Privacy Policy
Service: fflo
Effective date: To be set on publication
Version: 0.1 — DRAFT, pending legal review
Last updated: To be set on publication
1. Who we are
fflo is operated by BP Labs AU, a sole trader based in Melbourne, Australia (registration in process), trading in the Philippines as Blueprint Labs Business Consultancy Services (registration in process). In this Privacy Policy, "BP Labs", "we", "us", and "our" refer to BP Labs AU acting through these trading names. "You" refers to the individual using fflo.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have. It applies to fflo and the related websites, applications, and integrations we operate as part of the fflo service (collectively, the Service).
If you have any questions, contact us at privacy@bp-labs.tech.
2. Scope
This Policy applies to information we collect:
- when you create or use a fflo account;
- when you visit our public marketing pages or any individual fflo profile page (including pages we host on your behalf);
- when you communicate with us through the Service or by email;
- when you connect a third-party service to your fflo account;
- when you receive operational, transactional, or marketing communications from us in connection with the Service.
This Policy does not apply to third-party websites, services, or applications you choose to connect to fflo. Those are governed by the privacy policies of the relevant third party.
3. The information we collect
3.1 Information you give us
- Account and identity information. Name, email address, password (stored only as a hashed value we cannot read), profile handle, profile photo or headshot, role, professional credentials, years of experience, jurisdiction, and any biographical text you choose to publish.
- Billing information. Where you subscribe to a paid plan, our payment processor handles your card details; we receive only the data necessary to manage your subscription, such as your billing name, country, currency, plan, the last four digits of your card, billing-cycle status, invoice history, and any tax identifier you provide.
- Content and operational data you create in the Service. This includes contacts and lead information you upload or capture, scheduling and meeting data, content drafts, lead magnets, knowledge-base inputs you provide for personalisation, brand-kit details, voice samples, and any messages you send through the Service.
- Communications. Messages you send us (including the bodies and attachments of support requests, feedback, feature requests, and submissions sent through the in-app assistant), the channels you use, and the timestamps of those messages.
3.2 Information we collect automatically
- Usage and device data. Pages visited, features used, actions taken, approximate location (derived from IP address), browser type and version, operating system, device identifiers, language, time zone, and referrer URLs.
- Log data. Server logs that include IP addresses, request methods, request paths, response codes, response times, error stacks, and similar diagnostic information.
- Cookies and similar technologies. We use first-party cookies and similar technologies that are necessary to operate the Service (for example, to keep you signed in and to remember your theme preference). Where we use any non-essential cookies in the future, we will surface a separate cookie notice and request your consent where required.
3.3 Information from third parties
- Authentication providers. If you sign in using a third-party identity provider, we receive the identifiers, basic profile fields, and email address you authorise that provider to share.
- Calendar, communications, and content integrations. When you connect a calendar, email account, scheduling tool, social platform, contact list, file store, or analytics tool, we access only the scopes you authorise — typically read access to schedule availability, read/write access to send messages on your behalf, or specific files you select. You can disconnect these integrations at any time through the Service.
- Payment processor. We receive transaction status, currency, amount, processor-side identifiers, dispute and refund events, and tax-treatment metadata from our payment processor.
- AI service providers. When you use AI-powered features, we transmit prompts, conversation history, and selected context to our AI service providers; we receive their responses, token-usage counts, model identifiers, and any safety signals they return. See Section 4.
- Public sources. Where you operate a public profile page or listing, we may augment that page with information you have made publicly available elsewhere, such as a professional license number you have published on a regulator's website.
3.4 Sensitive information
We do not seek or require sensitive personal information such as health data, government-issued identification numbers, or biometric data to use the core Service. If a feature you choose to use requires that you provide such information (for example, an identity-verification step required by a regulator), the feature will explain what is collected, why, and where it is sent before you submit it.
4. How we use your information
We use your information to:
- create and maintain your account and authenticate your sessions;
- provide, operate, maintain, secure, and improve the Service, including the core features (contact management, scheduling, content drafting, lead-magnet generation, the in-app AI assistant, weekly content cycles, the public profile page, conversations, the lead inbox, and analytics) and any future features we add;
- generate AI-assisted output you request through the Service, by sending the relevant prompts and context to our AI service providers under appropriate confidentiality and processing terms;
- process payments, manage subscriptions, issue invoices, prevent and investigate fraudulent or abusive transactions, and comply with tax and accounting obligations;
- send transactional and operational communications (for example, sign-in links, password resets, billing receipts, security alerts, scheduled-meeting reminders, and important Service notices);
- respond to your support requests, feedback, and feature requests;
- analyse aggregate usage so we can prioritise improvements, identify regressions, and understand which features are working;
- detect, investigate, and prevent activity that violates our Terms of Service, our acceptable-use rules, or the law;
- comply with our legal, regulatory, contractual, audit, and reporting obligations;
- enforce our agreements and protect the rights, property, or safety of BP Labs, you, or others.
We will not use your information for materially different purposes without first updating this Policy and, where required by law, obtaining your consent.
5. Legal bases for processing
Where applicable law requires us to identify a legal basis (such as the EU/UK GDPR or analogous frameworks), we rely on the following:
- Performance of a contract. To provide the Service you have requested or to take steps before entering into a contract with you.
- Legitimate interests. To operate, secure, and improve the Service; to detect and prevent fraud or abuse; to communicate with you about your account; and to develop new features. We balance these interests against your rights and freedoms, and you may object as described in Section 9.
- Consent. Where we ask for it (for example, before sending non-transactional marketing emails or activating non-essential cookies). You can withdraw consent at any time.
- Legal obligation. Where we must process information to comply with a legal, regulatory, or court-ordered requirement.
In the Philippines, we process personal information in accordance with the Philippine Data Privacy Act of 2012 (R.A. 10173) and its implementing rules. In Australia, we process personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
6. AI-powered features
fflo includes features that use generative AI, including the in-app ask ffai assistant, AI-assisted content drafting, lead-magnet generation, brand-pillar and voice analysis, hero-copy and landing-page suggestions, and similar tools.
When you use these features:
- the inputs you submit, the relevant page context, and a window of recent conversation history may be transmitted to our AI service providers under processing agreements that prohibit the providers from using your data to train or improve their models without your consent;
- model responses, token-usage counts, and safety metadata are returned to us and stored against your account so we can show your conversation history, manage usage, and bill where applicable;
- you can clear or delete your AI conversation history at any time through the in-app controls, subject to the retention periods described in Section 11.
You should not paste regulated, classified, or highly sensitive information into the AI assistant unless you have a legitimate basis to do so and you accept the associated risks. AI output may be inaccurate, incomplete, or out-of-date, and must be independently verified before you rely on it for advice, marketing, compliance, or financial decisions.
7. Public information
Some information you provide is intentionally public or shared by design. This includes:
- the contents of your public fflo profile page (where enabled);
- the lead magnets, articles, or other content you publish through fflo;
- any post you share to a connected public platform.
You control what is published. We will not unilaterally publish identifiable information about you that has not been provided by you for that purpose.
8. How we share your information
We share information only as follows:
- With service providers and processors. We use third-party providers to host the Service, store data, send email and notifications, process payments, deliver AI-powered features, monitor and debug the Service, manage analytics, and similar operational functions. These providers act on our instructions under written agreements that require them to keep your information confidential and to use it only for the purposes we specify.
- With integrations you authorise. When you connect a third-party service, we share the data necessary to operate the integration. We share only the scopes you authorise, and we never sell your data to those providers.
- With recipients you direct us to send to. When you use the Service to send a message, schedule a meeting, share a profile link, or publish content, we send the relevant information to the recipients you have selected.
- For legal reasons. We may disclose information when we reasonably believe disclosure is required to comply with a law, regulation, legal process, or government request; to enforce our terms; to protect the rights, property, or safety of BP Labs, you, or others; or to investigate fraud, security, or technical issues.
- In a corporate transaction. If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or a portion of our assets, your information may be disclosed or transferred as part of that transaction. We will require any successor to honour the protections described in this Policy or to give you notice and a meaningful choice before applying a materially different policy to information collected before the transition.
We do not sell your personal information.
9. Your rights and choices
Subject to applicable law, you have the following rights:
- Access — to ask us what information we hold about you;
- Correction — to ask us to correct inaccurate or incomplete information;
- Erasure — to ask us to delete your information, subject to retention obligations described in Section 11;
- Portability — to receive an export of your information in a commonly used format;
- Restriction or objection — to ask us to stop or limit certain processing, including processing based on legitimate interests;
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing;
- Marketing opt-out — to unsubscribe from marketing communications using the link in any such email or by contacting us;
- Lodge a complaint — with the Office of the Australian Information Commissioner (oaic.gov.au) or the National Privacy Commission of the Philippines (privacy.gov.ph), or with the data-protection authority of your country of residence.
To exercise any of these rights, contact us at privacy@bp-labs.tech with enough information for us to verify your identity. We will respond within the period required by applicable law (and in any case within 30 days where no specific period applies).
10. Security
We use technical and organisational measures designed to protect your information, including encryption in transit, encryption at rest for our managed database, role-based access control, audit logging of administrative actions, and the principle of least privilege. No system is perfectly secure and we cannot guarantee the security of your information; you are also responsible for keeping your account credentials confidential and for the security of the devices and networks you use to access the Service.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities within the timeframes required by applicable law.
11. Data retention
We retain personal information for as long as we need it to provide the Service to you, plus a reasonable period afterwards to satisfy our legal, accounting, dispute-resolution, and audit obligations. In particular:
- Account information is retained while your account is active and for up to 24 months after closure, unless you ask us to delete it sooner or a longer retention period is required by law (for example, financial records under tax law).
- Content you create in the Service is retained while your account is active. On account closure, you can export your content and we will delete it within 90 days unless you ask us to delete it sooner or a longer retention period is required by law.
- AI conversation history can be cleared at any time from the in-app controls; otherwise it is retained for the life of your account.
- Billing records and invoices are retained for at least 7 years to comply with Australian and Philippine tax-record requirements.
- Audit logs and security records are retained for up to 24 months.
- Backup copies containing your information are retained for up to 35 days after deletion from primary systems.
If you ask us to delete your information, we will do so unless we are legally required to retain it. Where we are required to retain information, we will continue to keep it confidential and will not use it for any other purpose.
12. International transfers
We are based in Australia, our team includes members based in the Philippines, and we use service providers that may host or process information in Australia, the Philippines, the United States, the European Union, Singapore, and other jurisdictions. When we transfer personal information across borders, we take steps required by applicable law, which may include reliance on standard contractual clauses, the recipient's adequacy status, your explicit consent, or the necessity of the transfer to perform our contract with you.
You can ask us for more information about the safeguards we use by contacting privacy@bp-labs.tech.
13. Children
The Service is not directed to, or intended for, individuals under 18 years of age, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided personal information to us, please contact privacy@bp-labs.tech and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top and, where the changes are material, we will notify you in advance through the Service or by email. Your continued use of the Service after the effective date of an updated Policy means you accept the changes; if you do not accept them, you should stop using the Service and may close your account as described in Section 9.
We will keep prior versions of this Policy available on request.
15. How to contact us
For privacy questions, complaints, or to exercise any of the rights in Section 9:
- Email: privacy@bp-labs.tech
- Postal (Australia): BP Labs AU, Melbourne, Victoria, Australia
- Postal (Philippines): Blueprint Labs Business Consultancy Services, Manila, Philippines
We will route your request to the appropriate person and respond within the period required by applicable law.
This document is version 0.1 — a starting template prepared for legal review. It is not effective until reviewed by qualified counsel and published with an effective date.
fflo is operated by BP Labs AU (Melbourne) trading in the Philippines as Blueprint Labs Business Consultancy Services.