Legal
Privacy policy
Last updated 15 July 2026
FloConnector (“FloConnector”, “we”, “us”) is a hosted integration platform that lets the AI client you already use reach the SaaS tools your business runs on. This policy explains what we collect, why, how we protect it, and the choices you have. It covers floconnector.com, the console, and the connection endpoints we host for you.
The short version. We store the minimum we need to run the service. Your vendor credentials are encrypted before they touch our database. We don’t keep a copy of the business data that flows through your connections. It passes through and is discarded. We don’t sell your data or use it to train AI models.
1. Who this applies to
This policy is written for our customers, the businesses and people who register for a FloConnector account, and the authorised users they invite. Where we process data on your behalf about your own customers or contacts (for example, records that live in a platform you connect), we act as a processor, and you are the controller of that data under your own privacy obligations.
2. Data we collect
Account and identity
When you register we collect your email address and, optionally, your name and workspace/account details. We authenticate you with a magic link sent to your email, so we don’t store passwords. We record basic session and device information to keep your account secure.
Vendor connection credentials
When you connect a platform (for example Xero), we receive OAuth tokens that let us call that platform on your behalf. These tokens are envelope-encrypted in our application before they are written to the database. Our database never sees them in plaintext. We refresh them server-side as needed. The AI client you plug in never receives your vendor credentials.
Business data flowing through connections
To fulfil a request from your AI client, we call the platforms you’ve connected and relay the result. We operate as a proxy: we do not maintain a persistent mirror of your platform data. Where a request needs to analyse a larger dataset, we load it into an ephemeral, in-memory analytics engine that is discarded at the end of the request; the underlying records never enter the AI model’s context and are not retained by us.
Usage and audit metadata
We keep a metadata-only record of tool calls (which tool ran, on which connection, when, whether it succeeded, and the resulting usage count) for billing, support, security, and product analytics. By default this log stores metadata, not the sensitive payloads of your requests. Full-argument capture is off unless you opt in.
Billing
Payments are processed by Dodo Payments as our Merchant of Record. Your card details are handled by Dodo and their payment processors. We do not receive or store full card numbers. We retain billing records such as plan, invoices, and usage totals.
Site and support
We collect standard server logs (IP address, browser, pages requested) and any information you send us when you contact support or submit feedback.
3. How we use data
- To provide, secure, and maintain the service and your connections.
- To authenticate you and protect against fraud and abuse.
- To meter usage and bill you accurately.
- To provide support and respond to your requests.
- To understand which connectors and tools are used, so we can improve the product.
- To comply with legal obligations.
We do not sell your personal information, and we do not use your data or the data flowing through your connections to train AI or machine-learning models.
4. Sub-processors we rely on
We use a small set of service providers to run FloConnector. Each is bound by contract to protect your data:
- Dodo Payments: payment processing (Merchant of Record).
- Composio: managed connectivity and OAuth for the broader connector catalogue. For connectors delivered through Composio, request and response data passes through Composio’s infrastructure to reach the vendor. Our natively integrated connectors (for example Xero) call the vendor directly without Composio.
- Resend: transactional email (magic links, notifications).
- Our hosting provider: infrastructure hosting for the application and database.
Some sub-processors may process data outside your country. Where they do, we rely on appropriate safeguards for those transfers.
5. How long we keep data
- Account data: for as long as your account is active.
- Vendor tokens: until you disconnect the platform or close your account, after which they are deleted.
- Business data in transit: not retained; discarded at the end of each request.
- Usage and billing records: retained as required for accounting, tax, and legal purposes.
6. How we protect data
Vendor credentials are encrypted application-side before storage. Connections are served over encrypted transport, and every data-plane request requires a valid bearer token scoped to your workspace. Access to each connection is controlled per user, and you decide which tools an AI client is allowed to use. No security measure is perfect, but we design to store as little sensitive data as possible in the first place.
7. Cookies and analytics
Our marketing website (floconnector.com) can use Google Analytics to
understand which pages people find useful. It is off by default. The first
time you visit we ask with a banner, and we do not load Google Analytics or set
its cookie unless you accept. If you decline, no analytics cookie is set. You can change your
mind at any time by clearing the flc-consent value your browser stored for our
site, which brings the banner back.
When enabled, Google Analytics sets a first-party cookie to measure page visits and traffic sources. It receives nothing about the platforms you connect or the business data that flows through your connections. The console (the signed-in product) does not run Google Analytics; we understand product usage through the metadata-only tool-call log described above. We also use a small number of strictly necessary cookies for sign-in and security, which are required for the service to function and are not used for analytics.
8. Your rights and choices
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Australian customers are covered by the Privacy Act and the Australian Privacy Principles; customers in the EEA/UK and California have rights under the GDPR/UK GDPR and CCPA/CPRA respectively. You can exercise these rights, or ask a question, at support@floconnector.com. You can also disconnect a platform or close your account at any time from the console.
9. Children
FloConnector is a business product and is not directed to anyone under 16. We don’t knowingly collect data from children.
10. Changes to this policy
We may update this policy as the product evolves. When we make material changes, we’ll update the date above and, where appropriate, notify you.
11. Contact
FloConnector is operated by MODLL PTY LTD (ABN 79 639 342 484), based in Victoria, Australia. For any privacy question, email support@floconnector.com.