Privacy Policy
Last updated: 9 May 2026
1. Data Controller
This Privacy Policy describes how SMFlow Ltd ("SMFlow", "we", "our", "us"), a company registered in England and Wales, collects, uses, and protects your personal data when you use the SMFlow platform at smflow.io ("the Service").
SMFlow Ltd
5 Brayford Square, London, E1 0SG, United Kingdom
Company No. 17161173 (registered in England and Wales)
Email: privacy@smflow.io
We are registered with the Information Commissioner's Office (ICO) in the United Kingdom under registration reference ZC138179, and the Service is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who This Policy Applies To
Business Operators ("Users"): Individuals and businesses who register for and use SMFlow to manage customer communications.
End Customers: Individuals who interact with a business via the SMFlow-powered chat widget or messaging channels. If you are an end customer, the business you are communicating with is the data controller for your messages. SMFlow processes that data on the business's behalf as a data processor.
Business responsibility: Businesses using SMFlow are responsible for ensuring they have a valid legal basis under applicable data protection law for processing their customers' personal data, and for providing any required notice or consent to those customers.
3. Data We Collect
Account & Business Information: Name, email address, password (hashed), business name, business type, description, services, working hours, location, and other business details you provide during onboarding or in settings.
Messaging & Conversation Data: Messages exchanged between your customers and your AI-powered bot across the channels you connect (currently the website widget and Telegram; WhatsApp, Instagram, and Facebook Messenger via Meta Platforms are being added), including message content, timestamps, channel identifiers (such as Telegram user IDs, webchat session identifiers, and the platform-scoped IDs assigned by Meta for WhatsApp/Instagram/Messenger), customer names, phone numbers, and email addresses where provided.
Booking Data: Appointment details including customer name, email, phone number, service type, date and time, and any notes provided during the booking process.
Channel Credentials: Telegram bot tokens, and — for channels provided via Meta Platforms (WhatsApp, Instagram, and Facebook Messenger), as these are added — the access tokens and page/account identifiers you authorise, along with any other API credentials you provide to connect messaging channels. These are stored encrypted and used exclusively to operate the Service on your behalf.
Usage & Technical Data: Log data, IP addresses, browser type, device information, pages visited, features used, and message volume statistics.
Payment Data: Billing information is collected and processed by Stripe, our Merchant of Record. We do not store your full payment card details. We receive transaction confirmations and subscription status from Stripe.
Communications: Any emails or messages you send to us for support or other purposes.
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR Article 6:
- Contract performance: Processing necessary to provide the Service you have signed up for, including account management, AI response processing, and booking management.
- Legitimate interests: Improving the Service, ensuring platform security, fraud prevention, and communicating relevant updates. We balance these interests against your rights.
- Legal obligation: Where processing is required to comply with applicable law.
- Consent: Where we have obtained your explicit consent, such as for optional marketing communications.
5. How We Use Your Data
- Providing, operating, and maintaining the SMFlow platform
- Processing customer messages using AI and generating automated responses on your behalf
- Managing appointment bookings and sending confirmation emails to your customers
- Sending you notifications about customer interactions, bookings, and handoff requests
- Managing your subscription and processing payments
- Providing customer support
- Detecting and preventing fraud, abuse, and security incidents
- Improving and developing the Service
- Complying with legal obligations
We do not use your business data or customer conversations to train our own AI models. We do not sell your data to third parties.
6. AI Processing
Customer messages are sent to a third-party AI provider in real time for response generation. The AI provider acts as a data processor under contractual terms that prohibit using submitted data to train models. We primarily use Google (United States); see Google's Privacy Policy. OpenAI (United States) is configured as an alternate provider used when our primary provider is unavailable; see OpenAI's Privacy Policy. We may change AI providers from time to time, in which case the current provider will be reflected in the subprocessor list below.
Because our AI providers are based in the United States, AI processing may involve the transfer of personal data outside the United Kingdom and European Economic Area (EEA). Such transfers are made under the safeguards described in Section 8 (International Data Transfers).
AI-generated responses may occasionally be inaccurate or incomplete. You and your customers should not rely on AI output for decisions that require professional advice, and important details such as pricing, availability, and bookings should be verified with the business directly.
7. Third-Party Service Providers
We share data with trusted third-party providers solely for the purpose of delivering the Service:
- Google (USA) — Primary AI message processing and Google Calendar integration (where enabled)
- OpenAI (USA) — Alternate AI message processing when the primary provider is unavailable
- Supabase (EU region) — Database hosting and authentication
- Vercel (USA/EU) — Application hosting and delivery
- Resend (USA) — Transactional email delivery
- Meta Platforms, Inc. (USA) — Message delivery for the WhatsApp, Instagram, and Facebook Messenger channels (being added), where you connect them; see Meta's Privacy Policy
- Connected messaging platforms — Message delivery via the other channels you connect (currently Telegram and the website widget)
- Stripe (USA) — Subscription billing and payment processing as Merchant of Record
Each provider operates under its own privacy policy and appropriate data processing agreements where required. This list reflects our current subprocessors. We may update this list from time to time as our service stack evolves. For material changes (for example, introducing a new category of subprocessor) we will, where reasonably possible, provide notice through the platform or by email. Routine changes (such as infrastructure region updates) will be reflected on this page without individual notification.
Note on Stripe: Unlike the other providers above (which act as processors on our behalf), Stripe is our Merchant of Record and the seller of record for your transaction. Stripe acts as a separate data controller for the billing and payment data we share with them (your name, email, billing address, and order details), to operate the checkout, calculate and remit VAT/sales tax, prevent fraud, and meet their own legal and tax obligations. Stripe's handling of that data is governed by Stripe's Privacy Policy.
8. International Data Transfers
Some of our service providers are located outside the UK and European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the relevant authority, adequacy decisions, or other lawful transfer mechanisms under UK GDPR.
9. Data Storage & Security
We follow industry-standard security practices to protect personal data. Your data is stored on servers operated by Supabase (hosted on AWS in EU regions). We implement appropriate technical and organisational security measures including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest for sensitive credentials
- Row-level security controls on our database
- Access controls limiting employee access to personal data
- Regular security reviews
No method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify affected users and the ICO as required by applicable law.
10. Data Retention
We retain your personal data for as long as your account is active or as necessary to provide the Service. Specifically:
- Account and business data: retained for the duration of your account and deleted within 90 days of account closure (subject to retention required for fraud prevention, billing reconciliation, or legal obligations under Section 11)
- Conversation and message data: retained for the duration of your account, unless you request earlier deletion via Settings → Privacy & Data. Where reasonably necessary for the operation of the Service, we periodically remove older messages and may shorten this retention in future updates to this policy
- Billing records: retained for 7 years to comply with financial and tax regulations
- Support communications: retained for up to 2 years
11. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data in certain circumstances
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Rights related to automated decision-making: Not be subject to solely automated decisions that significantly affect you
To exercise any of these rights, contact us at privacy@smflow.io. We will respond within one month of receiving your request, as required by UK GDPR. Where a request is complex or where we receive multiple requests from you, we may extend this period by up to a further two months and will inform you of any such extension within the first month. We may need to verify your identity before processing your request.
Self-service: Account holders can exercise their right of access, data portability, and erasure directly from Settings → Privacy & Data. The Export button downloads a complete JSON snapshot of your account; the Delete button permanently removes your account and all associated data. For step-by-step deletion instructions — including how end customers can request deletion of their messages — see our Data Deletion Instructions.
12. Cookies
We use the following types of cookies:
- Essential / Authentication cookies: Required for you to log in and use the Service. These cannot be disabled without breaking core functionality.
- Preference cookies: Remember your language and display preferences.
We do not currently use tracking or advertising cookies, and we do not use third-party cookies for advertising purposes. If we introduce privacy-friendly analytics in the future (for example, aggregated, non-identifying usage metrics), we will update this policy and, where required, request your consent.
When you use an SMFlow-powered chat widget on a business's website, we store a session identifier in your browser's local storage so we can keep your conversation going across page reloads. You can clear this at any time using "Start a new conversation" inside the widget.
13. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly. If you believe we have inadvertently collected data from a child, please contact us at privacy@smflow.io.
14. Links to Third-Party Sites
The Service may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes that significantly affect how we process your personal data, we will provide reasonable advance notice through the platform or by email. Routine updates (such as changes to subprocessors or wording clarifications) will be reflected on this page without individual notification.
16. Complaints
If you have concerns about how we handle your personal data, please contact us first at privacy@smflow.io. If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.