Privacy Policy

Last updated: January 15, 2025

Introduction

At Flow GRC (“Flow,” “we,” “us,” or “our”), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our governance, risk, and compliance (GRC) platform and related services.

Information We Collect

Personal Information

We may collect the following types of personal information:

  • Account Information: Name, email address, job title, company name, and contact details
  • Profile Data: Professional information, role within your organization, and preferences
  • Authentication Data: Login credentials, multi-factor authentication tokens, and security questions
  • Communication Data: Messages, feedback, and support requests

Business Information

  • Organizational structure and hierarchy
  • Risk assessments and compliance data
  • Audit trails and governance documentation
  • Vendor and third-party information

Technical Information

  • IP addresses, device identifiers, and browser information
  • Usage patterns, feature interactions, and performance metrics
  • Log files and error reports
  • Cookies and similar tracking technologies

How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: Providing and maintaining our GRC platform and services
  • Account Management: Creating and managing your account, authentication, and access control
  • Communication: Sending service notifications and updates, and responding to inquiries
  • Improvement: Analyzing usage patterns to enhance our platform and develop new features
  • Security: Monitoring for security threats, fraud prevention, and maintaining system integrity
  • Compliance: Meeting legal and regulatory requirements
  • Marketing: Sending promotional materials (with your consent where required)

Information Sharing and Disclosure

We may share your information in the following circumstances:

With Your Consent

We will share information when you explicitly consent to such sharing.

Service Providers

We may share information with trusted third-party service providers who assist in:

  • Cloud hosting and infrastructure services
  • Payment processing and billing
  • Customer support and communication tools
  • Analytics and performance monitoring
  • Security and fraud prevention services

Legal Requirements

We may disclose information when required by law, regulation, legal process, or government request.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.

Data Security

We implement comprehensive security measures to protect your information:

  • Encryption: Data encryption in transit and at rest using industry-standard protocols
  • Access Controls: Role-based access controls and multi-factor authentication
  • Monitoring: Continuous security monitoring and threat detection
  • Compliance: SOC 2 Type II, ISO 27001, and GDPR compliance
  • Regular Audits: Third-party security assessments and penetration testing
  • Employee Training: Regular security awareness training for all personnel

Data Retention

We retain your information for as long as necessary to:

  • Provide our services and maintain your account
  • Comply with legal and regulatory requirements
  • Resolve disputes and enforce our agreements
  • Maintain security and prevent fraud

When information is no longer needed, we securely delete or anonymize it according to our data retention policies.

Your Rights

Depending on your location, you may have the following rights:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Portability: Request a copy of your data in a portable format
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for processing where applicable

To exercise these rights, please contact us at privacy@flowgrc.com.

International Data Transfers

Flow operates globally, and your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international data transfers, including standard contractual clauses and adequacy decisions where applicable.

Children’s Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date. Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Flow GRC Privacy Team

Email: privacy@flowgrc.com

Address: 357 Bay Street, Toronto, ON M5H 4A6