Flowdesk Cloud logoFlowdesk Cloud

Privacy Policy

Last Updated: January 12, 2025

This Privacy Policy explains how Flowdesk Cloud (FlowDesk, "we", "us", or "our") collects, uses, discloses, and safeguards data when hotels, their staff, and their guests use our intelligent operations platform. By using the Service, you agree to the practices described below. If you do not agree, please refrain from using the Service.

1. Who We Are

Flowdesk Cloud provides workflow, messaging, and routing tools that help hotels manage guest issues in real time. For customer account data, Flowdesk Cloud acts as the data controller. For guest data captured on behalf of hotel customers, we act as a data processor and process the data solely under the customer's instructions.

2. Information We Collect

2.1 Account and Property Data

Information provided by administrators and staff, including:

  • Names, work emails, role assignments, authentication details
  • Property names, addresses, time zones, routing rules
  • Billing contacts and plan selections

2.2 Guest Interaction Data

Information entered through QR flows, guest portals, or SMS, including:

  • Guest identifiers (name, room number, phone)
  • Issue descriptions, attachments, ratings, chat history
  • Metadata such as timestamps, ticket IDs, property mapping

2.3 Usage and Device Data

Automatically collected when anyone uses the Service:

  • Log data (pages viewed, feature flags, performance metrics)
  • IP address, browser type, operating system, language
  • Event diagnostics from our analytics and observability stack

2.4 Communications and Support

When you contact us, we collect the content of your inquiry, related metadata, and any supporting files to help resolve the request.

2.5 Payment and Commercial Data

Subscription and invoicing details are handled by our PCI-compliant payment processor. We retain transaction identifiers, plan metadata, and payment status but never store full card numbers on our systems.

3. How We Use Information

We use the data described above to:

  • Provide, configure, and maintain property workspaces
  • Route guest issues, facilitate staff messaging, and send notifications
  • Deliver onboarding, customer support, and product communications
  • Monitor usage for reliability, fraud detection, and abuse prevention
  • Analyze aggregated trends to improve product performance
  • Comply with legal obligations and enforce our agreements

4. Legal Bases for Processing (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract: Processing necessary to provide the Service requested by customers and their staff.
  • Legitimate Interests: Improving the platform, securing systems, and preventing fraud.
  • Consent: Optional communications or cookies where legally required.
  • Legal Obligation: Meeting tax, accounting, and regulatory requirements.

5. How We Share Information

We do not sell personal data. We share information with third parties only as needed to operate the Service:

  • Infrastructure: cloud hosting, edge delivery, and managed database providers.
  • Messaging: carrier aggregators that route SMS and voice communications, including phone numbers and message content.
  • Payments: PCI-compliant processors that handle subscription billing and invoicing.
  • Analytics & Monitoring: observability tooling used for product telemetry and reliability insights.
  • Support & Productivity: Email, ticketing, or incident-management tools used by our team.
  • Legal & Compliance: Professional advisers and law enforcement when required.

Each service provider is bound by contractual obligations to protect personal data and to use it only for the services provided to us.

6. Cookies & Tracking

We use cookies and similar technologies to keep you signed in, store preferences, measure performance, and understand product usage. You can adjust browser settings to reject cookies; however, disabling essential cookies will break authentication flows.

7. Data Retention

We retain data only for as long as necessary:

  • Account & Billing Records: Life of the account plus up to seven (7) years for compliance.
  • Guest Tickets & Messages: Available to customers until deleted or 30 days after account closure.
  • Diagnostics & Logs: Up to 18 months, unless needed longer for investigations.
  • Support Conversations: Retained for the life of the account to document service history.

8. Security Practices

We implement administrative, technical, and physical safeguards such as encrypted transport (TLS), encryption at rest, least-privilege access controls, regular vulnerability scanning, and continuous monitoring. Customers are responsible for securing their devices, enforcing strong passwords, and managing staff access.

9. Customer Responsibilities for Guest Data

Hotel customers control how guest data is collected and displayed. You must obtain all required consents, configure QR signage in compliance with local rules, refrain from uploading sensitive categories of data unless permitted by law, and honor guest requests submitted through your channels. We provide tooling to export or delete guest records upon request.

10. International Transfers

We store data primarily in the United States. If we transfer data to other jurisdictions, we rely on approved safeguards such as Standard Contractual Clauses or equivalent mechanisms. By using the Service, you acknowledge these transfers.

11. Your Rights

Subject to local laws, you may have the right to access, correct, delete, restrict, or export your personal data, and to object to certain processing. You can submit requests by emailing privacy@flowdesk.cloud. We respond within 30 days or sooner where required. If we process data on behalf of a hotel customer, we will direct the request to that customer.

12. California, Virginia & Similar State Rights

Residents of California, Virginia, Colorado, Connecticut, and other U.S. states with privacy laws have additional rights, including the right to know what data is collected, to request deletion, and to opt out of certain processing. Flowdesk Cloud does not sell personal data or use it for cross-context behavioral advertising. To exercise state-specific rights, contact us at the email above.

13. Children's Data

The Service is intended for professional use in hospitality settings and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, please notify us so we can delete it.

14. Changes to This Policy

We may update this Privacy Policy to reflect product, legal, or operational changes. We will provide notice of material updates via email or in-product messaging at least 15 days before the effective date whenever feasible. Continued use of the Service after the effective date constitutes acceptance.

15. Contact

For privacy questions or requests, email privacy@flowdesk.cloud. For general product support, reach us at support@flowdesk.cloud. Additional legal terms governing your use of the Service are found in our Terms of Service.

Questions about privacy? Contact privacy@flowdesk.cloud.