Privacy Policy

Overview

QFlow ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our queue management software and services (the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

HIPAA Notice: For healthcare organizations, we maintain HIPAA-compliant data handling practices. Please refer to our Data Processing Agreement for healthcare-specific privacy protections.

Information We Collect

1. Information You Provide Directly

We collect information that you provide when using our Services:

Account Information: Name, email address, phone number, organization name, job title, billing address
Customer Data: Names, contact information, service preferences for queue participants (collected on behalf of our clients)
Communication Data: Messages, feedback, support requests, and survey responses
Payment Information: Billing details (processed securely through third-party payment processors; we do not store full credit card numbers)

2. Automatically Collected Information

When you access our Services, we automatically collect certain information:

Usage Data: Features used, pages visited, time spent, queue interactions, ticket generation statistics
Device Information: IP address, browser type, operating system, device identifiers, mobile network information
Location Data: Approximate geographic location based on IP address (precise location only if you grant permission)
Cookies & Similar Technologies: See the "Cookies & Tracking Technologies" section below

3. Information from Third-Party Sources

Integration Partners: Data from CRM systems, appointment scheduling platforms, and other integrated services (with your authorization)
Analytics Providers: Website usage statistics and performance metrics
Public Sources: Publicly available business information for B2B sales and marketing purposes

How We Use Your Information

We use the collected information for the following purposes:

1. Service Delivery & Operations

Provide, operate, and maintain our queue management Services
Process transactions and send related information (confirmations, invoices, technical notices)
Manage your account and provide customer support
Send service announcements, updates, and security alerts

2. Service Improvement & Development

Analyze usage patterns to improve functionality and user experience
Develop new features and services
Conduct research and analytics for product enhancement
Monitor and analyze trends, usage, and activities

3. Communication & Marketing

Send promotional communications about new features, products, or services (you can opt out anytime)
Conduct surveys and collect feedback
Deliver targeted marketing and advertising

4. Legal & Security

Comply with legal obligations and enforce our agreements
Detect, prevent, and address fraud, security breaches, and technical issues
Protect the rights, property, and safety of QFlow, our users, and the public

How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

1. Service Providers

We share information with third-party vendors who perform services on our behalf:

Cloud hosting providers (AWS, Azure)
Payment processors (Stripe, PayPal)
Email and SMS communication services
Analytics and monitoring services
Customer support platforms

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

2. Business Transfers

If QFlow is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

3. Legal Requirements

We may disclose your information if required to do so by law or in response to:

Valid legal processes (subpoenas, court orders, search warrants)
Requests from government authorities
Legal claims or disputes
Emergencies involving danger of death or serious physical injury

4. With Your Consent

We may share your information for purposes not listed in this policy with your explicit consent.

Data Security

We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction:

Technical Safeguards

Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit
Access Controls: Role-based access with multi-factor authentication (MFA)
Network Security: Firewalls, intrusion detection systems, and DDoS protection
Monitoring: 24/7 security monitoring and automated threat detection
Penetration Testing: Regular third-party security audits and vulnerability assessments

Organizational Safeguards

Employee Training: Regular security awareness and data protection training
Access Limitation: Need-to-know basis access policies
Incident Response: Documented procedures for security breach notification and remediation
Vendor Management: Due diligence and contractual security requirements for all third-party processors

Important: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods

Account Data: Retained while your account is active, plus 3 years after account closure for legal and compliance purposes
Queue Transaction Data: Retained for 2 years for analytics and compliance purposes (HIPAA-covered data follows specific retention requirements)
Billing Records: Retained for 7 years to comply with tax and financial regulations
Marketing Data: Retained until you unsubscribe or request deletion
Security Logs: Retained for 1 year for security monitoring and incident investigation

After the retention period, we securely delete or anonymize your information. You may request earlier deletion of your data subject to our legal and contractual obligations.

Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

General Rights

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your personal information (subject to legal retention requirements)
Portability: Request a copy of your data in a structured, machine-readable format
Objection: Object to processing of your information for direct marketing purposes
Restriction: Request restriction of processing in certain circumstances

GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under GDPR:

Right to withdraw consent at any time
Right to lodge a complaint with your local data protection authority
Right to know the legal basis for processing your data
Right to automated decision-making and profiling protections

CCPA Rights (California Users)

California residents have specific rights under the California Consumer Privacy Act:

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information (subject to exceptions)
Right to opt-out of the sale of personal information (we do not sell personal information)
Right to non-discrimination for exercising CCPA rights

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@qflow.io
Privacy Portal: qflow.io/privacy-request
Mail: QFlow Privacy Team — registered address available on request

We will respond to your request within 30 days (or as required by applicable law).

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of our Services.

Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential Cookies	Enable core functionality (authentication, security, session management)	Session / 1 year
Analytics Cookies	Understand how visitors use our Services (Google Analytics, Mixpanel)	2 years
Functionality Cookies	Remember your preferences and settings	1 year
Marketing Cookies	Deliver relevant advertisements and track campaign effectiveness	1 year

Managing Cookies

You can control cookie preferences through:

Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies
Cookie Consent Tool: Use our cookie preference center on first visit
Opt-Out Tools: Visit youronlinechoices.eu or optout.networkadvertising.org

Note: Disabling certain cookies may limit functionality of our Services.

International Data Transfers

QFlow is based in the United States. If you are accessing our Services from outside the U.S., please be aware that your information may be transferred to, stored, and processed in the U.S. and other countries where our service providers operate.

We implement appropriate safeguards for international data transfers, including:

Standard Contractual Clauses (SCCs): EU-approved model contracts for data transfers
Data Processing Agreements: Contractual commitments with service providers
Privacy Shield Framework: Compliance with applicable international frameworks
Adequacy Decisions: Transfers to countries recognized as providing adequate protection

Children's Privacy

Our Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

Update the "Last Updated" date at the top of this policy
Notify you via email or in-app notification for material changes
Provide a summary of key changes in the notification
Post a notice on our website for 30 days following the update

Your continued use of our Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, please discontinue use of our Services.

Table of Contents