Flow CX Privacy Policy

Last Updated: April 01, 2020


This privacy notice addresses the data Flow CX (Flow) collects to provide our SaaS platform and services to our clients. Clients use this platform to collect customer feedback through different channels, including surveys and integrations with other platforms. Flow also provides reporting applications that allow our clients to view and analyze the collected feedback.

In our privacy notice, we use the following terms:

What Data We Collect and How We Collect It

Flow’s and our Clients’ Roles in Data Collection. In providing the Flow CX Solution to our clients, Flow collects data only according to our clients’ instructions. Our clients specify what customers we should contact to provide feedback, when we should contact them, how we should contact them (for example, email or SMS), how often we should send them reminders to provide feedback, and what questions are asked. Flow’s clients also decide whether to use inbound or outbound data integrations, and how to use or respond to feedback that is collected.

Flow enters into agreements with our clients that legally obligate Flow to protect data we receive or are directed to collect, and use it only to provide the products and services specified by the client. Under many data protection laws, including those in Europe, Flow is considered a “data processor” to our clients, and our clients are considered “data controllers.” As data controllers, Flow clients are responsible for complying with laws that may require notice, disclosure or consent related to the transfer of data to Flow or its use in the Flow CX Solution.

Legal Basis for Processing. Flow clients provide instructions with regard to the upload, collection, transfer, and access of personal data in the Flow CX Solution. As such, Flow clients determine the legal basis they have for data processing. Flow clients can use legitimate interest or consent as a legal basis for processing personal data in the Flow CX Solution, although others may apply. For more information, refer to the privacy notice or communications of the Flow client.

Identity of the Data Controller. As data controllers, Flow clients are responsible for identifying themselves, where appropriate, in communications sent by the Flow CX Solution. For example, Flow survey invitations sent by email or SMS should identify the name of the Flow client who directs us to conduct the survey.

Web-based Surveys and Chat Communications. In web-based surveys offered by the Flow CX Solution, customers or employees receive a survey invitation and respond to the survey in a web interface. In addition, with the Flow CX Solution’s chat communication products, clients can communicate with their customers through SMS or other messaging applications. To send survey invitations or chat communications, Flow clients can, for example, provide the Flow CX Solution with customer names, email addresses, mobile phone numbers, social messaging handles, and information about the customers’ interactions with their business. In addition, Flow clients can provide the Flow CX Solution with information that segments customers into groups, such as the type of account the customer holds, the type of product or service purchased, or enrollment in a loyalty program.

When a respondent navigates to a Flow web-based survey or a chat communication, Flow collects the respondent’s IP address, the date and time the respondent accessed the survey, survey or chat responses (typically numerical scores and narrative text responses), how far the user has navigated in the survey, and the type of device and web browser the customer used to access the survey. In some surveys, clients also direct Flow to collect the geographical location of the customer’s device that is used to access the survey.

Integrations. Clients can integrate other tools, processes or platforms as inbound sources of data for the Flow CX Solution, such as CRM platforms or marketing tools. Flow clients control what data is stored in the Flow CX Solution from these integrations. For more information, refer to the privacy notice or the communications of the Flow client.

Clients can also configure the Flow CX Solution as an outbound source of data for other tools, processes, or platforms. Clients and any third parties associated with those tools, processes, or platforms are responsible for managing personal data outside the Flow CX Solution. For example, clients can configure surveys to prompt customers to write reviews on third-party websites. If a customer chooses to submit a review for publication on that third-party site, any information the customer provides on that site is governed by the privacy notice or communications of that site.

Flow Reporting Applications. Flow provides clients web-based applications that are used by employees of Flow clients to review and analyze customer feedback and other data collected in the Flow CX Solution (referred to as “reporting applications” in this notice). To provide their employees access to these applications, clients may send Flow employee names, identifiers (e.g., an employee ID), job title or function, and the store or business location they are associated with.

When an employee accesses a Flow reporting application, Flow collects the employee’s user name, IP address of the device used to access the reporting application, geographic area associated with the IP address, type of web browser and mobile device, time and date that the reporting application was accessed, and areas of the reporting application that were visited.

Information Flow Does Not Collect. Unless configured by a client to do so, the Flow CX Solution does not collect sensitive data, such as credit card numbers or government identification numbers, nor does it collect information defined as “sensitive personal data” under EU law, such as race, sexual orientation, or union membership.

How Personal Data is Used

By Flow and Partners. Flow uses personal data gathered in the Flow CX Solution to provide the SaaS platform and services for which the client has engaged Flow.

These uses can include contacting a client’s customers to provide feedback for web-based surveys, providing gathered feedback and assisting the customer in managing data in the Flow CX Solution, and analyzing the data gathered to improve the client’s business.

Flow Clients. Flow clients can use personal data collected in the Flow CX Solution to improve their customers’ experiences with their business. Clients can use Flow’s reporting applications to provide customer feedback to their employees. Clients can also perform analysis on customer feedback to prioritize and make operational changes to their business, and use personal data gathered in the Flow CX Solution to send follow-up communications to customers.

Who Accesses Personal Data

Flow Professional Services and Support. When a Flow client engages Flow’s professional services, Flow professional services employees can access personal data of that client to perform work associated with tasks described above. If there is a support request, troubleshooting issue, or technical error that requires access to personal data, Flow support staff who are needed to address the issue will access that data.

Access to personal data stored in the Flow CX Solution is provided using systems, procedures and controls approved by Flow’s security team. Access is provided only as long as needed to perform the necessary work.

Flow Clients. Flow clients can provide their employees access to the Flow CX Solution so that they can view and analyze gathered feedback. For more information, please contact the appropriate Flow client.


Flow maintains a comprehensive security program with appropriate organizational and technical security measures to protect data stored in the Flow CX Solution. We maintain industry-leading security practices. Such practices include storing data in Tier III, SSAE-16 and/or ISO 27001 certified data centers, hardening our systems according to industry best practices, segregating client data, continuously scanning and monitoring our network, and role-based access control.

Storage Period.

The data of a Flow client is retained in the Flow CX Solution until the termination of the client’s subscription, unless earlier deleted or modified per the client’s request.

Data Subject Rights.

The Flow CX Solution provides clients tools and processes for data modification, export, or deletion to address the needs of individuals in jurisdictions that provide individuals data subject rights. If you are an individual who wants to modify, access, or delete personal data associated with you in the Flow CX Solution, please contact the appropriate Flow client.

Opt Out and Withdrawal of Consent.

Flow offers its clients opt-out mechanisms to include in communications to individuals. Individuals who exercise an opt-out mechanism will be opted out of further communications for the relevant client for that communication channel.