This policy explains how we collect, use, and protect your data when you use LocalFlow's automated front desk service.
1. Who We Are
LocalFlow is an AI-powered automated front desk service for UK local businesses. It automatically responds to customer enquiries via WhatsApp and email.
For any privacy-related questions, contact us at: localflow@polsia.app
2. Information We Collect
Business information (from onboarding):
- Business name and type (e.g. barber, salon, personal trainer)
- Services offered and pricing
- Opening hours and booking method
- Business owner name and contact email
- WhatsApp Business phone number (if provided)
Customer enquiry data:
- Messages sent to your business via WhatsApp or email
- Sender contact details (phone number or email address) as provided by the messaging platform
- Message content and timestamps
- Classification of enquiry type (e.g. booking, question, complaint)
Payment information:
- Payment processing is handled entirely by Stripe. We do not store your card number, CVV, or banking details. We receive only confirmation of payment status and a subscription reference ID from Stripe.
Usage data:
- Enquiry volume and response statistics for your dashboard
- Service activity logs for reliability and debugging
3. How We Use Your Information
- Providing the service: Business information is used to train your AI auto-responder to answer questions accurately and in your business's tone.
- Automated replies: Customer enquiry content is processed by our AI (OpenAI) to generate personalised replies on your behalf.
- Billing: We use Stripe to process your £29/month subscription. Stripe's privacy policy applies to payment data.
- Service emails: We send onboarding confirmations, performance summaries, and important service updates to your registered email address.
- Analytics: Aggregated, anonymised usage data helps us improve the service.
4. WhatsApp Messaging
LocalFlow integrates with the Meta Business Platform to send and receive messages via WhatsApp Business. Instagram Direct Message integration is in development.
When a customer messages your business:
- Their message is received through the Meta Webhooks API
- The message content is sent to our AI (OpenAI) to generate a reply
- The reply is sent back through the Meta API on your behalf
- The conversation is logged in our system for your records
We do not use customer messages for any purpose other than generating replies on behalf of your business. We do not sell, share, or use message content for advertising.
Your use of WhatsApp Business through LocalFlow is subject to WhatsApp's Business Policy and Meta's Privacy Policy.
5. Third-Party Services
We work with the following third-party processors:
- OpenAI: Processes message content to generate AI replies. Subject to OpenAI's Privacy Policy.
- Stripe: Handles subscription payment processing. Subject to Stripe's Privacy Policy.
- Meta (WhatsApp): Delivers messages via the Business Platform API. Subject to Meta's Privacy Policy.
- Render: Cloud hosting for our application. Data is stored in the UK/EU region.
- Neon / PostgreSQL: Database provider for storing business and enquiry data.
6. Data Retention
- Business profile data is retained for the duration of your subscription and deleted within 90 days of account closure.
- Customer enquiry logs are retained for 12 months to provide analytics and improve your AI responder.
- Payment records are retained as required by UK financial regulations (typically 7 years).
7. Your Rights (UK GDPR)
As a UK-based service, we comply with the UK GDPR. You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention obligations)
- Object to or restrict processing in certain circumstances
- Receive your data in a machine-readable format (data portability)
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, email localflow@polsia.app.
8. Security
We take data security seriously. All data is transmitted over HTTPS. OAuth tokens and sensitive credentials are encrypted at rest using AES-256 encryption. Access to production data is restricted to authorised personnel only.
9. Cookies
Our website uses minimal, functional cookies only. We do not use advertising or tracking cookies.
10. Changes to This Policy
We may update this policy from time to time. We'll notify you of significant changes by email. The "last updated" date at the top of this page always reflects the current version.