Legal

Privacy Policy

Last updated: March 2026

1. Who We Are

Flohly ("we", "us", "our") is a UK-based software-as-a-service (SaaS) business providing AI-powered automation services to small and medium-sized businesses. For the purposes of UK data protection law, Flohly is the data controller in respect of personal data we collect about our customers and their contacts.

You can contact us at: hello@flohly.com

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you:

  • Visit our website at flohly.com
  • Sign up for or use any Flohly service
  • Contact us for support or information

This Policy applies to personal data about:

  • Our customers and prospective customers (business contacts)
  • Third-party callers whose voicemail messages are processed as part of the Flohly Voice service

If you are a customer using Flohly Voice to process voicemails, please also read Section 9 (Third-Party Caller Data), which sets out your own data protection responsibilities.

3. What Personal Data We Collect

3.1 Customer and Contact Data

When you register for or use our services, we may collect:

  • Your name and business name
  • Your email address and phone number
  • Billing and payment information (processed by Stripe, our payment processor — we do not store card details directly)
  • Service configuration details, including your defined service remit and geographic coverage
  • Support and communication records

3.2 Website and Usage Data

When you visit our website, we may collect:

  • IP address and browser type
  • Pages visited and time spent on site
  • Referral source

We do not currently use cookies for tracking or advertising purposes. If this changes, we will update this Policy and, where required, obtain your consent.

3.3 Voicemail and Processing Data (Flohly Voice)

In the course of providing Flohly Voice, we process:

  • Voicemail audio recordings (received from your telephony provider)
  • AI-generated transcriptions of those recordings
  • AI-generated analysis, including category, urgency level, and action summary
  • The phone number of the caller (where provided by the telephony provider)

This data is processed on your behalf as your data processor. It is retained only until the next daily digest email has been produced and delivered, after which it is deleted from our systems.

4. How We Use Your Personal Data

We use personal data for the following purposes:

  • To provide and operate the Flohly services you have subscribed to
  • To send you service notifications, including urgent voicemail alerts and daily digest emails
  • To manage your account and billing
  • To provide customer support
  • To respond to enquiries from prospective customers
  • To improve and develop our services (using anonymised or aggregated data where possible)
  • To comply with our legal obligations

5. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

  • Contract performance: to provide the services you have agreed to purchase from us
  • Legitimate interests: to manage and improve our services, communicate with you about your account, and protect our business — where these interests are not overridden by your rights
  • Legal obligation: to comply with applicable laws and regulations
  • Consent: where we rely on consent (for example, for optional marketing communications), you may withdraw consent at any time

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy:

  • Voicemail recordings and transcripts: deleted after the next daily digest email is produced (typically within 24 hours of receipt)
  • Customer account data: retained for the duration of your subscription and for up to 6 years after termination, to comply with our legal and tax obligations
  • Support and communication records: retained for up to 3 years
  • Website enquiry data: retained for up to 12 months

7. Sharing Your Data

7.1 Subprocessors

We use a small number of trusted third-party subprocessors to help us deliver our services. Each subprocessor is bound by contractual obligations to protect your data.

Subprocessor Purpose Data Processed Location
Stripe, Inc. Payment processing and recurring subscription billing Customer name, email address, payment card details, billing address USA/EU — transfer covered by processor's standard DPA and SCCs
OpenAI, LLC AI transcription (Whisper) and message analysis (GPT-4o-mini) Voicemail audio, transcribed text USA — transfer covered by processor's standard DPA and SCCs
Supabase Inc. Database — temporary storage of transcripts and customer account data Transcripts, customer account data EU West (Ireland) — no international transfer
Resend Inc. Transactional email delivery Email address, voicemail summary content USA — transfer covered by processor's standard DPA and SCCs
Railway Corp. Cloud infrastructure and application hosting Application data processed in the course of running the Flohly backend service USA — transfer covered by processor's standard DPA and SCCs

Where subprocessors are based outside the UK or EEA, we rely on the data transfer safeguards incorporated into each processor's standard terms of service and Data Processing Agreement (DPA). In practice, this means we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as included in the standard terms of each provider.

Please note that Flohly Voice also requires you to hold your own account with Twilio Inc., a telephony provider through which your voicemail recordings are received and delivered to us for processing. Twilio is your service provider, not ours — you contract with Twilio directly and are responsible for your own Twilio account.

7.2 Other Disclosures

We may also share personal data:

  • With professional advisers (such as lawyers or accountants) where necessary
  • With law enforcement or regulatory authorities if required by law
  • In the context of a business sale, merger, or acquisition — you will be notified in advance where practicable

We do not sell, rent, or share personal data with third parties for their own marketing purposes.

8. International Transfers

Some of our subprocessors are based in the United States. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect that data, in accordance with UK GDPR requirements. This currently includes reliance on Standard Contractual Clauses (UK SCCs or the International Data Transfer Agreement, as applicable).

9. Third-Party Caller Data — Customer Responsibilities

Where you use Flohly Voice, the voicemails you receive will contain personal data about third-party callers (such as their name, phone number, and the content of their message). You are the data controller in respect of this data.

As a data controller, it is your responsibility to:

  • Have a lawful basis for recording and processing your callers' voicemails
  • Inform callers that their messages may be recorded and processed by AI (for example, via a recorded message at the start of your voicemail or in your business privacy notice)
  • Ensure your own privacy notice accurately describes how caller data is handled
  • Comply with all applicable data protection obligations

Flohly processes Third-Party Caller Data solely on your instructions and as your data processor, in accordance with these obligations and the terms of our Data Processing Agreement. If you require a Data Processing Agreement, please contact us at hello@flohly.com.

We strongly recommend you seek independent legal advice if you are unsure of your obligations in this area.

10. Data Security

We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or disclosure. These include:

  • Encryption of data in transit (TLS)
  • Access controls limiting who can access personal data within our systems
  • Use of reputable cloud infrastructure providers
  • Prompt deletion of voicemail data after processing

No system is completely secure. If you become aware of a potential security incident relating to our services, please contact us immediately at hello@flohly.com.

11. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right of access: to request a copy of the personal data we hold about you
  • Right to rectification: to ask us to correct inaccurate or incomplete data
  • Right to erasure: to request deletion of your data in certain circumstances
  • Right to restrict processing: to ask us to limit how we use your data in certain circumstances
  • Right to data portability: to receive your data in a structured, machine-readable format
  • Right to object: to object to processing based on legitimate interests
  • Rights related to automated decision-making: we do not make solely automated decisions with legal or significant effects about you

To exercise any of these rights, please contact us at hello@flohly.com. We will respond within one calendar month. We may need to verify your identity before fulfilling a request.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. We will notify you of material changes by email and will update the "Last updated" date at the top of this document. We encourage you to review this Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: