Privacy Policy
Last updated: March 1, 2026
Effective Date: March 1, 2026
1. Who We Are
CARDIGITAL FZCO, trading as InFlow AI, is a company registered at the International Free Zone Authority (IFZA), Dubai Silicon Oasis, Dubai, United Arab Emirates, under Trade License No. 15150.
InFlow AI provides a software-as-a-service (SaaS) platform for automated accounts receivable (AR) communications. We help businesses streamline payment collection through intelligent, multi-channel communication with their debtors.
Contact: a@inflowai.ai
2. Scope of This Policy
This Privacy Policy explains how InFlow AI collects, uses, stores, and protects personal data in connection with our website (inflowai.ai) and platform. This policy applies to:
- Our Clients — businesses that use the InFlow AI platform (account holders);
- End Users / Data Subjects — individuals (debtors) whose personal data is processed through the platform on behalf of our Clients.
With respect to End User data, InFlow AI acts as a Data Processor on behalf of our Clients, who are the Data Controllers under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL").
3. What Data We Collect
3.1 Client Account Data (Controller)
When you register for and use InFlow AI, we collect:
- Company name, address, and registration details
- Contact person name and email address
- Billing and payment information (processed via Stripe)
- Account credentials (email and hashed password)
- Usage and analytics data
3.2 End User Data (Processor)
Our Clients upload personal data of their debtors for automated AR communications. This data may include:
- Full name
- Email address
- Phone number
- Outstanding debt amount and invoice details
- Payment history
- Communication history (messages, delivery status, responses)
- WhatsApp identifiers
InFlow AI processes this data solely on behalf of and under the instructions of our Clients. We do not independently determine the purposes of processing End User data.
4. How We Use Data
4.1 Client Data
- Providing, maintaining, and improving the InFlow AI platform
- Account management and customer support
- Billing and invoicing
- Communicating service updates and product information
- Compliance with legal obligations
4.2 End User Data
- Delivering automated AR communications (email, SMS, WhatsApp) on behalf of Clients
- Tracking message delivery and debtor engagement
- Providing analytics and reporting to Clients
- Facilitating payment processing
5. Legal Basis for Processing
We process personal data on the following legal grounds under the UAE PDPL (Articles 4–5):
| Data Type | Legal Basis |
|---|---|
| Client account data | Contractual necessity — required to perform our services under the service agreement |
| Billing data | Contractual necessity and legal obligation |
| End User data | Processor basis — processed under Client's instructions; the Client is responsible for establishing a lawful basis (e.g., legitimate interest in debt recovery, contractual obligation) |
| Usage analytics | Legitimate interest — improving our platform and services |
6. Data Sharing and Sub-processors
We share personal data only as necessary to provide our Services and with the following categories of recipients:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting and authentication | EU (Frankfurt, Germany) |
| Resend Inc. | Transactional email delivery | United States |
| Twilio Inc. | SMS delivery | United States |
| Stripe Inc. | Payment processing | United States / EU |
| Meta Platforms Inc. | WhatsApp Business API message delivery | United States / EU |
We may also disclose personal data where required by law, court order, or regulatory request.
7. Data Retention
- Client account data: Retained for the duration of the service relationship and for 2 years thereafter for legal and accounting purposes.
- End User data: Retained for 2 years after full payment of the associated debt, or as instructed by the Client, whichever is shorter. Upon expiry, data is securely deleted.
- Billing records: Retained as required by applicable tax and commercial laws (minimum 5 years).
- Audit logs: Retained for 12 months.
Clients may request earlier deletion of End User data at any time, subject to any legal retention obligations.
8. Data Subject Rights
Under the UAE PDPL (Articles 12–18), Data Subjects have the following rights:
- Right of Access (Article 12) — obtain confirmation of whether your data is being processed and access a copy
- Right to Rectification (Article 13) — correct inaccurate or incomplete data
- Right to Erasure (Article 14) — request deletion of your data in certain circumstances
- Right to Restrict Processing (Article 15) — limit how your data is used
- Right to Data Portability (Article 16) — receive your data in a structured, machine-readable format
- Right to Object (Article 17) — object to processing based on legitimate interest
For End Users (debtors): As InFlow AI acts as a Data Processor, Data Subject requests regarding End User data should be directed to the relevant Client (Data Controller). If we receive a request directly, we will promptly forward it to the appropriate Client.
For Clients: Please contact us at a@inflowai.ai to exercise your rights.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal data, as required by Article 28 of the UAE PDPL, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control with multi-factor authentication
- Row Level Security (RLS) for tenant data isolation
- Comprehensive audit logging
- Regular security assessments
- Automated daily backups with point-in-time recovery
- Incident response procedures with 72-hour breach notification
10. International Data Transfers
Personal data is primarily stored in the European Union (Supabase, Frankfurt, Germany). Some Sub-processors may process data in the United States or other jurisdictions.
Where personal data is transferred outside the UAE, we ensure appropriate safeguards are in place in accordance with Article 22 of the UAE PDPL, including contractual protections, adequacy assessments, and technical security measures.
11. Cookies and Tracking
InFlow AI uses minimal cookies, limited to:
- Authentication cookies — essential for maintaining your logged-in session
- Security cookies — CSRF protection and session management
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No consent banner is required as our cookies are strictly necessary for the operation of the service.
12. Children's Data
InFlow AI is a business-to-business platform and is not directed at individuals under the age of 18. We do not knowingly collect or process personal data of children. If we become aware that we have inadvertently collected data of a minor, we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised "Last Updated" date
- Sending email notification to registered Clients for material changes
Continued use of the platform after changes constitutes acceptance of the updated policy.
14. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data processing practices:
CARDIGITAL FZCO (InFlow AI)
IFZA, Dubai Silicon Oasis
Dubai, United Arab Emirates
Email: a@inflowai.ai
Website: inflowai.ai
15. UAE PDPL Compliance
This Privacy Policy has been prepared in compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations. InFlow AI is committed to upholding the data protection principles established under the UAE PDPL, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
Data Subjects may lodge a complaint with the UAE Data Office if they believe their rights under the UAE PDPL have been infringed.