Privacy Policy

Account data: name, email, company, billing details and authentication metadata when you create or use a Floo account.

Usage data: dashboard activity, feature usage, IP address, browser type, and standard server logs to keep the service running and secure.

Voice and call data: when you operate a Floo voice agent, we process audio, transcripts, and metadata for the duration of a call. This data is stored encrypted and tied to your tenant only.

Knowledge base content: any documents, URLs, or data sources you upload to power your agents.

Operate the service — provision agents, route calls, store transcripts, generate summaries, and bill correctly.

Improve the product — aggregate, anonymized usage signals help us debug issues and improve reliability. Your call audio and transcripts are never used to train shared models without explicit consent.

Communicate — send service notifications, security alerts, and (only with consent) product updates.

Comply with law — meet TCPA, DNC, HIPAA-aligned, and other applicable obligations.

By default, we do not use your call recordings, transcripts, or knowledge-base content to train any shared AI model.

Models you select on Floo (Llama on Groq, ElevenLabs voices, Deepgram STT, etc.) are queried via APIs that your tenant configures. Each provider's privacy terms apply on top of ours.

We share data only with subprocessors needed to deliver the service — including LiveKit (telephony infrastructure), Groq and other LLM providers, Deepgram (STT), ElevenLabs (TTS), Stripe (billing), and Vercel/AWS (hosting).

A current list of subprocessors is available on request from privacy@floo.ai. We sign data-processing agreements (DPAs) with all subprocessors that touch customer data.

Account and billing data is retained for the life of your account and for up to 7 years after closure for tax and legal purposes.

Call recordings, transcripts, and analytics are retained per the retention setting you configure (default 90 days). You can permanently delete any record from the dashboard.

On account closure, customer-controlled data is deleted within 30 days unless legal hold requires longer retention.

Access, correct, export, or delete your personal data by emailing privacy@floo.ai or using the dashboard self-service tools.

If you are in the EU/UK, you have rights under GDPR including the right to lodge a complaint with your local supervisory authority.

If you are a California resident, you have rights under CCPA including the right to know, delete, and opt out of sale (we do not sell personal information).

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is logged, audited, and limited to the smallest team possible.

We are working toward SOC 2 Type II and HIPAA compliance. Current security documentation is available under NDA from security@floo.ai.

Floo is operated by VLMS Global with infrastructure in the US and EU. Data may be transferred across regions for service delivery.

We rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms for cross-border transfers where required.

We will notify users of material changes via email or in the dashboard at least 30 days before they take effect.

The most current version is always at floo.ai/legal/privacy-policy.

Privacy questions: privacy@floo.ai. Legal: legal@floo.ai. Security: security@floo.ai.