Privacy Policy

Effective date: 6th June 2026

Last updated: 6th June 2026

This Privacy Policy explains how Floxa Ltd collects, uses, stores, shares and protects personal data when you use our website, web platform, mobile applications and related services.

For the purposes of this Privacy Policy, "Floxa", "we", "us" and "our" mean:

Floxa Ltd

Company number: 16971343

Registered office: 5 Ystrad Close, Johnstown, Carmarthen, Wales, SA31 3PE

Privacy contact: privacy@floxa.co.uk

This Privacy Policy applies to:

This Privacy Policy should be read alongside our Terms of Service, Data Processing Agreement and Cookie Policy, available at:

1. Our Role

Floxa provides business management software for businesses, teams, freelancers and organisations.

Depending on the circumstances, Floxa may act as either a controller or a processor of personal data.

We act as a controller when we decide why and how personal data is used. This includes personal data used for account registration, billing, customer support, security, analytics, product improvement, legal compliance and communications with our customers.

We may act as a processor when our business customers upload, enter, store or manage personal data about their own customers, staff, contractors, suppliers, contacts or other individuals within the Floxa platform. In those cases, the customer is usually the controller, and Floxa processes that data on the customer's instructions, in accordance with our Terms, Data Processing Agreement and applicable law.

If you are an individual whose personal data has been entered into Floxa by one of our customers, you should usually contact that customer first about your data protection rights. We will assist our customers where required by applicable data protection law.

2. Business Use and Account Authority

Floxa is intended for business users aged 18 or over.

You must be at least 18 years old to create a Floxa account or use the service.

If you create an account on behalf of a company, organisation or other legal entity, you confirm that you are authorised to do so and to provide personal data to Floxa on its behalf.

Customers are responsible for ensuring that they have a lawful basis for entering personal data into Floxa and for providing any required privacy information to the individuals whose data they manage through the platform.

3. Personal Data We Collect

We collect different types of personal data depending on how you use Floxa.

3.1 Account and Profile Information

We may collect:

  • name;
  • email address;
  • phone number, if provided;
  • job title or role, if provided;
  • username or account identifier;
  • profile information;
  • password and authentication information;
  • organisation or business name;
  • team membership and user permissions;
  • account preferences and settings.

Users log in using email and password. Passwords are securely hashed and are not stored in plain text.

3.2 Business and Organisation Information

We may collect or process:

  • company or organisation name;
  • business address;
  • billing address;
  • VAT, tax or company information, if provided;
  • team member details;
  • roles and permissions;
  • customer, supplier, contractor or contact records entered into the platform;
  • project, task, invoice, expense, timesheet, CRM, support, document or operational data entered into the platform.

Customers may invite team members to their Floxa workspace. We process invited users' account details, roles, permissions, activity logs and related platform data to provide the service.

Floxa may process staff, contractor or team member information entered by customers, including timesheets, task assignments, approvals, roles, permissions, work records and related operational data.

3.3 Customer-Controlled Data

Customers may upload, enter, store or manage personal data about their own customers, staff, contractors, suppliers, contacts or other individuals.

This may include:

  • names;
  • email addresses;
  • phone numbers;
  • business addresses;
  • invoice details;
  • payment records;
  • task and project information;
  • timesheet and work records;
  • support or communication records;
  • documents, contracts, receipts, images and attachments;
  • other information entered or uploaded by the customer.

For customer-controlled data, the customer is usually the controller and Floxa acts as processor.

3.4 Financial, Billing and Payment Information

Customers may create, upload or manage invoices, expenses, receipts, payment records and other financial or accounting-related records in Floxa. These records may contain personal data depending on the information entered or uploaded by the customer.

Floxa uses Stripe to manage subscription billing for Floxa accounts. Floxa may also use Stripe Connect to allow customers to connect their own Stripe accounts and accept payments for invoices issued through the platform.

We may collect or receive limited payment and billing information, such as:

  • billing name;
  • billing email;
  • billing address;
  • subscription plan;
  • payment status;
  • invoice records;
  • transaction references;
  • partial payment card details, such as card brand and last four digits, where provided by Stripe;
  • tax or accounting information.

We do not intentionally store full payment card numbers or full card security codes on our own systems.

Floxa subscriptions are managed through Stripe. Floxa does not use Apple or Google in-app purchases for subscriptions at launch.

3.5 Uploaded Files, Receipts, Images and Documents

Users may optionally upload receipts, photos, documents and other files of their choice into Floxa.

These uploads may contain personal data depending on what the user chooses to upload. Floxa processes uploaded files to provide relevant platform features, such as receipts, expenses, invoices, records, attachments and document management.

Customers may upload, store and manage signed contracts or other documents in Floxa. Floxa does not provide electronic signing functionality at launch.

Authorised Floxa personnel may access uploaded documents only where necessary to provide support, troubleshoot issues, maintain security, investigate misuse, comply with legal obligations, or operate the service.

Floxa does not manually review user-uploaded images, receipts or documents for analytics purposes.

3.6 Usage, Device and Technical Information

When you use Floxa, we may collect:

  • IP address;
  • device type;
  • operating system;
  • browser type and version;
  • app version;
  • log data;
  • session information;
  • pages, screens or features used;
  • dates and times of access;
  • diagnostic data;
  • security logs;
  • audit logs.

Floxa may generate internal operational statistics from platform data, including subscription statistics, usage rates, support activity, account activity and general operational metrics.

Floxa does not use Google Analytics inside the logged-in web app/platform or mobile app at launch.

3.7 Mobile App Data and Permissions

The Floxa mobile app may request camera and photo/file access where needed to allow users to upload receipts, photos, documents, attachments or other files into the platform.

These uploads are optional. Floxa does not access the camera, photos or files unless the user grants permission and uses a feature that requires access.

Floxa does not request location, contacts, calendar, microphone or push notification permissions at launch.

The Android app is login-only at launch. Account creation is handled through the Floxa website. Signup may be added to the mobile app later, and this Privacy Policy and relevant app disclosures will be updated if that changes.

3.8 Communications and Support Data

If you contact us or use support features, we may collect:

  • your name and contact details;
  • message contents;
  • support tickets;
  • issue reports;
  • email correspondence;
  • attachments you send to us;
  • information needed to investigate or resolve your request.

Customers may contact Floxa for support by email or through Support Stream ticketing. Floxa uses Support Stream to manage support requests, issue reports and related communications.

3.9 Cookies and Website Analytics

Floxa uses Google Analytics on the Floxa marketing website only, and only after the user gives cookie consent.

Google Analytics is not used inside the logged-in Floxa web app/platform or mobile app at launch.

The cookie banner remains visible until the user accepts or rejects analytics cookies. Rejecting analytics cookies does not affect access to essential Floxa functionality.

For more information, please see our Cookie Policy at:

https://floxa.co.uk/cookies

4. Special Category Data

Floxa is not designed to collect special category personal data.

Special category personal data may include information about health, religion, ethnicity, biometric data, trade union membership, sexual orientation or political opinions.

Customers should not upload or enter special category personal data unless they have a lawful basis to do so and it is necessary for their use of the service.

5. How We Use Personal Data

We use personal data for the following purposes.

5.1 To Provide and Operate Floxa

We use personal data to:

  • create and manage accounts;
  • authenticate users;
  • provide access to the platform;
  • enable platform features;
  • manage organisations, teams, roles and permissions;
  • store and display customer-entered business data;
  • manage subscriptions and billing;
  • send essential account, authentication, security and password reset communications;
  • provide customer support;
  • maintain service availability.

5.2 To Improve and Develop the Platform

We may use data to:

  • understand usage rates and service performance;
  • improve features, performance and usability;
  • diagnose bugs and technical issues;
  • test and develop new functionality;
  • analyse operational trends;
  • improve onboarding and user experience.

Where possible, we use aggregated or anonymised data for product improvement.

5.3 To Keep Floxa Secure

We use personal data to:

  • detect and prevent unauthorised access;
  • monitor suspicious activity;
  • protect user accounts;
  • maintain audit logs;
  • prevent fraud, abuse, spam and misuse;
  • investigate security incidents;
  • enforce our terms and policies.

5.4 To Provide Support

We use personal data to:

  • respond to customer enquiries;
  • manage support tickets;
  • investigate issue reports;
  • troubleshoot technical problems;
  • communicate with users about support matters;
  • improve our support processes.

Authorised Floxa personnel may access customer account data only where necessary to provide support, troubleshoot issues, maintain security, investigate misuse, comply with legal obligations, or operate the service.

5.5 To Communicate With You

We may use contact details to send:

  • account notices;
  • security alerts;
  • billing notices;
  • service updates;
  • support responses;
  • legal or policy updates;
  • product updates;
  • marketing communications, where permitted by law.

You can opt out of marketing emails at any time. You cannot opt out of essential service, security, billing or legal communications.

5.6 To Comply With Legal Obligations

We may use and retain personal data where necessary to:

  • comply with tax, accounting and company law obligations;
  • respond to lawful requests;
  • comply with court orders or regulatory requirements;
  • establish, exercise or defend legal claims;
  • keep legally required records.

6. Lawful Bases for Processing

Where UK GDPR or EU GDPR applies, we rely on different lawful bases depending on the purpose of processing.

| Purpose | Lawful basis |
| --- | --- |
| Creating and managing your account | Contract |
| Providing access to Floxa features | Contract |
| Managing subscriptions and billing | Contract and legal obligation |
| Processing payments through Stripe or Stripe Connect | Contract, legitimate interests and/or legal obligation |
| Keeping tax, accounting and financial records | Legal obligation |
| Customer support | Contract and legitimate interests |
| Security monitoring and fraud prevention | Legitimate interests |
| Product improvement and internal operational statistics | Legitimate interests |
| Website analytics using Google Analytics | Consent |
| Non-essential cookies | Consent |
| Marketing communications | Consent or legitimate interests, depending on the context and applicable law |
| Legal claims and dispute handling | Legitimate interests and/or legal obligation |
| Processing customer-controlled data on behalf of customers | Processor activities carried out under customer instructions |

Our legitimate interests include operating, securing, improving and protecting Floxa, supporting customers, preventing misuse, managing our business responsibly, and enforcing our rights.

Where we rely on consent, you may withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn.

7. How We Share Personal Data

We do not sell personal data.

Floxa shares limited personal data with service providers only where necessary to provide, secure, support, analyse, bill for, or improve the service.

7.1 Service Providers and Subprocessors

We may share personal data with trusted service providers who help us operate Floxa.

Our main service providers include:

| Provider | Purpose |
| --- | --- |
| AWS London | Hosting, infrastructure, database and backups |
| Mailgun EU region | Email delivery |
| Stripe / Stripe Connect | Subscription billing and connected account invoice payments |
| Google Analytics | Marketing website analytics after cookie consent |
| Support Stream | Support tickets, issue tracking and customer support management |
| Google Play / Android services | Android app distribution and platform services |
| Apple App Store / Apple services | iOS app distribution and platform services |

Mailgun is configured to the EU region and is covered by a Data Processing Agreement.

Support Stream is used to manage customer support requests, issue reports and related communications. Support Stream is operated by a related provider and is covered by a Data Processing Agreement.

Service providers are only permitted to process personal data for specified purposes and must protect it appropriately.

7.2 Legal and Regulatory Disclosures

We may disclose personal data where required or permitted by law, including to:

  • courts;
  • regulators;
  • law enforcement;
  • tax authorities;
  • government bodies;
  • professional advisers.

7.3 Business Transfers

If Floxa is involved in a merger, acquisition, investment, restructuring, sale of assets or similar business transaction, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

7.4 Customer-Controlled Sharing

Where a customer uses Floxa to invite team members, upload documents, generate records, issue invoices, manage projects, communicate with third parties, or connect external services such as Stripe Connect, personal data may be shared according to the customer's actions and account settings.

8. International Transfers

Floxa Ltd is based in the United Kingdom.

Floxa's main production data is hosted in the United Kingdom using AWS London infrastructure.

Personal data may also be processed in the United Kingdom, European Economic Area and other countries where our service providers operate.

Where personal data is transferred internationally, we will use appropriate safeguards where required by law. These may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or other lawful transfer mechanisms.

9. Data Retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Our retention periods are set out below:

| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Customer Data entered into the platform, including customer-created invoices, expenses, receipts, documents and business records | While the account is active; after a valid deletion request, deleted or anonymised within 14 days unless retention is legally or operationally required | Providing the service; customer-controlled data; deletion rights |
| Backup copies | Up to 30 days | Service restoration and business continuity; automatically overwritten or deleted |
| Floxa billing, subscription, payment, tax and accounting records | Up to 6 years from the end of the relevant financial year, or longer where required by law | UK company, tax, VAT and accounting obligations |
| Security and audit logs | Limited period, based on security need | Fraud prevention, security, abuse prevention, auditability and service integrity |

Backup copies are not actively used except for restoration, business continuity, security or legal purposes.

10. Account Deletion

Users can request deletion of their Floxa account and associated personal data at:

https://floxa.co.uk/account-deletion

Users may also request deletion by contacting:

privacy@floxa.co.uk

Where available, users may request deletion through their account settings.

When we receive a valid deletion request, we will delete or anonymise applicable personal data within 14 days unless retention is legally or operationally required. Backup copies may remain for up to 30 days before being automatically overwritten or deleted. Floxa billing, subscription, payment, tax and accounting records may be retained for up to 6 years to comply with UK company, tax, VAT and accounting obligations. See Section 9 for full retention details.

If personal data was entered into Floxa by one of our business customers, we may need to refer the request to that customer or act on their instructions.

11. Security

We use appropriate technical and organisational measures designed to protect personal data.

These measures may include:

  • encryption in transit using HTTPS/TLS;
  • password hashing;
  • access controls;
  • secure authentication and session management;
  • role-based permissions;
  • multi-tenant data isolation;
  • logging and monitoring;
  • backups;
  • least-privilege access controls;
  • security review of key systems.

No online service can guarantee absolute security. Users are responsible for keeping their login details secure and for managing access within their own organisation.

12. Cookies

We use cookies and similar technologies to operate, secure and improve Floxa.

Essential cookies are used for:

  • login and authentication;
  • session management;
  • account security;
  • fraud prevention;
  • remembering essential preferences.

Floxa uses Google Analytics on the marketing website only after the user gives cookie consent.

Users may reject analytics cookies without losing access to essential Floxa functionality.

For more information, see our Cookie Policy:

https://floxa.co.uk/cookies

13. Mobile App Data Safety

Our Google Play and Apple App Store privacy disclosures are intended to match the data practices described in this Privacy Policy.

The Floxa mobile app may process:

  • account information;
  • app usage and technical information;
  • uploaded receipts, photos, documents and files chosen by the user;
  • device and app diagnostics;
  • support communications;
  • authentication and security data.

The Floxa mobile app may request camera and photo/file access where needed to allow users to upload receipts, photos, documents, attachments or other files into the platform.

Floxa does not request location, contacts, calendar, microphone or push notification permissions at launch.

Floxa does not use external crash or error monitoring at launch. If we introduce a crash or error monitoring provider later, we will update this Privacy Policy and relevant app disclosures before or when that provider is introduced.

Floxa does not use push notifications at launch. If push notifications are introduced later, this Privacy Policy and relevant app disclosures will be updated.

14. Artificial Intelligence

Floxa does not use AI features to analyse customer data at launch.

If AI features are introduced later, we will update this Privacy Policy and relevant app disclosures before or when those features are made available.

Floxa does not currently use personal data to make solely automated decisions that produce legal or similarly significant effects on individuals.

15. Marketing

We may send marketing communications to business users where permitted by law.

You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting:

privacy@floxa.co.uk

We will still send essential service, billing, security and legal communications where necessary.

16. Your Data Protection Rights

Depending on where you are located and which data protection laws apply, you may have rights in relation to your personal data.

These may include the right to:

  • access your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion of your personal data;
  • request restriction of processing;
  • object to processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • complain to a data protection authority.

To exercise your rights, contact:

privacy@floxa.co.uk

We may need to verify your identity before responding to a request.

If your personal data was entered into Floxa by one of our business customers, we may refer your request to that customer or handle it according to their instructions.

17. Children's Privacy

Floxa is intended for business users aged 18 or over.

Floxa is not directed at children and we do not knowingly collect personal data from children.

If we become aware that a child has provided personal data to us, we will take appropriate steps to delete it.

18. Complaints

If you are in the United Kingdom, you have the right to complain to the Information Commissioner's Office, the UK data protection regulator.

You can contact the ICO through its website or by using the contact details published by the ICO.

We would appreciate the opportunity to address your concerns first, so please contact us at:

privacy@floxa.co.uk

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

If we make significant changes, we may notify users by email, in-app notice, website notice, or another appropriate method.

The "Last updated" date at the top of this Privacy Policy shows when it was last changed.

20. Contact Us

For privacy questions, data protection requests, or complaints, contact:

Floxa Ltd

Company number: 16971343

Registered office: 5 Ystrad Close, Johnstown, Carmarthen, Wales, SA31 3PE

Email: privacy@floxa.co.uk