Business Customers: Our Customers have access to any personal data we process on their behalf in our capacity as a “processor” or a “service provider.”

    Legal Compliance: We may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations, if we believe in good faith that we are legally compelled to do so, that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud or other wrongdoing, or that such disclosure is required to protect our legitimate business interests.

    Protecting Rights and Safety: We may share personal data with others if we believe in good faith that this will help protect the rights, property or personal safety of Flowstate, any of our Users or Customers, or any members of the general public.

    Business Transfers: Should Flowstate or any of its subsidiaries or affiliates undergo any change in control or ownership, including by means of merger, acquisition or purchase of substantially all or part of its assets, personal data may be shared with or transferred to the parties involved in such an event. We will notify affected individuals of any such transfer. Personal data may also be disclosed in the event of insolvency, bankruptcy or receivership.

    Flowstate does not sell personal data. We do not share personal data with third parties for their own independent marketing or advertising purposes. We may transfer, share or otherwise use non-personal and non-identifiable data at our sole discretion and without the need for further approval.


    6. Sub-Processors

    Flowstate engages a limited number of sub-processors to provide and support the Services. The following sub-processors process Customer Data or personal data on our behalf:

    | Sub-Processor          | Purpose                                                         | Data Location                                         | Customer Control                     |
    |------------------------|-----------------------------------------------------------------|-------------------------------------------------------|--------------------------------------|
    | Google Cloud Platform  | Infrastructure, compute, database, storage and AI/ML processing | Customer’s selected region                            | Region selected at onboarding        |
    | Mailgun (Sinch)        | Transactional email delivery                                    | Regional (aligned to customer region where available) | BYO SMTP available                   |
    | PostHog                | Product analytics                                               | United Kingdom                                        |                                      |
    | Sentry                 | Error monitoring and alerting                                   | European Union                                        |                                      |
    | Hotjar (Contentsquare) | Session analytics (optional)                                    | Ireland (EU)                                          | Can be disabled per customer request |

    We maintain a register of all sub-processors that process Customer Data. The register is updated whenever a new sub-processor is engaged or an existing sub-processor is replaced, and is made available to Customers upon request. Where a Customer requires it, Flowstate will provide prior notice of any changes to its sub-processor list.

    7. Cookies and Analytics

    We and our Service Providers use cookies, pixels and other technologies to enable and improve the Services we provide, to track the performance of our Sites, perform analytics and gain insights on the use of our Services and the performance of our activities.

    Cookies are packets of information sent to your web browser and then sent back by the browser each time it accesses the server that sent the cookie. Some cookies are removed when you close your browser session (“Session Cookies”). Some last for longer periods (“Persistent Cookies”). We use both types.

    The following analytics and monitoring services are used on our platform:

    | Service                | Purpose                                                       | Data Location  | Your Control                         |
    |------------------------|---------------------------------------------------------------|----------------|--------------------------------------|
    | PostHog                | Product analytics: understanding feature usage and user journeys | United Kingdom | Can be disabled on request           |
    | Sentry                 | Error monitoring: detecting and diagnosing technical issues   | European Union | Essential for service reliability    |
    | Hotjar (Contentsquare) | Session analytics: understanding user interactions (optional) | Ireland (EU)   | Can be disabled per customer request |

    We do not use advertising cookies or third-party advertising tracking technologies. We do not sell your personal data or share it with third parties for their own marketing purposes.

    Some cookies are necessary for the Services to function properly and cannot be declined or disabled unless you delete and block them through your web browser settings. Other cookies, which are used for functional, performance and analytics purposes, are optional. You can manage your cookie preferences and accept, remove or entirely block cookies through your browser settings.

    8. Artificial Intelligence

    Flowstate utilises artificial intelligence and machine learning capabilities (powered by Google Cloud Vertex AI) to provide enhanced platform features, including predictive analytics, scenario modelling and workforce planning optimisation.

    When AI features are used, the following commitments apply:

    •   Processing occurs within the Customer’s broader geographic area, using a Vertex AI endpoint within the same continent as the Customer’s selected data region.

    •   No Customer Data is persisted by the AI processing service. Data is retained only for the duration of the individual request and is discarded upon completion.

    •   Customer Data is not used to train Flowstate’s AI or machine learning models. This commitment is reflected in our Data Processing Addendum.

    •   Input validation and output sanitisation controls are applied to AI service interactions to prevent prompt injection, data leakage and other AI-specific attack vectors.

    •   AI and machine learning services are subject to the same security controls as all other platform components, including encryption in transit and at rest, access control, logging and monitoring.

    9. Communications

    We engage in service and promotional communications through email, phone, SMS and notifications.

    Service Communications: We may contact you with important information regarding our Services, such as notifications of changes or updates to our Services, billing issues, login attempts or password reset notices. If you are registered as a User, you can typically control your communications and notifications settings from your profile settings. Please note that you will not be able to opt out of receiving certain service communications which are integral to your use.

    Promotional Communications: We may also notify you about new features, additional offerings, events, special opportunities or any other information we think you will find valuable. If you do not wish to receive such promotional communications, you may notify Flowstate at any time by sending an email to security@flowstate.inc, changing your communications preferences in your profile settings, or by following the “unsubscribe” or “opt-out” instructions contained in the promotional communications you receive.


    10. Data Security

    We implement systems, applications and procedures designed to secure your personal data, to minimise the risks of theft, damage, loss of information, or unauthorised access or use of information. These measures include:

    •   Encryption in transit (TLS 1.2 or higher, with TLS 1.3 preferred) and at rest (AES-256)

    •   Strict access controls based on the principle of least privilege, with mandatory multi-factor authentication for all platform and staff access

    •   Privileged access management through designated jump hosts, with all privileged sessions logged and recorded

    •   Network segmentation and Virtual Private Cloud (VPC) isolation for all databases and caching infrastructure

    •   Continuous monitoring, logging and alerting across all platform layers

    •   Regular vulnerability assessments and annual penetration testing by qualified third-party firms

    •   Endpoint detection and response (EDR) on all employee devices, with full-disk encryption

    •   Employee security awareness training programme

    Flowstate’s security controls are aligned with ISO/IEC 27001:2022 and SOC 2 Type II (Trust Services Criteria), with formal certification planned for 2026. Full details of our security controls are set out in our Information Security Policy, which is available to Customers and prospective Customers under NDA.

    Flowstate maintains appropriate cyber liability and professional indemnity insurance coverage commensurate with the nature and scale of its operations. Coverage levels are reviewed annually.

    However, we cannot guarantee that our Sites or Services will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.


    11. Data Subject Rights

    Individuals have rights concerning their personal data. Please contact us at security@flowstate.inc if you wish to exercise your privacy rights under any applicable law, including the EU or UK General Data Protection Regulation (GDPR), the Brazilian Data Protection Act (LGPD), the California Consumer Privacy Act (CCPA), or the Swiss Federal Act on Data Protection (FADP).

    Such rights may include, to the extent applicable:

    •   The right to know and request access to specific pieces of personal data collected, categories of personal data collected, categories of sources, purpose of collection, and categories of third parties with whom we have shared personal data

    •   The right to request rectification or erasure of your personal data held by Flowstate

    •   The right to restrict or object to processing of your personal data, including the right to direct us not to sell or share your personal data

    •   The right to data portability

    •   Rights related to automated decision-making and profiling

    •   The right to equal services and prices (freedom from discrimination)

    You may also designate an authorised agent, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf.

    Please note that we may need to verify your identity before processing your request, to avoid disclosure of personal data to unauthorised parties.

    If your personal data has been uploaded to Flowstate by your employer as part of their workforce planning activities, please direct your request to your employer in the first instance, as they are the data controller for that data.


    12. Data Controller/Processor

    Certain data protection laws typically distinguish between two main roles for parties processing personal data: the “data controller”, who determines the purposes and means of processing; and the “data processor”, who processes the data on behalf of the data controller.

    Flowstate is the data controller of Prospect Data and processes such data in accordance with this Privacy Policy.

    Flowstate is the data processor of Customer Data, which we process on behalf of our Customer (who is the data controller of such data), in accordance with our Data Processing Addendum.

    Flowstate is both a data controller and data processor of User Data, processing such data for its own purposes as described in this Privacy Policy, while certain portions included in Customer Data are processed on our Customer’s behalf.


    13. Opt-Out of Sale/Sharing

    Flowstate does not sell personal data. We do not share personal data with third parties for their own independent marketing, advertising or commercial purposes. Accordingly, there is no need to opt out of any sale or sharing of personal data.

    If the law in your jurisdiction requires us to provide a “Do Not Sell or Share My Personal Information” mechanism, please contact us at security@flowstate.inc and we will process your request in accordance with applicable law.


    14. Additional Notices & Contact Details

    Updates and Amendments: We may update and amend this Privacy Policy from time to time by posting an amended version on our Services. The amended version will be effective as of the date it is published. We will provide prior notice if we believe that the changes involved materially alter your rights, via any of the communication means available to us or via the Services. After such notice period, all amendments shall be deemed accepted by you.

    External Links: While our Services may contain links to other websites or services, we are not responsible for their privacy practices. We encourage you to pay attention when you leave our Services for the website or application of such third parties, and to read the privacy policies of each and every website and service you visit. This Privacy Policy applies only to our Services.

    Children: Our Services are not designed to attract children under the age of 16. We do not knowingly collect personal data from children and do not wish to do so. If we learn that a person under the age of 16 is using the Services, we will attempt to prohibit and block such use and will make our best efforts to promptly delete any personal data stored with us with regard to such child. If you believe that we might have any such data, please contact us at security@flowstate.inc.

    Complaints: If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the relevant authority is the Information Commissioner’s Office (ICO) at ico.org.uk. If you are located in the European Economic Area, you may also contact your local data protection authority.

    Contact: If you have any comments or questions regarding this Privacy Policy, or if you have any concerns regarding your privacy, please contact us at security@flowstate.inc.

     

    Email: security@flowstate.inc

    Legal Entity: Joana Technologies Limited

    Website: flowstate.inc

Enter the future of dynamic workforce planning

Experience a single source of truth for engineering workforce decision making.
