Privacy Policy

1. Introduction

This Privacy Policy explains how Solentis Ltd (“Solentis”, “we”, “us”, “our”) processes personal information when you use SupportFlow (our “Services”), including:

• Our website at support-flow.io;
• Our iOS application;
• Features that connect to WhatsApp and other Meta platforms to provide customer messaging, automation, and related tools.

Solentis is the data controller for personal information described in this policy (except where we act as a processor on behalf of a business customer—see section 3).

We respect your privacy and process personal information in line with applicable law, including the UK GDPR, the EU GDPR (where applicable), and US state privacy laws (where applicable).

2. Who we are

Privacy contact: privacy@support-flow.io

For questions about this policy or your personal information, use the email above.

3. Roles: controller and processor

• When you use our Services as an individual (for example, you contact us, use a demo, or your data is processed in connection with our public website or app), Solentis is generally the controller of your personal information.
• When a business uses SupportFlow to message its customers via WhatsApp, that business often decides why and how end-customer data is processed for its own purposes. In those cases the business may be the controller and Solentis may act as a processor, following the business’s instructions and our agreement with them. That business’s privacy notice should also apply to the end-customer.

This policy focuses on processing for which Solentis is the controller. Where we are a processor, our customer’s terms and data processing terms govern our obligations to them.

4. Information we collect

We may collect the following categories of information, depending on how you use the Services.

4.1 Account and identity

• Name, email address, phone number
• Business name and role (where relevant)
• Login credentials (we do not store passwords in plain text)

4.2 Service and communications data

• Messages and content you send to us (including support enquiries)
• Records of your use of the Services (for example, configuration, preferences, and integration settings you choose)

4.3 Meta / WhatsApp “Platform Data”

When you connect WhatsApp or other Meta products, we may receive Platform Data from Meta, which can include:

• WhatsApp business phone identifiers, message delivery metadata (for example timestamps, message IDs), and message content as needed to provide the Services you configure
• Technical tokens and identifiers required to operate the integration securely (handled under strict access controls)

We use this information only to provide the Services and as described in this policy, in line with Meta’s applicable terms and policies.

4.4 Technical and usage data

• IP address, device type, operating system, app version, browser type
• Log data (for example access times, error diagnostics, security events)
• Aggregated or de-identified usage statistics where appropriate

4.5 Payment data

Payments may be processed by payment service providers. We do not store full payment card numbers on our servers; our provider handles card data according to their terms and PCI standards.

4.6 Cookies and similar technologies

Our website may use cookies and similar technologies for essential operation, security, preferences, and analytics (where enabled). You can control non-essential cookies through your browser settings and any cookie banner we provide.

5. Legal bases (UK and EEA)

Where UK GDPR / EU GDPR applies, we rely on one or more of the following legal bases:

Special category data: We do not intend to collect special category data. If you voluntarily send us such information, we will process it only where the law allows and as needed to handle your request.

6. How we use personal information

We use personal information to:

• Provide, operate, maintain, and secure the Services
• Connect and maintain WhatsApp / Meta integrations you enable
• Process payments and fulfil contractual obligations
• Communicate with you about service updates, security, and support
• Improve and develop features (including quality and reliability), using data minimisation where possible
• Comply with law and enforce our terms
• Respond to lawful requests from public authorities in accordance with section 12

We do not sell your personal information in the conventional sense of selling lists for money.

7. Sharing and disclosure

We may share personal information with:

7.1 Service providers (processors)

We use trusted service providers who process information on our instructions, for example:

• Cloud hosting and infrastructure (for example, storage and databases)
• Payment processing
• AI and machine-learning providers (where features you use involve AI), subject to contractual and technical controls
• Email and operational tooling
• Security and monitoring tools

We require these providers to protect information and use it only for the services they provide to us.

7.2 Meta / WhatsApp

Operation of WhatsApp features involves data flows through Meta’s systems as defined by Meta’s terms. We process Platform Data in accordance with Meta’s applicable platform terms and this policy.

7.3 Professional advisers

We may share information with lawyers, accountants, or insurers where necessary and subject to confidentiality.

7.4 Business transfers

If we are involved in a merger, acquisition, or asset sale, personal information may be transferred as part of that transaction. We will provide notice where required by law.

7.5 Legal and safety

We may disclose information if we believe in good faith that disclosure is necessary to: comply with the law; respond to valid legal process; protect the rights, safety, or property of Solentis, our users, or others; or detect and prevent fraud or abuse.

8. International transfers

Solentis is based in the United Kingdom. Our service providers may process data in the UK, the EEA, the United States, and other countries where they operate.

Where personal information is transferred from the UK or EEA to countries that have not been recognised as providing an adequate level of protection, we implement appropriate safeguards, such as:

• Standard contractual clauses approved by the relevant authorities (including UK Addendum or international data transfer agreement where applicable), or
• Other lawful transfer mechanisms recognised under applicable law.

You may contact us for more information about transfers and safeguards.

9. Retention

We retain personal information only for as long as necessary for the purposes described in this policy, including:

• Account data: for the life of the account and a reasonable period afterwards (for example, to resolve disputes or meet legal requirements)
• Logs and security records: typically for a limited period required for security and troubleshooting
• Messaging-related data: according to service functionality, your settings (where available), and legal obligations

When retention is no longer needed, we delete or anonymise information where feasible.

10. Security

We implement appropriate technical and organisational measures designed to protect personal information against unauthorised access, loss, or alteration. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your account credentials.

11. Your rights

Depending on your location, you may have rights including:

• Access to your personal information
• Correction of inaccurate information
• Erasure in certain circumstances
• Restriction or objection to certain processing
• Data portability where applicable
• Withdrawal of consent where processing is consent-based
• Complaint to a supervisory authority

11.1 UK and EEA

• UK: You may lodge a complaint with the Information Commissioner’s Office (ICO) — ico.org.uk.
• EEA: You may contact your local data protection authority.

To exercise your rights, email privacy@support-flow.io. We may need to verify your identity before responding.

11.2 United States (see also Schedule A)

Residents of certain US states (including California) may have additional rights as described in Schedule A below.

12. Requests from public authorities

Where we receive requests from public authorities for personal information, we:

• Review requests for legal validity and scope before disclosure where practicable
• Challenge requests we reasonably consider unlawful or overbroad
• Apply data minimisation, disclosing only what is necessary and proportionate
• Document requests and our responses, including the basis for disclosure and responsible internal roles, where appropriate and consistent with law

Nothing in this section is intended to conflict with applicable law.

13. Automated processing and AI

Some features may use automated processing or AI to assist with routing, drafting, or analysis. We do not use solely automated decisions that produce legal or similarly significant effects about you without appropriate human oversight and rights as required by law. If that changes, we will update this policy and provide further information as required.

14. Children

Our Services are not directed at children under 13 (or the higher age required in your jurisdiction for valid consent). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.

15. Third-party links

Our Services may link to third-party websites or services. We are not responsible for their privacy practices. Please read their privacy policies.

16. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. For material changes, we will provide additional notice where required by law (for example, by email or in-app notice).

17. Contact

Solentis Ltd (SupportFlow)
Email: privacy@support-flow.io