Floa Logo

Privacy Policy

Last updated: January 9, 2026

1) Who We Are

Floa Software Solutions Ltd ("Floa," "we," "us," or "our") is a company registered in England and Wales (Company No. 16376075) with registered offices at 167–169 Great Portland Street, London, England, W1W 5PF.
Email: privacy@getfloa.com

For most activities described in this policy, Floa is the data controller. When we process personal data on behalf of our customers inside the Floa platform (e.g., their end-user lists, campaign data, course participants), we act as a data processor under our Data Processing Addendum (DPA) with those customers.

  • UK law: Data Protection Act 2018 and UK GDPR
  • EEA law (where applicable): EU GDPR
  • California (where applicable): CCPA/CPRA

2) Scope & Definitions

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you:

  • Visit our websites, apps, or dashboards,
  • Create an account and use our AI services and software (the "Services"),
  • Communicate with us (support, sales, marketing).

Key Definitions

  • Creator: A user who creates, publishes, and sells educational content, courses, or digital products through the Platform.
  • Student (or Learner): A user who purchases, accesses, and consumes Creator Content through the Platform.
  • Creator Content: Courses, lessons, educational materials, or digital products created and offered by Creators.
  • Platform: The Floa marketplace and technology that connects Creators with Students.

3) Personal Data We Collect

A. Data You Provide

  • Contact details: name, email, phone.
  • Account credentials: password and authentication details (hashed/salted where applicable).
  • Account type: whether you register as a Creator or Student.
  • Billing & payments: invoicing details, VAT/tax IDs, payment method (processed by our payment processors).
  • Support & communications: messages, tickets, feedback, survey responses.
  • Content & AI inputs/outputs: prompts, files, course assets, scripts, generated outputs, and related metadata.

B. Data Collected Automatically

  • Technical/usage data: IP address, device and browser type, OS, referral URLs, session IDs, pages/views, actions, timestamps.
  • Device identifiers: cookies, local storage IDs, SDK identifiers. See Cookies & Tracking.
  • Learning activity: For Students, we collect course progress, completion status, quiz scores, and engagement metrics to enable progress tracking and provide insights to Creators.

C. Data from Third Parties

  • Login/auth providers (where used): name, email, profile info.
  • Payments: transaction confirmations, failed/charged-back status.
  • Analytics/advertising: aggregated performance metrics, campaign attribution.
  • Anti-abuse/fraud: signals used to protect the Services.

4) Why We Use Your Data (Purposes & Legal Bases)

PurposeExamplesLegal Basis (UK/EU)
Provide the ServicesAccount creation, authentication, delivering features, AI processing, connecting Creators with StudentsContract (Art. 6(1)(b))
Facilitate transactionsProcessing payments between Students and Creators, managing payouts, handling refundsContract (Art. 6(1)(b))
Operate & secureDebugging, monitoring, preventing fraud/abuse, incident responseLegitimate interests (Art. 6(1)(f)); Legal obligation (where applicable)
Improve & researchProduct analytics, feature development, quality assurance for AI outputsLegitimate interests (Art. 6(1)(f))
Customer supportResponding to requests, troubleshootingContract; Legitimate interests
Billing & taxationInvoicing, receipts, accounting, audit logs, Creator payoutsContract; Legal obligation (Art. 6(1)(c))
Marketing (opt-in where required)Newsletters, product updates, promotionsConsent (Art. 6(1)(a)) or Legitimate interests
Compliance & enforcementRegulatory requests, T&Cs enforcementLegal obligation; Legitimate interests
AI Model Training: We do not use your prompts or content to train third-party foundation models without your explicit consent. We may use aggregated, de-identified usage analytics to improve our Services.

5) How We Use AI & Model Providers

When you submit content to the Services (e.g., prompts, files), we may process it using AI model providers to generate outputs you request.

  • We implement contractual and technical safeguards with model providers and infrastructure vendors.
  • We restrict provider use of your data to the purpose of delivering the requested output or the contracted service.
  • Where supported, we opt out of provider training on your data by default.
  • We maintain a subprocessors list (see Service Providers & Subprocessors).

6) Creator and Student Data Relationship

How Creators Access Student Data

When Students enroll in or purchase Creator Content, Creators may have access to certain Student information to deliver their services and manage their business:

  • Information shared with Creators: Student name, email address, enrollment/purchase date, course progress, completion status, and engagement metrics.
  • Purpose: To enable Creators to deliver their content, provide support, track progress, issue certificates, and communicate with their Students about purchased content.
  • Creator obligations: Creators who access Student data are responsible for using it only for legitimate purposes related to their content and in compliance with applicable data protection laws.

Floa's Role

  • For Creator data: Floa is the data controller for Creator account information and acts as processor for content Creators upload.
  • For Student data: Floa is the data controller for Student account information. For Student data accessed by Creators (e.g., enrollment data, progress), the Creator is the controller and Floa is a processor facilitating access.

Student Control

Students can:

  • View which Creators have access to their data through their Account settings;
  • Contact Creators directly regarding their data practices;
  • Request data deletion from Floa, though this may affect access to purchased content.

7) Cookies & Tracking

We use cookies, local storage, and similar technologies to:

  • Keep you signed in and secure sessions,
  • Remember preferences,
  • Measure product usage and campaign performance,
  • Improve the Services.

You can manage preferences via your browser settings and (where offered) our Cookie Settings panel. Disabling certain cookies may affect functionality.

For detailed information about how we use cookies, see our Cookie Policy. You can manage your preferences using the Cookie Settings link in our footer.

8) Sharing Your Information

A. Service Providers & Subprocessors

We share personal data with trusted providers who help us operate the Services, such as:

  • Cloud/hosting & infrastructure (e.g., Microsoft Azure),
  • Databases & authentication (e.g., Supabase),
  • AI model providers (e.g., Azure AI Foundry/Anthropic Claude/Google AI),
  • Payments & billing (e.g., Stripe),
  • Email/SMS (e.g., SendGrid/Twilio),
  • Analytics & error monitoring (e.g., PostHog/Sentry),
  • Customer support & CRM (e.g., Help Scout/Attio).

We require providers to process personal data only under our instructions and with appropriate security.

Live list of subprocessors

B. Creators (for Student data)

When Students purchase or enroll in Creator Content, we share necessary Student information with the relevant Creator as described in Section 6 above. This enables Creators to deliver their services and fulfill their obligations to Students.

C. Business & Legal

  • Corporate transactions: in connection with mergers, acquisitions, financing, or sale of assets (subject to confidentiality and continuing protections).
  • Legal/compliance: to comply with laws, lawful requests, or to protect rights, safety, and the integrity of the Services.

We do not sell your personal information.

9) International Data Transfers

We may transfer personal data outside the UK/EEA. Where we do, we rely on:

  • UK IDTA or EU Standard Contractual Clauses (SCCs), as applicable,
  • Adequacy decisions, and
  • Additional safeguards (technical/organizational measures and transfer risk assessments).

10) Security

We implement administrative, technical, and physical safeguards designed to protect personal data (e.g., encryption in transit, access controls, audit logging). No method of transmission or storage is 100% secure.

11) Data Retention

We retain personal data only as long as necessary for the purposes above or as required by law. Typical examples:

  • Account data: for the life of the account and a reasonable period after closure (e.g., 12–24 months) to manage queries and backups.
  • Support tickets: 24 months after resolution.
  • Telemetry/analytics: 12–26 months (aggregated/anonymized may be kept longer).
  • Financial records: 7 years for tax/accounting compliance (UK standard).
  • Student enrollment/progress data: retained while the Student maintains an account or the Creator maintains access, plus a reasonable period after for record-keeping.

Specific retention periods may vary by data category, legal requirements, or customer contract.

12) Your Rights

UK/EEA Residents (GDPR/UK GDPR)

You have the right to:

  • Access your personal data,
  • Rectify inaccurate data,
  • Erase data (in certain cases),
  • Restrict or object to processing,
  • Data portability,
  • Withdraw consent (where processing is based on consent),
  • Not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects.

To exercise rights, email privacy@getfloa.com. We may need to verify your identity.

You may also lodge a complaint with:

  • UK: Information Commissioner's Office (ICO)
  • EEA: Your local supervisory authority

California Residents (CCPA/CPRA)

You may have the right to:

  • Know the categories and specific pieces of personal information collected,
  • Delete personal information (subject to exceptions),
  • Correct inaccurate information,
  • Opt out of "sharing" or certain targeted advertising practices,
  • Not be discriminated against for exercising rights.

To exercise rights, email privacy@getfloa.com.
We do not sell personal information. If we "share" personal information for cross-context behavioral advertising, we will provide opt-out mechanisms where required.

13) Children's Privacy

Our Services are not directed to children. We do not knowingly collect personal data from children under the age required by local law (e.g., 13 in the US, 16 in parts of the EU) without appropriate consent. If you believe a child has provided us data, contact privacy@getfloa.com.

14) Automated Decision-Making & Profiling

We may use automated systems (including AI) to assist with features like content generation, recommendations, fraud detection, and abuse prevention. We do not engage in solely automated decisions that produce legal or similarly significant effects without appropriate human involvement and safeguards.

15) Controller vs Processor; Customer Responsibilities

  • For our website, account, billing, and internal analytics, Floa is the controller.
  • For data Creators upload to the platform about their own end-users (including Student enrollment and progress data shared with Creators), Floa acts as a processor and processes data under Creator instructions and our Data Processing Addendum (DPA).
  • Creators who access Student data are responsible for having a lawful basis to process their Students' data and for providing any required notices to them.

16) Third-Party Links

Our Services may link to third-party sites or services we do not operate. Their privacy practices are governed by their own policies.

17) Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and, where required, notify you of material changes (e.g., email or in-app notice).

18) Contact Us

Email: privacy@getfloa.com
Postal: Floa Software Solutions Ltd, 167–169 Great Portland Street, London, W1W 5PF, UK

We value your privacy

We use cookies to enhance your browsing experience, analyze site traffic, and personalize content. By clicking "Accept All", you consent to our use of cookies. Learn more