Privacy Policy
Last updated: February 11, 2026
1. Introduction
FlowForce ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the FlowForce B2B SaaS lead generation platform ("the Service").
This policy is prepared in compliance with the Personal Data Protection Act B.E. 2562 (2019) of the Kingdom of Thailand ("PDPA") and applies to all users of the Service regardless of location. Where you are located in a jurisdiction with additional data protection requirements (such as the EU/EEA under GDPR, or California under CCPA), the applicable provisions of those frameworks are addressed in the relevant sections below.
2. Data Controller
For the purposes of the PDPA and applicable data protection laws, FlowForce acts as the data controller of your personal data. You may contact us at:
- Email: support@flowforce.agency
- Website: flowforce.agency
3. Information We Collect
3.1 Information You Provide
- Account information: Your name, email address, and password when you create an account (or your Google profile information if you sign up via Google OAuth).
- ICP preferences: Your SaaS product description, target industries, regions, company size, technology stack requirements, competitor tools to displace, funding stage preferences, and decision maker titles that you configure for lead matching.
- Domain exclusions: Domains you add to your blocklist along with optional reasons.
- Lead feedback: Ratings (helpful / not helpful) and notes you provide on individual leads.
- Digest preferences: Your preferred timezone and delivery time for daily lead digests.
- Email account connections: When you connect your email account (Gmail, Outlook, or SMTP) for outreach, we store OAuth tokens or credentials securely to send emails on your behalf.
- Email sequences: Outreach email templates, sequence steps, and scheduling preferences you create for automated follow-ups.
- Team information: Email addresses of team members you invite to your organization.
3.2 Information Collected Automatically
- Authentication cookies: Essential cookies used for session management and authentication via Supabase.
- Device and browser information: Browser type, operating system, and IP address collected during your interactions with the Service.
- Usage data: Pages visited, features used, and interactions with lead data within the Service.
3.3 Payment Information
All payment processing is handled securely by Stripe. FlowForce does not store your credit card numbers or full payment card details. We store only:
- Your Stripe customer ID and subscription ID for billing management.
- A card fingerprint (a non-reversible identifier) used solely to enforce our one-free-trial-per-card policy.
3.4 Lead Data (Third-Party B2B Companies)
We collect and process publicly available information about third-party B2B companies for the purpose of providing ICP-matched lead discovery. This includes:
- Company names, website URLs, and domain information.
- Industry classification and geographic location.
- Technology stack (software, frameworks, tools in use) for fit signal matching.
- Company funding stage, growth indicators, and employee count where publicly available.
- Verified decision-maker contact information (names, job titles, business email addresses, LinkedIn profile URLs, and phone numbers) obtained from B2B data providers.
- Competitor tool usage and technology signals used to determine product-market fit.
This data is sourced from Apollo.io, a B2B company database, and publicly accessible business information. We use this data to match companies to your Ideal Customer Profile (ICP) and provide fit signals explaining why each lead is relevant to your SaaS product.
3.5 Outreach Email Tracking
When you send outreach emails through FlowForce, we collect:
- Email delivery status (sent, delivered, bounced).
- Email open tracking via pixel (when enabled).
- Link click tracking (when enabled).
- Reply detection and sentiment analysis.
This data is used to measure outreach effectiveness and optimize your email sequences. Recipients can opt out of tracking by disabling images in their email client.
4. Legal Basis for Processing
Under PDPA Section 24, we process your personal data based on the following legal grounds:
- Contract performance (Section 24(3)): Processing necessary to provide the Service you subscribed to, including account management, lead delivery, and email digests.
- Legitimate interest (Section 24(5)): Improving the Service through aggregate usage analytics, preventing fraud and abuse (e.g., one-trial-per-card enforcement), and ensuring the security of the platform.
- Consent (Section 19): Where required, such as for optional marketing communications or features that process data beyond what is necessary for the core Service.
- Legal obligation (Section 24(6)): Processing required to comply with applicable laws, such as maintaining financial records or responding to lawful requests from authorities.
5. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service, including matching B2B companies to your ICP and delivering daily qualified lead lists with fit signals.
- Process payments and manage your subscription through Stripe.
- Send daily email digests containing your matched leads via Resend.
- Generate AI-powered outreach angle suggestions using OpenAI, personalized based on each lead's fit signals and your product description. Only anonymized business and signal data is sent to OpenAI — no personal user data is included.
- Send outreach emails on your behalf when you connect your email account and initiate email sequences.
- Track email engagement (opens, clicks, replies) to help you measure and optimize your outreach campaigns.
- Personalize your experience based on your ICP preferences and feedback.
- Communicate with you about your account, service updates, and support requests.
- Improve the Service through aggregate, anonymized usage analytics.
- Prevent fraud and enforce our Terms of Service, including detecting duplicate free trials through card fingerprint matching.
6. Third-Party Service Providers
We share your data with the following third-party service providers, each of which processes data solely for the purposes described:
- Supabase: Authentication, database hosting, and Row Level Security (RLS). Stores your account data, ICP configurations, and lead data. Servers located outside Thailand.
- Stripe: Payment processing and subscription management. Receives your payment information directly. Stripe is PCI DSS compliant.
- Resend: Email delivery service used to send daily digest emails and transactional emails. Receives your email address and name.
- OpenAI: AI model provider used to generate outreach angle suggestions. Receives only anonymized business data and signal data — no personal user information is shared.
- Google APIs (Gmail): Used for sending outreach emails on your behalf when you connect your Gmail account via OAuth. Only the permissions you explicitly grant are used.
- Vercel: Hosting provider for the FlowForce web application. Servers located outside Thailand.
- Render: Hosting provider for the FlowForce analysis engine. Servers located outside Thailand.
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
7. International Data Transfers
Your personal data is processed and stored on servers located outside the Kingdom of Thailand, including servers operated by Supabase, Vercel, and Render. In accordance with PDPA Section 28, we ensure that:
- The destination countries or organizations maintain adequate data protection standards.
- Appropriate safeguards are in place through service provider agreements that require our providers to protect your data to standards no less protective than those required by the PDPA.
- Transfers are necessary for the performance of the contract between you and FlowForce (PDPA Section 28(2)).
8. Data Retention
- Account data: Retained for as long as your account is active. If you cancel your subscription or your account is terminated, your personal data is retained for 90 days to allow for potential re-activation, after which it is permanently deleted.
- Lead data: Business data in the shared lead pool is retained indefinitely as it is compiled from publicly available sources and does not constitute personal data of our users.
- Payment records: Transaction records are retained as required by applicable Thai tax and accounting laws.
- System logs: Server and application logs are retained for up to 90 days for security and debugging purposes.
9. Your Rights Under the PDPA
Under the Personal Data Protection Act B.E. 2562 (2019), you have the following rights regarding your personal data:
- Right of access (Section 30): Request a copy of the personal data we hold about you and information about how it is processed.
- Right to data portability (Section 31): Request your personal data in a commonly used, machine-readable format.
- Right to object (Section 32): Object to the processing of your personal data in certain circumstances.
- Right to erasure (Section 33): Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
- Right to restriction (Section 34): Request that we restrict the processing of your personal data in certain circumstances.
- Right to rectification (Section 35): Request correction of inaccurate or incomplete personal data.
- Right to withdraw consent (Section 19): Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint: You have the right to file a complaint with the Personal Data Protection Committee (PDPC) of Thailand if you believe your personal data has been processed in violation of the PDPA.
To exercise any of these rights, please contact us at support@flowforce.agency. We will respond to your request within 30 days. We may request verification of your identity before processing your request.
10. Rights for EEA/UK Users (GDPR)
If you are located in the European Economic Area or the United Kingdom, you also have rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction, portability, and the right to object. Our legal bases for processing under GDPR mirror those described in Section 4 above.
To exercise your GDPR rights, contact us at support@flowforce.agency.
11. Cookies
We use essential cookies only for authentication and session management through Supabase. These cookies are strictly necessary for the Service to function and cannot be disabled.
We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party cookies for marketing purposes.
You can configure your browser to refuse all cookies, but doing so may prevent you from logging in and using the Service.
12. Security Measures
We implement industry-standard technical and organizational security measures to protect your personal data, including:
- Encrypted data transmission using TLS/SSL for all communications between your browser and our servers.
- Secure authentication managed by Supabase with JWT (JSON Web Token) session handling.
- Row Level Security (RLS) enforced at the database level to ensure users can only access their own data.
- Secure credential storage — passwords are hashed and never stored in plaintext.
- Stripe PCI DSS compliance for all payment data handling.
While we take reasonable precautions to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
13. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@flowforce.agency.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice within the Service at least 30 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
15. Contact Us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights under the PDPA or other applicable data protection laws, please contact us at:
- Email: support@flowforce.agency
- Website: flowforce.agency