Privacy Policy

Last updated: October 8, 2025

1) Who We Are

Floa Software Solutions Ltd ("Floa," "we," "us," or "our") is a company registered in England and Wales (Company No. 16376075) with registered offices at 167–169 Great Portland Street, London, England, W1W 5PF.
Email: privacy@getfloa.com

For most activities described in this policy, Floa is the data controller. When we process personal data on behalf of our customers inside the Floa platform (e.g., their end-user lists, campaign data, course participants), we act as a data processor under our Data Processing Addendum (DPA) with those customers.

  • UK law: Data Protection Act 2018 and UK GDPR
  • EEA law (where applicable): EU GDPR
  • California (where applicable): CCPA/CPRA

2) Scope

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you:

  • Visit our websites, apps, or dashboards,
  • Create an account and use our AI services and software (the "Services"),
  • Communicate with us (support, sales, marketing).

3) Personal Data We Collect

A. Data You Provide

  • Contact details: name, email, phone.
  • Account credentials: password and authentication details (hashed/salted where applicable).
  • Billing & payments: invoicing details, VAT/tax IDs, payment method (processed by our payment processors).
  • Support & communications: messages, tickets, feedback, survey responses.
  • Content & AI inputs/outputs: prompts, files, course assets, scripts, generated outputs, and related metadata.

B. Data Collected Automatically

  • Technical/usage data: IP address, device and browser type, OS, referral URLs, session IDs, pages/views, actions, timestamps.
  • Device identifiers: cookies, local storage IDs, SDK identifiers. See Cookies & Tracking.

C. Data from Third Parties

  • Login/auth providers (where used): name, email, profile info.
  • Payments: transaction confirmations, failed/charged-back status.
  • Analytics/advertising: aggregated performance metrics, campaign attribution.
  • Anti-abuse/fraud: signals used to protect the Services.

4) Why We Use Your Data (Purposes & Legal Bases)

| Purpose | Examples | Legal Basis (UK/EU) |
|---|---|---|
| Provide the Services | Account creation, authentication, delivering features, AI processing | Contract (Art. 6(1)(b)) |
| Operate & secure | Debugging, monitoring, preventing fraud/abuse, incident response | Legitimate interests (Art. 6(1)(f)); Legal obligation (where applicable) |
| Improve & research | Product analytics, feature development, quality assurance for AI outputs | Legitimate interests (Art. 6(1)(f)) |
| Customer support | Responding to requests, troubleshooting | Contract; Legitimate interests |
| Billing & taxation | Invoicing, receipts, accounting, audit logs | Contract; Legal obligation (Art. 6(1)(c)) |
| Marketing (opt-in where required) | Newsletters, product updates, promotions | Consent (Art. 6(1)(a)) or Legitimate interests |
| Compliance & enforcement | Regulatory requests, T&Cs enforcement | Legal obligation; Legitimate interests |

AI Model Training: We do not use your prompts or content to train third-party foundation models without your explicit consent. We may use aggregated, de-identified usage analytics to improve our Services.

5) How We Use AI & Model Providers

When you submit content to the Services (e.g., prompts, files), we may process it using AI model providers to generate outputs you request.

  • We implement contractual and technical safeguards with model providers and infrastructure vendors.
  • We restrict provider use of your data to the purpose of delivering the requested output or the contracted service.
  • Where supported, we opt out of provider training on your data by default.
  • We maintain a subprocessors list (see Service Providers & Subprocessors).

6) Cookies & Tracking

We use cookies, local storage, and similar technologies to:

  • Keep you signed in and secure sessions,
  • Remember preferences,
  • Measure product usage and campaign performance,
  • Improve the Services.

You can manage preferences via your browser settings and (where offered) our Cookie Settings panel. Disabling certain cookies may affect functionality.

For detailed information about how we use cookies, see our Cookie Policy. You can manage your preferences using the Cookie Settings link in our footer.

7) Sharing Your Information

A. Service Providers & Subprocessors

We share personal data with trusted providers who help us operate the Services, such as:

  • Cloud/hosting & infrastructure (e.g., Microsoft Azure),
  • Databases & authentication (e.g., Supabase),
  • AI model providers (e.g., OpenAI/Azure OpenAI),
  • Payments & billing (e.g., Stripe),
  • Email/SMS (e.g., SendGrid/Twilio),
  • Analytics & error monitoring (e.g., Google Analytics/Sentry),
  • Customer support & CRM (e.g., HubSpot/Attio).

We require providers to process personal data only under our instructions and with appropriate security.

Live list of subprocessors

B. Business & Legal

  • Corporate transactions: in connection with mergers, acquisitions, financing, or sale of assets (subject to confidentiality and continuing protections).
  • Legal/compliance: to comply with laws, lawful requests, or to protect rights, safety, and the integrity of the Services.

We do not sell your personal information.

8) International Data Transfers

We may transfer personal data outside the UK/EEA. Where we do, we rely on:

  • UK IDTA or EU Standard Contractual Clauses (SCCs), as applicable,
  • Adequacy decisions, and
  • Additional safeguards (technical/organizational measures and transfer risk assessments).

9) Security

We implement administrative, technical, and physical safeguards designed to protect personal data (e.g., encryption in transit, access controls, audit logging). No method of transmission or storage is 100% secure.

10) Data Retention

We retain personal data only as long as necessary for the purposes above or as required by law. Typical examples:

  • Account data: for the life of the account and a reasonable period after closure (e.g., 12–24 months) to manage queries and backups.
  • Support tickets: 24 months after resolution.
  • Telemetry/analytics: 12–26 months (aggregated/anonymized may be kept longer).
  • Financial records: 7 years for tax/accounting compliance (UK standard).

Specific retention periods may vary by data category, legal requirements, or customer contract.

11) Your Rights

UK/EEA Residents (GDPR/UK GDPR)

You have the right to:

  • Access your personal data,
  • Rectify inaccurate data,
  • Erase data (in certain cases),
  • Restrict or object to processing,
  • Data portability,
  • Withdraw consent (where processing is based on consent),
  • Not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects.

To exercise rights, email privacy@getfloa.com. We may need to verify your identity.

You may also lodge a complaint with:

  • UK: Information Commissioner's Office (ICO)
  • EEA: Your local supervisory authority

California Residents (CCPA/CPRA)

You may have the right to:

  • Know the categories and specific pieces of personal information collected,
  • Delete personal information (subject to exceptions),
  • Correct inaccurate information,
  • Opt out of "sharing" or certain targeted advertising practices,
  • Not be discriminated against for exercising rights.

To exercise rights, email privacy@getfloa.com.
We do not sell personal information. If we "share" personal information for cross-context behavioral advertising, we will provide opt-out mechanisms where required.

12) Children's Privacy

Our Services are not directed to children. We do not knowingly collect personal data from children under the age required by local law (e.g., 13 in the US, 16 in parts of the EU) without appropriate consent. If you believe a child has provided us data, contact privacy@getfloa.com.

13) Automated Decision-Making & Profiling

We may use automated systems (including AI) to assist with features like content generation, recommendations, fraud detection, and abuse prevention. We do not engage in solely automated decisions that produce legal or similarly significant effects without appropriate human involvement and safeguards.

14) Controller vs Processor; Customer Responsibilities

  • For our website, account, billing, and internal analytics, Floa is the controller.
  • For data you upload to the platform about your own end-users, Floa acts as a processor and processes data under your instructions and our Data Processing Addendum (DPA).
  • You (the customer) are responsible for having a lawful basis to process your end-users' data and for providing any required notices to them.

15) Third-Party Links

Our Services may link to third-party sites or services we do not operate. Their privacy practices are governed by their own policies.

16) Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and, where required, notify you of material changes (e.g., email or in-app notice).

17) Contact Us

Email: privacy@getfloa.com
Postal: Floa Software Solutions Ltd, 167–169 Great Portland Street, London, W1W 5PF, UK
