Privacy Policy

Last Updated: 26 March 2026

FLOWEDGE AI LTD ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how your personal information is collected, used, and disclosed by Flow AI.

This policy specifically addresses our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller responsible for your personal data is:

FLOWEDGE AI LTD
193 Cambridge Street
Aylesbury, Buckinghamshire
United Kingdom, HP20 1BQ

2. Information We Collect

We collect information to provide and improve our AI voice receptionist service:

  • Identity Data: Business name, owner name, email address.
  • Contact Data: Business address, phone number, email address.
  • Call Data: Inbound call recordings, transcripts, caller phone numbers, call duration, and AI-generated summaries.
  • Vehicle Data: Vehicle registration numbers and MOT history (retrieved from the DVSA API at the caller's request during a call).
  • Transaction Data: Subscription payments, invoices, and billing history via Stripe.
  • Technical Data: IP address, browser type, device information, and usage analytics.
  • Configuration Data: Business hours, services, pricing, AI assistant settings, and widget preferences.

3. How We Use Your Information

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Performance of Contract: To register you as a subscriber, provision your AI receptionist, process calls, store transcripts, and manage payments.
  • Legitimate Interests: To improve our AI models and call quality, prevent fraud, and provide technical support.
  • Legal Obligation: To comply with legal or regulatory requirements (e.g., tax reporting, law enforcement requests).

4. Data Sharing and Third Parties

We may share your data with:

  • Voice AI Provider: Vapi.ai — processes voice calls (speech-to-text, AI responses, text-to-speech). Calls are processed in real-time and not permanently stored by Vapi.
  • Telephony Provider: Twilio — provisions and routes phone numbers and calls.
  • Database & Auth: Supabase — stores account data, call logs, and transcripts with row-level security.
  • Payment Processor: Stripe — processes subscription payments securely. We do not store your full card details.
  • CRM Integration: GoHighLevel — if you connect your CRM, we share appointment and contact data with it at your direction.
  • Email Provider: Resend — sends call summary emails and transactional notifications.
  • Vehicle Data: DVSA MOT History API — we query this public UK government API when a caller requests vehicle information.

5. Call Recording and Transcription

All inbound calls answered by the AI receptionist are transcribed and stored in your dashboard. Call transcripts contain personally identifiable information (caller phone number, conversation content). As the data controller for your customers' data, you are responsible for:

  • Informing callers that calls are handled by an AI and may be recorded.
  • Having a lawful basis for processing caller data (e.g., legitimate interest, contract).
  • Responding to data subject requests from your callers.

6. International Transfers

Some of our third-party providers process data outside the UK (e.g., Vapi.ai, Stripe). Whenever we transfer personal data out of the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or transfers to countries with adequacy decisions.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including: row-level security on all database tables, encrypted connections (TLS), API key rotation, input sanitisation, and Content Security Policy headers. Access to personal data is limited to authorised personnel on a need-to-know basis.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Call transcripts are retained for the duration of your subscription plus 90 days. After account deletion, we remove your data within 30 days, except where we are required to retain it for legal or regulatory purposes.

9. Your Legal Rights (UK GDPR)

Under data protection law, you have the right to:

  • Request access to your personal data (Subject Access Request).
  • Request correction of inaccurate personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing.
  • Request data portability — receive your data in a structured format.
  • Withdraw consent at any time.

We provide GDPR data export and deletion endpoints in your dashboard. You can also exercise any right by emailing support@flowedgeai.com.

10. Complaints

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.