Privacy Policy
Last updated: February 2026
Contact
support@xoloflow.com
This Privacy Policy describes how XoloFlow ("we," "us," or "our") collects, uses, discloses, and safeguards information when you access or use our mobile application and related services (the “App”). This Privacy Policy is intended to comply with applicable U.S. privacy laws, the General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), where applicable.
By using the App, you acknowledge that you have read, understood, and agreed to this Privacy Policy.
1. Scope and Applicability
This Privacy Policy applies to personal information processed in connection with the App. It does not apply to third-party websites, applications, or services that may be linked to or accessible from the App.
2. Categories of Information We Collect
Personal information is collected directly from users through manual entry within the App and through user-initiated interactions with App features.
2.1 Personal Information Provided by Users
We may collect the following categories of personal information when voluntarily provided by you:
- Full name
- Email address
- Phone number
- Physical or billing address
Providing this information is optional; however, certain information may be required to generate invoices or business records at your request.
2.2 Usage and Operational Data
We process operational data necessary to provide the App’s functionality, including:
- Time tracking entries
- Task descriptions
- Invoice-related metadata
- App usage data strictly required for system operation
2.3 Information We Do Not Collect
We do not intentionally collect:
- Government-issued identification numbers
- Financial account or payment card information
- Biometric identifiers
- Uploaded files or document content
- Sensitive personal information as defined under applicable law
3. Client and Third-Party Data Responsibility
The App permits users to input information relating to their own clients or third parties for invoicing and record-keeping purposes.
Users acknowledge and agree that:
- They are solely responsible for the legality, accuracy, and appropriateness of any client or third-party information entered into the App.
- They represent and warrant that they have obtained all necessary rights, permissions, and lawful bases to collect and process such information.
- They shall not enter sensitive, regulated, or special-category data.
With respect to such client or third-party data, we act strictly as a data processor or service provider and process such information only on documented user instructions.
4. Purposes of Processing
We process personal information solely for the following purposes:
- Providing time tracking functionality
- Generating invoices and work documentation
- Enabling AI-assisted task descriptions
- Managing user accounts and authentication
- Maintaining security, stability, and integrity of the App
- Communicating essential service-related notices
We do not use personal information for advertising, behavioral profiling, or data brokerage.
5. AI-Assisted Features and Third-Party AI Processing
The App includes optional AI-assisted features that allow users to generate or refine task descriptions based on information manually entered by the user.
5.1 Data Sent to AI Services
When a user explicitly chooses to use an AI-assisted feature, the following data may be transmitted to a third-party AI service:
- User-provided time entry, expense, invoice summary, and invoice line-item descriptions
- Related project and client names used as context for the requested suggestion
- Invoice line-item details (such as quantity, unit price, amount, and currency) included by the user
The App does not transmit:
- Account passwords
- Email addresses
- Phone numbers
- Payment card numbers or bank account credentials
- Payment, billing, or financial account information
5.2 AI Service Provider
AI processing is performed by OpenAI, L.L.C., acting as a data processor and service provider. OpenAI processes data solely to provide AI-generated outputs requested by the user and does not use such data to identify users or for advertising purposes.
5.3 User Consent
AI-assisted processing only occurs after the user provides explicit consent within the App before first use. Users may withdraw consent at any time through the App’s settings, which will immediately disable AI-assisted processing until consent is provided again.
5.4 No Automated Decision-Making
AI-assisted features do not involve automated decision-making that produces legal or similarly significant effects under applicable law. AI-generated content is informational only and does not constitute legal, tax, financial, or professional advice.
6. Legal Bases for Processing (GDPR)
Where the GDPR applies, we process personal data on the following legal bases:
- Performance of a contract with the user
- User consent, where required
- Legitimate interests, including service improvement and security
- Compliance with legal obligations
7. Disclosure of Information and Third-Party Processing
We do not sell or share personal information for advertising or data brokerage purposes.
Personal information may be processed on our behalf by third-party service providers acting as processors or service providers, including:
- Cloud infrastructure and hosting providers
- Database and storage providers
- Security and system maintenance providers
- AI service providers used solely to deliver user-requested AI-assisted features
All such providers are contractually obligated to process personal information only under our instructions and to provide data protection safeguards equal to or greater than those required under applicable law.
8. International Data Transfers
The App is hosted and operated on servers located in the United States. If you access the App from outside the United States, your personal information may be transferred to, stored, and processed in the United States.
Where required by law, appropriate safeguards are implemented to protect such transfers.
9. Data Retention
We retain personal information only for as long as necessary to provide the App’s services, maintain active user accounts, comply with applicable legal obligations, resolve disputes, and enforce agreements.
Upon account deletion, personal information is permanently deleted unless retention is required by law.
10. Account and Data Deletion
Users may request deletion of their account at any time through the App.
Upon deletion, the user account is permanently closed and all associated personal, usage, and client data is permanently deleted.
Deletion is irreversible.
11. Data Security
We maintain reasonable administrative, technical, and organizational safeguards designed to protect personal information, including access controls, encryption where appropriate, and least-privilege access principles.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Children’s Privacy
The App is not intended for children under the age of 13. We do not knowingly collect personal information from children.
13. Your Privacy Rights
13.1 GDPR Rights (EEA Residents)
You may have the right to access, correct, or delete your personal data, to restrict or object to its processing, to request portability of your personal data, and to lodge a complaint with a supervisory authority.
13.2 CCPA / CPRA Rights (California Residents)
You may have the right to know, access, correct, or delete personal information and to be free from discrimination for exercising your rights. We do not sell or share personal information.
14. Law Enforcement and Legal Disclosures
We may disclose personal information where required to comply with applicable law, legal process, or governmental request.
15. Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, personal information may be transferred as part of the transaction, subject to applicable privacy protections.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be effective upon posting with a revised “Last updated” date.
17. Contact Information
For privacy-related inquiries or requests:
Email: support@xoloflow.com