Privacy Notice
This notice explains how FitterFlow handles personal information across the marketing website, demo access, agency application and worker portal.
Effective date: 9 June 2026
1. Scope and roles
For marketing, sales, account administration and service security, FitterFlow acts as a controller of the relevant personal information.
For worker, client, timesheet, signature, invoice and similar operational data entered by a customer, the customer is normally the controller and FitterFlow processes the data on its instructions. The applicable service agreement or data processing agreement should confirm those roles.
2. Information we collect
The categories depend on how you use the service.
- Contact and account data, such as name, work email, phone number and authentication records.
- Agency, team, client, job and worker profile data.
- Shift assignments, status updates, timesheets, notes, pay calculations, expenses and signatures.
- Invoice, payment-tracking and accounting-integration records.
- Worker documents and bank details where customers or workers choose to provide them.
- Device, log, security, IP address, browser and service-usage information.
- Demo requests, sales communications and support correspondence.
- Prompts, source fields and generated results when enabled AI features are used.
3. How information is obtained
Information may be provided directly by website visitors, agency users and workers; entered by an agency about its workforce or clients; generated through use of the service; or received from configured payment, messaging, accounting and authentication providers.
4. Purposes and lawful bases
We process personal information to provide and secure the service, authenticate users, administer accounts, respond to enquiries, support customers, process subscriptions, maintain audit records, prevent abuse and improve reliability.
Depending on the context, the lawful basis may be performance of a contract, steps requested before entering a contract, legitimate interests in operating and securing the service, compliance with legal obligations or consent where required.
5. Customer-controlled operational processing
Agency customers determine why worker and client operational data is used, which records are required, who receives access and how long the information should be retained, subject to the service controls and applicable law.
Workers should direct questions about an agency's employment, assignment or payroll decisions to that agency.
6. Bank, payment and billing data
The product supports worker bank details, payment tracking, external payment records and subscription billing. Sensitive bank values are encrypted and masked in supported interfaces.
Stripe may process customer subscription payment information. FitterFlow does not claim to act as a bank or payroll processor.
7. AI-assisted processing
Where AI is enabled, selected content may be redacted, limited and sent to a configured provider to generate a draft or suggestion. Usage is subject to access controls, limits and audit logging.
FitterFlow AI features are designed for human review and are not intended to make solely automated decisions with legal or similarly significant effects.
8. Sharing and service providers
We may use hosting, storage, monitoring, email, messaging, payment, accounting, security and AI service providers where needed to operate configured features.
Relevant providers can include Stripe, Cloudflare Turnstile, Xero, QuickBooks, Sage, email or WhatsApp providers and configured AI providers. A provider is only involved when the related feature is enabled or used.
We may also disclose information where required by law, to protect rights and security, or in connection with a business transaction subject to appropriate safeguards.
9. International transfers
Some providers may process information outside the United Kingdom. Where required, transfers should rely on adequacy regulations, approved contractual safeguards or another lawful transfer mechanism.
10. Retention
We retain personal information only for as long as reasonably needed for the relevant service, contract, security, dispute, audit and legal purposes.
Exact production retention and deletion arrangements depend on the customer agreement, controller instructions, backups and legal obligations. Customers should define their operational retention policy rather than assume a universal period.
11. Security
FitterFlow uses access controls, role checks, tokenised links, audit records and encryption or masking for supported sensitive fields. Security controls reduce risk but no system can guarantee absolute security.
Users must protect credentials and report suspected unauthorised access promptly.
12. Cookies and similar technologies
The service may use technologies necessary for authentication, security, language or session operation. Cloudflare Turnstile may process technical data when human verification is enabled.
Invisible human verification is subject to Cloudflare's Turnstile Privacy Addendum: https://www.cloudflare.com/turnstile-privacy-policy/
Non-essential analytics or advertising technologies should not be introduced without the required notice and consent controls.
13. Your rights
Depending on applicable law and our role, you may have rights to access, correct, erase, restrict or object to processing, receive portable data, withdraw consent and complain to a regulator.
Where FitterFlow processes operational data for an agency, we may refer the request to that agency as controller.
14. Complaints
You can contact us first so we can investigate. In the United Kingdom, you may also complain to the Information Commissioner's Office at ico.org.uk.
15. Children
FitterFlow is a business workforce service and is not directed to children. Customers are responsible for ensuring their worker-data practices are lawful for the people they engage.
16. Changes to this notice
We may update this notice as the product, providers or legal requirements change. The effective date above identifies the current published version.
Privacy requests
To request access, correction, deletion or further information, contact [email protected].