Last updated: March 2026
1. Information We Collect
Flowstate Mortgage, LLC ("FlowState," "we," "our," or "us") collects information you provide directly to us, such as when you:
- Create an account or use our CRM platform
- Request a demo or contact us
- Use our ROI calculator or other tools
- Participate in our referral program
- Subscribe to our newsletter or marketing communications
- Process payments or billing information
Types of Information:
- Contact Information: Name, email address, phone number, company name, job title
- Business Information: Loan volumes, team size, company details, mortgage processing data
- Account Information: Username, password, preferences, subscription details
- Payment Information: Billing address, payment method details (processed securely through third-party providers)
- Usage Data: How you interact with our platform, features used, time spent
- Technical Data: IP address, browser type, device information, cookies
Connected Account Data:
When you choose to connect a third-party account to FlowState (a "Connected Account"), we access and may store additional data from that service. Connecting a third-party account is entirely voluntary and user-initiated. The categories of Connected Account data we access depend on the integration and may include:
- Email Data: Email messages and associated metadata, including sender and recipient information, subject lines, message content, timestamps, and attachments
- Calendar Data: Calendar events, meeting details, attendees, scheduling information, and event metadata
- Contact Data: Contact information associated with your Connected Account that relates to your use of the Service
We apply the principle of minimum necessary access: FlowState requests only the permissions required to deliver the specific features you use. We store the data elements necessary to provide Service features. The specific data elements stored may evolve as we develop and improve the Service. Currently supported Connected Accounts include Microsoft Outlook (email and calendar). Additional integrations (including Google Workspace) may be added over time.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our CRM platform and services
- Process transactions and send related information
- Send technical notices, updates, security alerts, and support messages
- Respond to your comments, questions, and customer service requests
- Communicate about products, services, offers, and events
- Monitor and analyze trends, usage, and activities
- Detect, investigate, and prevent fraudulent transactions and other illegal activities
- Personalize and improve your experience
- Facilitate referrals and reward programs
Connected Account Data Uses:
In addition to the general purposes above, we use data from Connected Accounts for purposes including:
- Surfacing relevant client communications within the CRM
- Sending emails on your behalf when you compose messages in FlowState
- Syncing and managing calendar events related to your lending workflow
- Automating workflows and reducing manual data entry
- Generating insights, recommendations, and intelligence about your pipeline
- Improving product performance, features, and user experience
- Building aggregate analytics and product intelligence
3. What We Do Not Do With Your Data
FlowState commits to the following prohibitions with respect to your data, including all data obtained through Connected Accounts:
- No sale of data: We will never sell, rent, lease, or trade your personal information or Connected Account data to any third party, for any purpose, under any circumstances
- No advertising use: We will not use your email content, calendar data, or any Connected Account data to serve, target, or personalize advertisements — either within FlowState or on any third-party platform
- No third-party AI/ML training: We will not provide, license, or otherwise make available your data to any third party for the purpose of training artificial intelligence or machine learning models
- No data broker sharing: We will not share your data with data brokers, information resellers, or any entity whose primary business is the aggregation and sale of personal information
- No undisclosed profiling: We will not create behavioral profiles about you using Connected Account data for purposes unrelated to providing the Service
- No cross-customer data exposure: Your Connected Account data is logically isolated from other customers' data. One customer's data is never accessible to or shared with another customer
These commitments apply regardless of whether you are a free trial user, a paid subscriber, or a former customer. They survive termination of your account.
4. Automated Processing and AI Features
FlowState uses automated processing, including machine learning and artificial intelligence technologies, to provide certain Service features. This section describes how these technologies interact with your data.
How We Use AI/ML:
- Pipeline intelligence: Analyzing communication patterns and calendar activity to generate insights about your lending pipeline, such as deal likelihood and recommended follow-up actions
- Workflow automation: Automatically categorizing, tagging, or routing information within your CRM to reduce manual data entry
- Smart suggestions: Providing contextual recommendations for client communications and scheduling based on historical patterns
Scope and Limitations:
- AI/ML features operate only on your own data within your FlowState account. Your individual Connected Account data is never combined with another customer's data for AI/ML processing
- We may use aggregated, de-identified data (which cannot identify any individual) to improve our AI/ML models and overall product performance
- We do not use Connected Account data to train general-purpose AI models or any models intended for use outside of the FlowState Service
- Automated processing does not replace human decision-making for any consequential actions — FlowState provides recommendations and insights, but you retain full control over all decisions and actions taken through the Service
Third-Party AI Providers:
Where FlowState uses third-party AI service providers to deliver features, those providers process data solely on our behalf and under contractual obligations that prohibit them from using your data for their own purposes, including training their own models. These providers are listed in our sub-processor directory (see Section 5).
5. Information Sharing and Disclosure
We may share your information in the following circumstances:
- Service Providers: Third-party vendors who perform services on our behalf, bound by contractual obligations to protect your data and use it only as directed by us
- Business Transfers: In connection with mergers, acquisitions, or asset sales, provided the acquiring entity agrees to be bound by this Privacy Policy with respect to data collected prior to the transfer
- Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request
- Consent: With your explicit consent for specific purposes
- Connected Accounts: When you connect a third-party account, data flows bidirectionally — FlowState reads data from your Connected Account and may write data (such as sending emails or creating calendar events) on your behalf. This data sharing is initiated and controlled by you through the permissions you grant
Sub-Processors:
We work with the following sub-processors who may process your data on our behalf:
- Microsoft Corporation (Redmond, WA): Connected Account provider for email and calendar integration via Microsoft Graph API
- Auth0 / Okta, Inc. (San Francisco, CA): Identity verification and access management
- Vercel Inc. (San Francisco, CA): Application hosting and content delivery
- PostHog Inc. (San Francisco, CA): Product analytics and performance monitoring
- Datadog, Inc. (New York, NY): Application performance monitoring and error tracking
We will notify customers at least thirty (30) days in advance before adding a new sub-processor that will process Connected Account data, via email to the account administrator. If you object to a new sub-processor, you may disconnect the affected Connected Account before the sub-processor begins processing your data. A current, complete list of sub-processors and a Data Processing Agreement are available upon request at privacy@flowstate.mortgage.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- 256-bit TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Security practices built on SOC 2 frameworks, with formal certification in progress
- Regular security audits and penetration testing
- Role-based access controls and the principle of least privilege
- Employee security training and background checks
- Secure data centers with physical security measures and redundancy
- Automated vulnerability scanning and dependency monitoring
- OAuth 2.0 token management with encrypted token storage and automatic refresh
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.
7. Data Breach Notification
In the event of a confirmed security breach that results in unauthorized access to, or acquisition of, your personal information or Connected Account data, FlowState will:
- Notify affected users within seventy-two (72) hours of confirming the breach, via email to the address associated with your account
- Describe the nature of the breach, including the categories and approximate number of records affected
- Identify the data involved, including whether Connected Account data (email, calendar, or contact data) was affected
- Describe the measures taken to address the breach and mitigate its effects, including steps to prevent recurrence
- Provide a point of contact for additional information and assistance
- Recommend protective steps you can take, such as changing passwords, revoking Connected Account access, or monitoring for suspicious activity
We will also notify applicable regulatory authorities as required by GDPR, CCPA, and other applicable data protection laws within the timeframes those laws require. Where a breach involves Connected Account data accessed via a third-party API (such as Microsoft Graph), we will coordinate notification with the relevant platform provider.
8. Data Retention
We retain your information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Account data is typically retained for the duration of your subscription plus 7 years for business records.
Connected Account Data Retention:
Data from Connected Accounts is retained according to the following schedule:
- While connected: Data is retained for as long as the Connected Account remains linked to your FlowState account
- On disconnect: Stored data from the Connected Account is deleted within thirty (30) calendar days of disconnection
- On account termination: All Connected Accounts are automatically disconnected and the same thirty (30) day deletion timeline applies
- Aggregated and de-identified data: Retained indefinitely, as it cannot reasonably be used to identify any individual
- Backup copies: May persist for up to ninety (90) days following deletion
- Legal and compliance holds: Data may be retained beyond these periods as required by applicable law or regulation
Deletion Confirmation:
Upon request, FlowState will provide written confirmation that Connected Account data has been deleted in accordance with this policy. Confirmation requests may be sent to privacy@flowstate.mortgage.
9. Your Rights and Choices
Depending on your location, you may have the following rights:
- Access: Request access to your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your information
- Portability: Request a copy of your data in a portable, machine-readable format (such as JSON or CSV)
- Opt-out: Unsubscribe from marketing communications
- Restrict Processing: Request limitation of processing in certain circumstances
- Object to Automated Processing: Request human review of decisions made solely by automated means that significantly affect you
- Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing
Connected Account Rights:
In addition to the rights above, you have the following rights specific to Connected Accounts:
- Disconnect: You may disconnect any Connected Account at any time through your FlowState account settings. Disconnection immediately stops new data access from that account
- Export Before Deletion: Before disconnecting a Connected Account, you may request an export of the data FlowState has stored from that Connected Account. Export requests will be fulfilled within fifteen (15) business days in a machine-readable format
- Connected Account Data Deletion: Upon disconnection, stored data from that Connected Account will be deleted within thirty (30) calendar days. You may also request deletion of Connected Account data independently of disconnecting or deleting your full FlowState account
- Revoke at Source: You may also revoke FlowState's access directly through the third-party provider (e.g., through your Microsoft account security settings at account.microsoft.com/privacy), which will prevent further data access
Please note that aggregated and de-identified data derived from Connected Account data is not subject to deletion requests, as it cannot reasonably be used to identify any individual.
Response Timelines:
We will acknowledge receipt of any data subject request within five (5) business days and provide a substantive response within thirty (30) calendar days. If we require additional time due to the complexity or volume of the request, we will notify you within the initial thirty-day period and may extend the response period by an additional sixty (60) calendar days, for a maximum of ninety (90) calendar days total.
To exercise any of these rights, contact our Privacy Team at privacy@flowstate.mortgage.
10. Cookies and Tracking
We use cookies and similar technologies to enhance your experience. See our Cookie Policy for detailed information about our use of cookies and your choices.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses approved by relevant authorities. FlowState's primary data processing occurs in the United States. Where data is transferred outside the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms.
12. Aggregated and De-Identified Data
We may create aggregated, de-identified data derived from your use of the Service, including from Connected Account data. "De-identified" means data that has been processed such that it cannot reasonably be used — alone or in combination with other data — to identify you or any individual. We apply technical safeguards (such as data aggregation thresholds and k-anonymity techniques) to prevent re-identification.
We may use de-identified data for any lawful business purpose, including product improvement, analytics, benchmarking, research, developing new features, and building product intelligence. This data is not considered personal information and is not subject to access, correction, or deletion requests. We may retain aggregated and de-identified data indefinitely, including after you disconnect a Connected Account or terminate your FlowState account.
13. Platform-Specific Disclosures
Certain Connected Account providers impose additional requirements on how their users' data may be accessed and used. This section provides platform-specific disclosures to meet those requirements.
Microsoft Outlook (Microsoft Graph API):
FlowState's use of Microsoft user data, accessed via the Microsoft Graph API, complies with the Microsoft Identity Platform Terms of Use and Microsoft's Publisher Verification requirements. Specifically:
- FlowState requests only the Microsoft Graph permissions necessary to deliver the features you use (Mail.Read, Mail.Send, Calendars.ReadWrite)
- Microsoft user data is used solely to provide FlowState CRM features to you and is not used for any independent purpose
- Microsoft user data is not used to serve advertisements or for any advertising-related purpose
- Microsoft user data is not sold, leased, or provided to any data broker
- Microsoft user data is not used to train artificial intelligence or machine learning models that are made available to third parties
- You may revoke FlowState's access to your Microsoft account at any time through your FlowState account settings or directly through your Microsoft account at account.microsoft.com/privacy
Google Workspace (Google API Services):
When Google Workspace integration becomes available, FlowState's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- FlowState will only use access to Google user data to provide and improve user-facing features that are prominent in the FlowState application's user interface
- FlowState will not transfer Google user data to third parties unless necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or asset sale with notice to users
- FlowState will not use Google user data for serving advertisements
- FlowState will not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes or to comply with applicable law, or the data is aggregated and de-identified for internal operations
14. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — particularly those affecting how we use Connected Account data — we will notify you by email at least thirty (30) days before the changes take effect, in addition to posting the updated policy on this page. If you do not agree with the revised policy, you may disconnect your Connected Accounts and close your account before the changes take effect.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
Privacy Team: privacy@flowstate.mortgage
General Support: support@flowstate.mortgage
Mailing Address: Flowstate Mortgage, LLC, 3839 McKinney Ave, Suite 155, Dallas, TX 75219
If you are located in the European Economic Area and believe we have not adequately resolved your data protection concern, you have the right to lodge a complaint with your local data protection supervisory authority.