Last Updated: March 2026
This privacy notice for AIAGS Ltd d/b/a Inflowave ("Inflowave", "we", "us", or "our"), describes how and why we collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices.
If you do not agree with our policies and practices, do not use our Services.
For further inquiries, contact support@inflowave.io.
This summary provides key points from our privacy notice. You can find out more details by clicking the link associated with each key point or by using the TABLE OF CONTENTS below.
What personal information do we process?
When you visit, register, or use our Services, we process personal information such as contact details, usage logs, connected account data, calendar content, communication transcripts, analytics, demographic information, business data, and payment status.
See: WHAT INFORMATION DO WE COLLECT?
Do we process sensitive data?
We do not collect or process sensitive categories such as health, religious, biometric, political, or ethnicity data.
See: WHAT INFORMATION DO WE COLLECT?
Do we receive information from third parties?
Yes. We process data from connected platforms such as Instagram, Facebook, Google Calendar (read/write access), Zoom, and your usage of extensions or APIs.
See: WHAT INFORMATION DO WE COLLECT?
How do we process your information?
We process your information to provide and improve our Services, deliver CRM and automation features, recommend marketplace connections, train AI models only if explicitly introduced in the future and only with opt-in consent, and comply with security and legal requirements.
See: HOW DO WE PROCESS YOUR INFORMATION?
Do we share your information?
We only share data with service providers (e.g., hosting, payments, security monitoring, email delivery). We do not sell personal data.
See: WHEN AND WITH WHOM DO WE SHARE PERSONAL INFORMATION?
How long do we keep your data?
We retain data according to a category-based retention schedule (see Section 5), including up to 12 months for CRM data and longer where legally required.
See: HOW LONG DO WE KEEP YOUR INFORMATION?
How do we keep your information safe?
We maintain strong technical and organizational security controls (encryption, hashing, TLS, CSP, rate limiting, secret scanning, RLS, and SOC/ISO vendor compliance).
See: HOW DO WE KEEP YOUR INFORMATION SAFE?
Do we collect data from minors?
No. Users must be 18 or older.
See: DO WE COLLECT INFORMATION FROM MINORS?
What are your rights?
Depending on your location, you may have rights regarding accessing, deleting, correcting, restricting, or exporting your data.
See: WHAT ARE YOUR PRIVACY RIGHTS?
How can you exercise your rights?
Submit your request to: support@inflowave.io
In short: We collect personal information you voluntarily provide to us.
We collect personal information that you provide when you register, subscribe, connect accounts, participate in calls, upload content, interact with our platform, or communicate with us.
The personal information we collect includes, but is not limited to:
(full payment card details are stored by Stripe and not by Inflowave)
Sensitive Information.
We do not process sensitive information (such as health, religion, politics, biometric data, or protected classification data).
Payment Data.
Payments are processed by third-party providers including Stripe and CoinPayments (for crypto transactions). We only store whether you have paid and your subscription history. Full card or wallet information is never stored by Inflowave. For more on their policies, visit:
In short: We automatically collect certain device and usage information.
We collect logs and diagnostic data required for:
This includes:
Heatmaps and user journey recordings
We may use tools like Microsoft Clarity (on certain pages) for UX research. These recordings exclude social media message content and sensitive data fields.
When you connect third-party accounts, we may process relevant authorized data from:
| Integration | Purpose |
|---|---|
| Instagram/Facebook | Messaging access, analytics, automation, CRM enrichment |
| Google Calendar (Read/Write) | Scheduling content and events |
| Zoom | Joining, generating, or scheduling calls |
| API/Webhooks | Sending or receiving Inflowave CRM data |
We collect only data needed to provide our Services.
If you join our marketplace, you may choose what information to display publicly. This may include:
You control what is displayed and may remove marketplace visibility at any time.
In short: We process your information to operate our Services, deliver automation and analytics, improve user experience, ensure security, comply with legal requirements, and—only if you opt in—to train our AI systems.
We process your personal data for the following purposes:
This includes:
Including but not limited to:
Inflowave does not use customer conversations, CRM data, or social media messages to train artificial intelligence models by default.
If AI-based training or learning is introduced in the future:
Users may withdraw consent at any time without impacting their ability to use the platform.
If enabled by the user:
Marketplace participation is voluntary and revocable.
We may use information to send:
We may process data to:
This may include:
We may process personal information to:
We use server-side conversion tracking (Meta Conversions API and Google Analytics Measurement Protocol) to measure the effectiveness of our advertising. When you register for an account or complete a purchase, we send hashed, non-reversible identifiers (such as a SHA-256 hash of your email address) to Meta and Google from our servers. This does not use cookies or any client-side tracking technology.
The legal basis for this processing is:
Data sent server-side includes only: hashed email, hashed name (if provided), event type (e.g., "Purchase", "Registration"), transaction value, and a unique event identifier for deduplication. No browsing behavior, device fingerprint, IP address, or cookie data is transmitted.
You may opt out of marketing communications at any time.
We process information necessary for:
Including:
We may process information to:
In short: We process your personal information only when legally permitted.
To provide the Services requested by you, including:
Required for:
You may withdraw consent at any time.
Where processing is reasonably expected and does not override your rights, including:
Including tax, compliance, and regulatory retention requirements.
Such as preventing harm due to fraud, account hijacking, or malicious use.
In short: We only share information with service providers, regulatory authorities when required, and with marketplace participants if you choose to share.
| Category | Sub-Processor | Compliance |
|---|---|---|
| Database & Auth | Cloud database provider (AWS) | SOC 2 Type II, AES-256 |
| Secret Management | Cloud KMS provider | SOC 2, ISO 27001, FIPS 140-2 |
| Payment Processing | Stripe | PCI DSS Level 1 |
| Crypto Payments | CoinPayments | PCI compliant |
| Email Delivery | SendGrid (Twilio) | SOC 2 Type II, ISO 27001 |
| UX Analytics | Microsoft Clarity | GDPR compliant |
| Social Platform | Meta (Instagram/Facebook) | EU-US Data Privacy Framework |
| Calendar Integration | Google Calendar API | SOC 2, ISO 27001 |
| Video Conferencing | Zoom | SOC 2 Type II |
| Marketplace Connections | Only if user opts in | N/A |
If Inflowave is involved in a merger, acquisition, restructuring, financing, or sale of company assets, your information may be transferred as part of the transaction.
We do not sell personal data under any jurisdiction, including CCPA guidelines.
Your data is hosted in the following geographic locations:
| Infrastructure | Location | Purpose |
|---|---|---|
| Primary Database | **Canada** | Main data storage |
| Database Backups | **Poland (European Union)** | Encrypted geo-redundant backup |
| Database Backups | **Singapore** | Encrypted geo-redundant backup |
| Encryption Keys | **Cloud KMS (US)** | Secret management only |
Some of our service providers (including Meta, Stripe, Google, Zoom, and infrastructure providers) are located outside the United Kingdom and European Economic Area.
When we transfer personal data internationally, we rely on:
Canada benefits from an EU adequacy decision, while transfers to other countries (including the United States for Google Cloud secret management and Singapore for backups) are safeguarded by Standard Contractual Clauses and the UK Addendum.
These safeguards ensure your data receives the same level of legal protection regardless of where it is processed.
When you connect Instagram or Facebook, Inflowave processes data in accordance with Meta's Platform Terms and Data Protection Requirements.
You may revoke Inflowave's access to Meta platforms at any time through:
Meta is not responsible for how Inflowave processes your data after it is received through Meta APIs.
In short: We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Notice and to meet legal, tax, and regulatory obligations.
| Data Category | Retention Period |
|---|---|
| Instagram & Facebook messages | 12 months after account cancellation |
| CRM contacts, leads, pipelines | 12 months after account cancellation |
| Marketplace profiles & metrics | Until disabled or account deletion + 12 months |
| Platform analytics & usage logs | 24 months |
| Support tickets & chat transcripts | 3 months |
| Zoom, calendar, and meeting integration data | 3 months |
| Security, fraud & audit logs | As required for security and legal defense |
| Billing, invoicing, and tax records | 6 years (legal obligation) |
When the applicable retention period expires, data is either:
Backups are encrypted and automatically purged on a rolling basis and are never reintroduced into active systems after deletion.
In short: We implement organizational and technical safeguards that meet or exceed industry standards.
We classify all data by sensitivity level and apply protection controls accordingly:
| Classification | Examples | Protection |
|---|---|---|
| **Confidential** | OAuth tokens, API credentials, encryption keys | AES-256 Fernet encryption, secret manager only |
| **Internal** | User IDs, account metadata, token metadata | Encrypted at rest, access-controlled |
| **Customer** | Email, CRM data, messages, analytics | Encrypted at rest, tenant-isolated (RLS) |
| **Transient** | Meeting data, OAuth state, session tokens | Not persisted or deleted immediately after use |
In the event of a personal data breach:
Despite our safeguards, no method of transmission over the Internet is guaranteed completely secure.
In short: We do not knowingly collect or market to individuals under 18 years of age.
By using the Services, you represent and warrant that you are:
If we become aware that data has been collected from a child under 18:
1. We will deactivate the associated account, and
2. We will delete personal data from our systems within a commercially reasonable time.
If you believe a minor has provided data to Inflowave, contact: support@inflowave.io
In short: Depending on your location, you may have rights that give you more control over your data.
These rights may include the ability to:
You may exercise these rights at any time by contacting:
If we rely on consent to process your data, you may withdraw consent at any time. This withdrawal will not affect:
You may opt out of:
Note: We may still send transactional messages (e.g., receipts, security alerts).
If you request account deletion:
If you are located in the European Union, you also have the right to lodge a complaint with your local data protection authority or with the UK Information Commissioner's Office (ICO) as our lead supervisory authority.
Most browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature that signals a preference not to be tracked.
Currently, no uniform industry standard governs compliance with DNT signals; therefore:
We do not currently respond to Do-Not-Track signals.
If standards change, we will update this Privacy Policy accordingly.
In short: If you reside in California, Colorado, Connecticut, Utah, or Virginia, you have specific state-based privacy rights.
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, phone, IP, account identifiers | YES |
| Customer Records | Contact info, billing history | YES |
| Protected Class Data | Race, gender, religion, health | NO |
| Commercial Info | Transaction data, payment status | YES |
| Biometric | Fingerprints, facial recognition | NO |
| Internet Activity | Log data, analytics, interactions | YES |
| Geolocation | Approx. IP-based region | YES (approximate only) |
| Audio/Visual Data | Support recordings (if applicable) | YES |
| Professional Info | Brand ownership, niche, categories | YES |
| Education Info | Student records | NO |
| Inferences | Automated preference modeling | NO (unless consented) |
| Sensitive Personal Info | As defined by state laws | NO |
We do not sell personal data, including for advertising purposes.
We may use data with advertising platforms only to target businesses, not individuals.
You may have the right to:
Email: support@inflowave.io
We may require identity verification to prevent unauthorized actions.
Residents of Canada, Australia, New Zealand, and South Africa have certain privacy rights under their respective national laws, including rights to:
Contact: support@inflowave.io
We will respond in accordance with applicable regulations.
In short: Yes, we update this notice as needed to remain legally compliant.
We may notify you directly of significant changes by:
Google Calendar Integration
InflowaveAI uses Google OAuth 2.0 to access Google Calendar data with user authorization.
With user permission, InflowaveAI may:
The application only accesses calendar events belonging to the authenticated user.
Use of Google Calendar Data
Google Calendar data is used solely to provide appointment scheduling and calendar management functionality.
We may store limited appointment-related information necessary to operate the service, such as event ID, date/time, title, and associated lead information. We do not use Google Calendar data for advertising purposes.
Google Calendar data is retained only as long as necessary to provide the service and may be deleted upon user request.
Revoking Access
Users may revoke Google Calendar access at any time via their Google Account permissions page.
Users may request deletion of their data by contacting: support@inflowave.io
Google API Compliance
InflowaveAI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
For more information, please review our related policies:
You may contact us for data requests, questions, or complaints at:
Email: support@inflowave.io
Legal Entity: AIAGS Ltd
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Phone: +44 744 533 4361 (for business/legal inquiries)
In accordance with Article 37 of the UK GDPR and EU GDPR, Inflowave has appointed a Data Protection Officer:
Mateusz Kielbasa
Email: matt@inflowave.io
The DPO is responsible for overseeing compliance with data protection laws and is the primary contact point for supervisory authorities and users regarding privacy matters.
You may request to:
Submit a request to: