Privacy Policy

FlowForge Labs ("we," "our," or "us") operates the website flowforgelabs.in and provides SaaS products for businesses in India. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our products, in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 ("IT Act"), and applicable rules thereunder.

By accessing our website or using our services, you consent to the collection and use of your information as described in this policy.

• Data Fiduciary: FlowForge Labs, the entity that determines the purpose and means of processing personal data.
• Data Principal: You, the individual whose personal data is being processed.
• Data Processor: Any entity that processes personal data on behalf of FlowForge Labs.
• Personal Data: Any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
• Processing: Any operation performed on personal data, including collection, storage, use, sharing, and deletion.

We may collect information in the following ways:

• Information You Provide: Name, email address, phone number, business name, and other details you submit through our contact forms, booking system, or product sign-up.
• Usage Data: Browser type, IP address, device information, pages visited, time spent on pages, and other diagnostic data collected automatically through server logs.
• Product Data: Data you input into our SaaS products (e.g., patient records in DentaFlow, purchase orders in SupplyFlow). This data is processed solely to provide the service.
• Cookies: We use essential cookies to ensure proper functionality. See our Cookie Policy for details.

Under the DPDP Act 2023, we process your personal data on the following lawful bases:

• Consent: You have given clear consent for us to process your personal data for a specific purpose.
• Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party (e.g., providing our SaaS services).
• Legitimate Uses: Processing is permitted for certain legitimate uses as specified under the DPDP Act, including compliance with legal obligations, responding to medical emergencies, and employment-related purposes.

• To provide, operate, and maintain our SaaS products
• To respond to your inquiries and provide customer support
• To process bookings and service requests
• To send transactional communications (e.g., booking confirmations, service updates)
• To improve our website and user experience
• To detect and prevent fraud or security incidents
• To comply with legal obligations under Indian law

We do not sell, trade, or rent your personal information to third parties. We may share data with:

• Service Providers: Trusted third-party services that assist in operating our platform (e.g., hosting providers, email delivery services, analytics tools), subject to data processing agreements.
• Legal Compliance: When required by law, court order, or government authority under Indian jurisdiction.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, with prior notice.

Your data is stored on secure servers provided by our infrastructure partners. We implement industry-standard security measures including:

• HTTPS encryption for all data in transit
• Encrypted database storage for sensitive information
• Role-based access controls for internal systems
• Periodic security reviews and vulnerability scanning (best-effort; no formal third-party audit at current scale)

While we take reasonable steps to protect your data as required under Section 43A of the IT Act and the DPDP Act, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy, or as required by applicable Indian law. Specifically:

• Account Data: Retained for the duration of your active subscription. On termination, retained for a reasonable wind-down period (typically up to 90 days) to support any export or migration requests.
• Product Data: Available for export on reasonable written request following account termination. After the agreed wind-down period, data is permanently deleted.
• Contact Form Submissions: Retained for up to 12 months unless a business relationship is established.
• Usage Data: Retained in anonymised form for analytics purposes.

Under the DPDP Act 2023, as a Data Principal, you have the following rights:

• Right to Access: Request a summary of your personal data being processed and the processing activities.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data when it is no longer necessary for the purpose it was collected.
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer or the Data Protection Board of India.
• Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to Withdraw Consent: Withdraw previously given consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact our Grievance Officer at the details provided below.

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete that information in accordance with the DPDP Act.

We use essential cookies to ensure proper functionality of our website. For detailed information about the cookies we use, their purpose, and how to manage them, please refer to our Cookie Policy.

Your data is primarily stored and processed within India. In cases where data may be transferred to servers outside India (e.g., through our cloud infrastructure providers), such transfers are made in compliance with the provisions of the DPDP Act and any rules notified by the Central Government regarding permissible jurisdictions.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will provide prominent notice via our website or email. Continued use of our services after changes constitutes acceptance of the updated policy.

In accordance with the DPDP Act 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the following person is designated as the Grievance Officer:

• Name: Parvez Mohammed
• Designation: Founder & Grievance Officer
• Email: hello@flowforgelabs.in
• Response Time: Within 72 hours of receiving a complaint.

If you have questions about this Privacy Policy, contact us at:

• Email: hello@flowforgelabs.in
• Address: ALT.F Coworking, Sector 58, Noida, Uttar Pradesh, India