1. Information We Collect

Flow collects and processes various types of information to provide our specialized operational services:

• Account Details: Name, email, organization, and professional role.
• Clinical & Operational Data: Case metadata, clinical notes, and participant identifiers.
• High-Sensitivity Documents: Identity scans (IDs), participant photos, and clinical reports.
• Integration Data: Authorized data from third-party services like Google Calendar (OAuth sync) and Notion.
• Technical Logs: IP addresses, browser metadata, and device identifiers used for security and reliability.

2. How We Use Information

Your information is used to facilitate high-trust operations:

• To operate core platform features including workflow automation, scheduling, and billing.
• To maintain Audit Integrity via permanent logs that track all CRUD (Create, Read, Update, Delete) actions.
• To facilitate communications through the Comms Hub (SMS and Email notifications).
• To manage licensing agreements and track case volume for overage billing.
• To detect fraud and ensure compliance with institutional security standards.

3. Data Sharing and Processors

We do not sell your personal or clinical data. Sharing is limited to:

• Trusted cloud infrastructure providers for hosting and encrypted storage.
• Third-party integrations you specifically authorize (e.g., Google, Notion).
• Legal compliance: Disclosures required by law or to prevent immediate harm.

4. Data Security and Governance

We implement role-based access control (RBAC), end-to-end encryption in transit, and immutable audit trails to protect your clinical and operational environment.

5. Data Retention

Records are retained while your account is active and for the duration required by clinical, legal, and regulatory obligations. Requests for deletion are subject to institutional data integrity requirements.

6. Feedback & Result Delivery

Access to certain reports and results may be subject to a 'Feedback Lock' mechanism, where quality reviews are gathered for process improvement and operational excellence.

7. Cookies and Detailed Tracking Disclosure

Flow uses technically essential cookies to maintain security and operational state:

• sessionid: Mandatory cookie used to keep you securely logged into your account.
• csrftoken: Security cookie used to prevent Cross-Site Request Forgery (CSRF) attacks.
• Functional Settings: Used to store temporary UI preferences like sidebar collapse state.
• Third-Party: External services (Google, Notion) may set their own cookies during interaction.

8. Policy Updates

We may update this policy periodically. Continued use of the platform after updates are posted constitutes acceptance of the revised policy.