Privacy Policy

This Privacy Policy describes how xoloflow (“we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you access or use our mobile application and related services (the “App”). This Privacy Policy is intended to comply with applicable U.S. privacy laws, the General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), where applicable.

By using the App, you acknowledge that you have read, understood, and agreed to this Privacy Policy.

1. Scope and Applicability

This Privacy Policy applies to personal information processed in connection with the App. It does not apply to third-party websites, applications, or services that may be linked to or accessible from the App.

2. Categories of Information We Collect

2.1 Personal Information Provided by Users

We may collect the following categories of personal information when voluntarily provided by you:

• Full name
• Email address
• Phone number
• Physical or billing address

Providing this information is optional; however, certain information may be required to generate invoices or business records at your request.

2.2 Usage and Operational Data

We process operational data necessary to provide the App’s functionality, including:

• Time tracking entries
• Task descriptions
• Invoice-related metadata
• App usage data strictly required for system operation

2.3 Information We Do Not Collect

We do not intentionally collect:

• Government-issued identification numbers
• Financial account or payment card information
• Biometric identifiers
• Uploaded files or document content
• Sensitive personal information as defined under applicable law

3. Client and Third-Party Data Responsibility

The App permits users to input information relating to their own clients or third parties for invoicing and record-keeping purposes.

Users acknowledge and agree that:

• They are solely responsible for the legality, accuracy, and appropriateness of any client or third-party information entered into the App.
• They represent and warrant that they have obtained all necessary rights, permissions, and lawful bases to collect and process such information.
• They shall not enter sensitive, regulated, or special-category data, including but not limited to health, financial, payment, or government-issued identifiers.

With respect to such client or third-party data, we act strictly as a data processor or service provider and process such information only on documented user instructions.

4. Purposes of Processing

We process personal information solely for the following purposes:

• Providing time tracking functionality
• Generating invoices and work documentation
• Enabling AI-assisted task descriptions
• Managing user accounts and authentication
• Maintaining security, stability, and integrity of the App
• Communicating essential service-related notices

We do not use personal information for advertising, behavioral profiling, or data brokerage.

5. AI-Assisted Features

The App includes optional AI-assisted features designed to assist users in drafting task descriptions.

• AI processing occurs exclusively to provide user-requested functionality.
• AI outputs are informational only and do not constitute legal, financial, tax, or professional advice.
• AI features do not involve automated decision-making producing legal or similarly significant effects.

6. Legal Bases for Processing (GDPR)

Where the GDPR applies, we process personal data on the following legal bases:

• Performance of a contract with the user
• User consent, where required
• Legitimate interests, including service improvement and security
• Compliance with legal obligations

7. Disclosure of Information and Third-Party Processing

We do not sell, rent, or share personal information for commercial purposes.

Personal information may be processed on our behalf by third-party service providers acting as processors or service providers, including:

• Cloud infrastructure and hosting providers
• Database and storage providers
• Security and system maintenance providers

Such providers process personal information solely under our instructions and are bound by contractual confidentiality, data protection, and security obligations.

8. International Data Transfers

The App is hosted and operated on servers located in the United States. If you access the App from outside the United States, your personal information may be transferred to, stored, and processed in the United States.

Where required by law, appropriate safeguards are implemented to protect such transfers.

9. Data Retention

We retain personal information only for as long as necessary to:

• Provide the App’s services
• Maintain active user accounts
• Comply with applicable legal, tax, or regulatory obligations
• Resolve disputes and enforce agreements

Upon account deletion, personal information is permanently deleted unless retention is required by law.

10. Account and Data Deletion

Users may request deletion of their account at any time through the App.

Upon deletion:

• The user account is permanently closed
• All associated personal, usage, and client data is permanently deleted

Deletion is irreversible.

For self-service deletion, use the in-app Settings → Delete account.

For details, see the Data Deletion page.

11. Data Security

We maintain reasonable administrative, technical, and organizational safeguards designed to protect personal information, including access controls, encryption where appropriate, and least-privilege access principles.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Children’s Privacy

The App is not intended for children under the age of 13. We do not knowingly collect personal information from children.

13. Your Privacy Rights

13.1 GDPR Rights (EEA Residents)

You may have the right to access, correct, delete, restrict, object to processing, request portability of your personal data, and lodge a complaint with a supervisory authority.

13.2 CCPA / CPRA Rights (California Residents)

You may have the right to know, access, correct, or delete personal information and to be free from discrimination for exercising your rights. We do not sell or share personal information.

14. Law Enforcement and Legal Disclosures

We may disclose personal information where required to comply with applicable law, legal process, or governmental request.

15. Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal information may be transferred as part of the transaction, subject to applicable privacy protections.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be effective upon posting with a revised “Last updated” date.

17. Contact Information

For privacy-related inquiries or requests:

Email: support@xoloflow.com