Privacy Policy

Effective Date: April 8, 2026

This Privacy Policy explains how ReturnFlow HQ ("we", "us", "our") collects, uses, and protects information when you use our AI-powered SMS marketing platform ("Service").

1. Information We Collect

From Franchise Owners (You)

• Name, email address, phone number, business address
• Business name and type
• Login credentials (password stored as bcrypt hash — we never store plaintext)
• Payment information (processed by Stripe — we do not store card numbers)

From Square POS (Your Customers)

• Customer names and phone numbers
• Order history: dates, items purchased, transaction amounts
• Visit frequency and patterns

We access this data solely through the Square OAuth authorization you provide. We do not access bank accounts, employee data, or financial reports.

Automatically Collected

• Message delivery status and engagement metrics
• Login timestamps and usage patterns
• IP addresses and browser information for security purposes

2. How We Use Information

• Message Personalization: AI analyzes order history and visit patterns to generate relevant, personalized messages for each customer
• Service Delivery: Provisioning phone numbers, sending SMS messages, processing billing
• Performance Reporting: Generating dashboards showing revenue impact, messaging stats, and ROI
• Service Improvement: Analyzing aggregate patterns to improve AI message quality
• Compliance: Enforcing opt-outs, send windows, and regulatory requirements

3. Data Protection

• Square OAuth tokens are encrypted at rest using AES-256-GCM
• Passwords are hashed with bcrypt (never stored in plaintext)
• All data transmission uses HTTPS/TLS encryption
• Database access is isolated per tenant using Row Level Security
• Payment processing is handled entirely by Stripe (PCI DSS compliant)

4. Data Sharing

We do not sell, rent, or trade your data or your customers' data. We share data only with:

• Twilio: Phone numbers and message content for SMS delivery
• Square: OAuth token exchange for POS data access
• AI Providers (xAI/OpenAI): Anonymized context for message generation (no customer phone numbers are sent to AI)
• Stripe: Payment processing
• Law Enforcement: Only when required by valid legal process

5. Customer Opt-Out Rights

End customers (the people receiving SMS messages) can:

• Reply STOP to any message to immediately opt out
• Opt-outs are processed automatically and permanently
• We maintain a suppression list to prevent re-messaging opted-out numbers

6. Data Retention

• Active Accounts: Data is retained for the duration of your subscription
• After Cancellation: Data is retained for 30 days, then permanently deleted
• Message Logs: Retained for 12 months for compliance and reporting
• Opt-Out Records: Retained indefinitely to honor opt-out requests

7. Your Rights

You have the right to:

• Access the data we hold about you and your customers
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your data in a standard format
• Withdraw Square OAuth authorization at any time

8. Cookies & Sessions

We use session cookies for authentication. These are:

• Strictly necessary for login functionality
• HttpOnly and Secure flagged
• Expire after 24 hours of inactivity
• We do not use tracking cookies or third-party analytics

9. Children's Privacy

The Service is not intended for use by individuals under 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 30 days before taking effect.

11. Contact

Questions or concerns about your privacy? Contact us at [email protected].