Privacy Policy

Welcome to Flow (hosted at flow.nanocon.in). Flow ("we", "our", or "us") is operated by Nanocon. We provide a cloud-based Customer Relationship Management (CRM) service, customer communication tools, lead ingestion pipelines (including automated integration with platforms like IndiaMART), and messaging services (including automated and direct WhatsApp dispatches).

We respect your privacy and are committed to protecting the Personal Data and Business Data you entrust to our platform. This Privacy Policy outlines what information we collect, how it is used, stored, and protected, and your rights concerning your data.

To provide, improve, and secure our CRM services, we collect the following categories of information:

Flow uses the collected data exclusively to run our service and assist your business in sales operations:

• To Provide Services: Creating and managing lead pipelines, updating conversation statuses, and tracking customer interactions.
• To Manage Integrations: Processing live WhatsApp webhooks, enabling two-way customer messaging from the browser dashboard, and automating greeting notifications to new leads.
• To Secure & Monitor: Executing Meta webhook signature verification, ensuring single-tenant data isolation through strict database RLS (Row Level Security), and locking concurrent manual sync processes.
• To Calculate Usage & Fees: Recording conversation windows (marketing, utility, authentication, service) in the ledger database to accurately evaluate Meta Cloud API baseline costs and platform markups.
• To Support & Improve: Responding to customer inquiries, tracking and repairing server latency, and improving platform usability.

We do not sell, rent, or trade your lead, business, or connection data. To operate Flow, we securely integrate with and transmit limited encrypted payload fragments to the following trusted third-party providers:

• Meta Platforms, Inc. (WhatsApp Cloud API): To dispatch template welcome messages and free-text replies, and to capture incoming customer messages and statuses via active webhooks.
• Supabase, Inc. (Database & Auth Infrastructure): Used to host our PostgreSQL database, manage secure authentication sessions, and handle application storage.
• Google LLC (Google OAuth): Utilized solely to enable fast, single-click sign-in and profile verification.
• Cloud Infrastructure & Payment Services: Hosting nodes (such as Vercel) to deliver rapid page responses, and secure payment processing APIs to manage premium SaaS subscription billing.

Flow is built from the ground up with data security in mind. We implement rigorous, industry-standard administrative, physical, and technical measures to protect your database assets:

• Symmetric Token Encryption: Meta WhatsApp access tokens and IndiaMART API keys are encrypted at rest using industry-grade symmetric cryptography algorithms (e.g., pgp_sym_encrypt with AES-256) using server-side secrets. They are decrypted in-memory only during dynamic outbound dispatches.
• Row Level Security (RLS): Every table in our database has RLS policy guards actively enabled. Unauthenticated anon users are strictly blocked at the database engine layer, isolating workspace contents completely.
• Encrypted Communications: All traffic is routed exclusively over TLS/HTTPS tunnels preventing interception, and webhooks undergo cryptographic HMAC-SHA256 signature verification prior to execution.

We believe in giving our users full control over their business credentials and customer data. Depending on your jurisdiction, you enjoy the following rights which can be exercised instantly in your user dashboard or by contacting support:

• Access & Export: You can view all imported lead payloads, usage ledger logs, and message histories at any time.
• Disconnection & Revocation: You can immediately disconnect your WhatsApp Business integration or IndiaMART API feeds from the Settings interface. Disconnection fully halts API calls and marks associated database credentials for removal.
• Deletion (Right to be Forgotten): You can request the permanent removal of your organization profile, lead databases, and messaging logs. Upon request, we will purge all data from active tables, subject only to valid statutory records compliance.

Flow utilizes essential cookies, local storage, and secure browser sessions to sustain your user authentication state, secure request channels, and remember dashboard filters (such as monthly lead views or custom date ranges).

We may also collect aggregate, fully anonymized diagnostic analytics to track server performance, detect compilation bugs, and measure page load latencies. We do not use tracking cookies for behavioral target marketing.

We retain your account info, connected lead history, usage ledgers, and WhatsApp logs only for as long as your workspace account remains active and registered.

Should you decide to close or deactivate your account, we will erase or permanently anonymize your data within thirty (30) days from our active server production databases, except where keeping specific information is required to satisfy tax audits, active commercial billing records, or federal statutory law.

If you have any questions, compliance requests, or concerns regarding this Privacy Policy or your data, please reach out to our dedicated legal and technical support channels: