Privacy Policy
Last updated: 2026-04-20
1. Who we are
This Privacy Policy describes how Flowly AI, operated by TOO Kenguru Group, registered at Zhibek Zholy 135, 7 floor, Almaty, Kazakhstan ("we", "us", or "Flowly"), collects and processes personal data.
Data Protection Officer contact: flowlyaialmaty@gmail.com.
2. Data we collect
Account data: email address, password hash, name, billing information.
Instagram channel data (when you connect an Instagram Business Account via Meta Login):
- Basic profile of the connected business account (username, display name) —
instagram_business_basicpermission - Direct message content (text, media URLs) between the connected account and end users —
instagram_business_manage_messagespermission - Profile data of end users who message the connected account (username, display name, profile picture URL) as delivered by Meta
Other channels (Telegram, WhatsApp): chat content, sender name and handle, media URLs, timestamps.
Usage data: request logs, IP addresses (for rate limiting), feature usage analytics.
3. Legal basis (GDPR Art. 6 / ZRK-152 RK)
- Contract performance (Art. 6(1)(b)) — providing the bot service you requested
- Legitimate interest (Art. 6(1)(f)) — fraud prevention, platform security
- Explicit consent (Art. 6(1)(a)) — collected at registration; separate consent for cross-border data transfer per ZRK-152 RK
4. Third parties with whom we share data
To operate the service, we transmit message content and related metadata to the following processors:
- OpenAI, Inc. (United States) — large-language-model inference for bot responses
- Anthropic, PBC (United States) — large-language-model inference for bot responses
- Google LLC (United States) — Gemini models (OCR for uploaded documents, LLM inference)
- DigitalOcean, LLC (Amsterdam, Netherlands) — infrastructure hosting (servers, databases)
- Qdrant (self-hosted on our infrastructure) — vector search for retrieval-augmented generation
- Resend, Inc. (United States) — transactional email delivery
- Chat platform providers (Meta / Telegram / WhatsApp) — as necessary to route messages
We do not sell personal data to third parties.
5. Cross-border data transfer
Our servers are physically located outside the Republic of Kazakhstan, in Amsterdam, Netherlands. The recipient jurisdiction provides adequate data protection under GDPR and related frameworks. In accordance with Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Their Protection" (ZRK-152), we obtain your explicit consent for cross-border transfer of your personal data at registration.
6. Retention
Chat history is retained for up to 12 months. Account data is retained for the duration of your account plus 30 days after closure. Audit records for data-deletion requests are retained indefinitely, as required under GDPR Article 5(2) accountability.
7. Your rights
Under GDPR and ZRK-152 RK, you have the right to:
- Access the personal data we hold about you
- Request erasure of your data (see Data Deletion)
- Export your data in a portable format
- Object to processing or withdraw consent
To exercise any right, contact flowlyaialmaty@gmail.com.
8. Security
Passwords are stored hashed (Argon2 primary, bcrypt fallback). OAuth tokens are encrypted at rest. All network traffic uses HTTPS/TLS.
9. Changes to this policy
Material changes will be communicated by email to account holders. The "Last updated" date at the top of this page reflects the latest revision.
10. Contact
Questions or complaints: flowlyaialmaty@gmail.com.