Legal
Privacy Policy
This Privacy Policy explains how FlowAgent handles personal information for our real estate CRM, AI email, AI voice, scheduling, and integration features.
Effective date: July 4, 2026
Legal review status: draft pending counsel review
Important draft notice
This policy is a version 1 operational draft for FlowAgent and is not a substitute for review by qualified privacy counsel. The legal entity name, physical mailing address, governing law posture, and final data protection language must be confirmed before production launch.
Who we are
FlowAgent provides software for real estate professionals to manage leads, communicate with prospects, schedule appointments, and use AI assisted email and voice workflows. In many cases, FlowAgent processes lead and client information on behalf of the real estate professional or brokerage using the service.
Information we collect
- Account information, such as name, email address, business mailing address, organization, team membership, login details, and profile settings.
- Lead and client information, such as names, emails, phone numbers, property preferences, budgets, notes, inquiry messages, source details, consent status, unsubscribe status, and do-not-call status.
- Communications content, including inbound and outbound emails, AI-generated draft or sent messages, call metadata, call recordings, transcripts, summaries, voicemail notes, and scheduling history when those features are used.
- Connected account and integration data, including OAuth tokens or API keys for Gmail, Outlook, Google Calendar, Outlook Calendar, Follow Up Boss, Vapi, Resend, Twilio, and similar services when connected by a user.
- Usage, device, and security information, such as IP address, browser and device details, request logs, error logs, audit events, and fraud or abuse signals.
- Billing information if paid plans are enabled. FlowAgent should use a payment processor and should not store full card numbers in the application database.
How we use information
- Provide, maintain, secure, and improve the FlowAgent service.
- Authenticate users, manage sessions, teams, permissions, support requests, and account settings.
- Capture, organize, and update leads and conversations for real estate professionals.
- Generate AI-assisted email drafts, automated replies, call scripts, call summaries, and lead summaries.
- Place or receive calls, send emails, schedule appointments, and sync calendar availability when enabled.
- Operate compliance controls, including unsubscribe handling, consent checks, quiet hours, DNC checks, recording disclosure prompts, Fair Housing review, abuse prevention, and security monitoring.
- Debug errors, monitor system health, prevent misuse, and comply with legal obligations.
AI, calls, and recordings
FlowAgent features may use AI providers to process lead messages, transcripts, notes, recordings, and CRM context in order to generate responses, summaries, classifications, and next-step recommendations. AI output can be inaccurate or incomplete, so users are responsible for reviewing settings, monitoring communications, and using appropriate human review where needed.
Voice features may record, transcribe, and summarize calls when enabled. FlowAgent includes disclosure prompts and compliance controls, but the customer remains responsible for confirming that its use of calling and recording features complies with applicable consent, disclosure, telemarketing, real estate, and privacy laws.
How we share information
We do not sell personal information in the ordinary sense. We share information with service providers and integrations as needed to run the product and as directed by our customers.
- Infrastructure and database providers, including Supabase and hosting providers.
- Voice and telephony providers, including Vapi and Twilio, when voice features are used.
- Email and notification providers, including Resend, Google, and Microsoft, when email or calendar features are used.
- AI model providers, including OpenAI or other configured providers, for AI-assisted processing.
- CRM integrations, including Follow Up Boss, when connected by a user.
- Monitoring, security, and error reporting providers, including Sentry when configured.
- Legal, compliance, safety, or business advisors when reasonably necessary.
- Authorities or third parties when required by law, to protect rights and safety, or to investigate abuse.
Google user data
When you connect a Google account, FlowAgent accesses Gmail messages and Google Calendar events only to provide the features you enable: reading and organizing lead conversations, sending replies you or your automation initiate, and syncing appointments and availability.
FlowAgent's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we do not use Google user data for advertising, we do not sell it, we do not allow humans to read it except with your consent, for security or abuse investigation, to comply with law, or where the data has been aggregated and anonymized, and we do not use Google user data to develop, improve, or train generalized AI or machine-learning models. AI features process message content only to provide the user-facing features described above.
Retention
We retain account, lead, communication, call, transcript, recording, integration, and log data for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain security. Customers should configure retention practices appropriate for their brokerage and legal obligations. A formal production retention schedule is listed as a follow-up item in the legal compliance plan.
Account deletion and compliance records
When a user deletes their FlowAgent account, we delete or disconnect their account, workspace data, CRM records, integrations, and authentication account where technically available. Some deletion may not immediately remove data from encrypted backups, provider logs, or third-party systems that follow their own retention schedules.
To prevent abuse, honor opt-out and do-not-contact requests, resolve disputes, and keep evidence of communication compliance, FlowAgent may retain a minimal account-deletion compliance record. We aim to keep it no longer than necessary for these purposes — generally up to about five years after deletion, and longer only where needed for an active dispute, investigation, or legal obligation — and we periodically delete records we no longer need. These records are designed to exclude lead names, email addresses, phone numbers, message bodies, transcripts, notes, and live account links.
The retained compliance record may include only limited fields such as a deleted account identifier, suppression or opt-out status, consent status and source, do-not-call status, timestamps, lead source, and a minimal call-recording reference where needed to show what happened. These records are not visible in the dashboard, are not used for sales or marketing, and are restricted to operator/admin access for compliance, security, dispute handling, or legal defense.
Your choices and rights
- Users can update account settings and disconnect supported integrations from the dashboard where available.
- Users can delete their account from profile settings. Account deletion removes workspace data while retaining only the limited compliance records described above where needed.
- Leads can use unsubscribe links or ask the real estate professional to stop automated follow-up.
- Privacy, access, correction, deletion, and opt-out requests can be sent to support@flowagentcorp.com.
- Some requests may need to be verified or routed to the real estate professional that controls the lead record.
- California, Colorado, Connecticut, Virginia, Utah, EEA, UK, and other residents may have additional rights depending on the applicable law and the role FlowAgent plays for the relevant data.
Security
FlowAgent uses technical and organizational safeguards designed to protect personal information, including session controls, CSRF protection, encrypted credentials, access controls, webhook verification where supported, logging, and operational monitoring. No system is perfectly secure, and customers should protect their own credentials, connected accounts, and team access.
Cookies and tracking
FlowAgent currently uses only strictly necessary cookies: a session cookie to keep you signed in and a CSRF token cookie to protect state-changing requests. We do not use advertising cookies, social media pixels, or third-party analytics cookies. Error monitoring (Sentry), when enabled, is configured not to attach personal information such as cookies, request bodies, or IP-based identity to events. If we add analytics or marketing tools later, we will update this policy and add appropriate consent controls first.
International use
FlowAgent is offered for real estate workflows in the United States and English-speaking Canada only, and is not intended for Quebec or the European Union, EEA, or United Kingdom. If users or leads access the service from outside the United States, personal information may be processed in the United States and other countries where our service providers operate. Cross-border transfer language should be finalized with counsel before intentionally targeting any other market.
Contact
Privacy requests and questions can be sent to support@flowagentcorp.com. Legal entity name and mailing address are pending final company review.