Privacy Practices at FacilityFlow

Transparency is fundamental to trust. Understand exactly how FacilityFlow collects, uses, protects, and respects your data.

Our Privacy Principles

We only collect data necessary to provide our service. No excessive personal information, no unnecessary tracking.

Your data is used solely to provide FacilityFlow services. We never sell data or use it for unrelated purposes.

Our privacy policy is written in plain language. We tell you exactly what we collect and why.

Access, export, correct, or delete your data at any time. Your data belongs to you.

Privacy and security aren't afterthoughts—they're built into every feature we develop.

Account Information:- Information you provide when creating and managing your account.
- Data Types:
- - Name and email address
  - Job title and company name
  - Phone number (optional)
  - Profile photo (optional)
  - Password (encrypted, never stored in plain text)
  - Account preferences
- Purpose & Retention: Account creation, authentication, communication, support. Active account duration + 30 days after deletion request
Service Data (Customer Content):- Data you and your users enter into FacilityFlow for facility management purposes.
- Data Types:
- - Work orders and maintenance records
  - Asset and equipment information
  - Technician and staff details
  - Location and building data
  - Photos and documents
  - Comments and notes
- Purpose & Retention: Providing the FacilityFlow facility management service. Customer-controlled; deleted upon request or account termination
- Legal Basis: Contractual necessity (GDPR Art. 6(1)(b))
Usage & Analytics Data:- Information about how you use FacilityFlow, collected to improve our service.
- Data Types:
- - Feature usage patterns (aggregated)
  - Page views and session duration
  - Error logs (anonymized)
  - Performance metrics
  - Device and browser type
- Purpose & Retention: Service improvement, bug fixing, feature development. 12 months (aggregated/anonymized data retained longer).
- Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))

Essential Service Providers:- We work with carefully selected third parties to provide our service.
- Examples:
- - Microsoft Azure (cloud hosting)
  - Email delivery services (transactional emails)
  - Support platform (customer support tickets)
- Protections:
- - All bound by data processing agreements
  - Equivalent security and privacy obligations
  - Regular security assessments
  - Listed in our DPA sub-processor annex
Legal Obligations:- We may share data when required by law.
- Circumstances:
- - Valid legal process (subpoena, court order)
  - Regulatory compliance requirements
  - Protection of legal rights
- Protections:
- - We challenge overbroad requests
  - We notify customers when legally permitted
  - We share minimum necessary data
Business Transactions:- In the event of a merger, acquisition, or sale.
- Protections:
- - Advance notice to customers
  - Data protection obligations transfer to acquirer
  - Same or equivalent privacy protections maintained
  - Right to delete data before transfer
Authorized Sharing:- When you explicitly authorize us to share data.
- Examples:
- - Integrations you enable (e.g., connecting to other systems)
  - Support escalations to partners
  - Case study participation (with permission)
- Protections:
- - Clear consent request
  - Easy revocation of consent
  - Transparency about what's shared

Data Category:- Account data Retention Period:- Active account + 30 days After Deletion Request:- Deleted within 30 days
Data Category:- Service data (work orders, assets) Retention Period:- Customer-controlled After Deletion Request:- Deleted within 30 days
Data Category:- Backups Retention Period:- 30-day rolling retention After Deletion Request:- Purged within 60 days
Data Category:- Audit logs Retention Period:- 365 days After Deletion Request:- Anonymized, retained for compliance
Data Category:- Usage analytics Retention Period:- 12 months After Deletion Request:- Aggregated data retained
Data Category:- Support tickets Retention Period:- 3 years (legal requirement) After Deletion Request:- Anonymized after 3 years
Data Category:- Billing records Retention Period:- 7 years (tax compliance) After Deletion Request:- Required retention

Rights for All Users: Regardless of your location, FacilityFlow provides:
- Access to your personal data
- Ability to correct inaccurate data
- Data export in machine-readable format
- Account deletion upon request
- Opt-out from marketing communications
Additional Rights Under GDPR:
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to object to processing
- Right to lodge complaint with supervisory authority
- Right to withdraw consent
Additional Rights Under CCPA:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to say no to the sale of personal information
- Right to equal service and price
How to Exercise Rights:
- Submit a request through:
- - Privacy Request Form: facilityflow.app/privacy-request
  - Email: [email protected]
  - In-App: Settings > Privacy > Data Rights
- Response Time: Within 30 days (GDPR) or 45 days (CCPA)

Strictly Necessary Cookies:
- Purpose: Required for the website and application to function
- Examples: Authentication tokens, security cookies, preferences
- Consent Required: No (legitimate interest)
Functional Cookies:
- Purpose: Enhanced features and personalization
- Examples: Language preferences, saved settings
- Consent Required: Yes
Analytics Cookies:
- Purpose: Understanding how visitors use our site
- Examples: Page views, feature usage, performance
- Consent Required: Yes
- Tool: [Analytics Provider]
Marketing Cookies (if any):
- Purpose: Advertising and remarketing (limited use)
- Examples: Conversion tracking on our marketing pages
- Consent Required: Yes
- Note: Marketing cookies are NOT used in the application

Our privacy team is here to help. We respond within 24-48 hours.