ForeFlow - Privacy Policy

Privacy Policy

Effective date: 20 February 2026

1. Introduction

1.1 ForeFlow Pty Ltd (ABN 41 693 400 029) ("ForeFlow", "we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose and protect your personal information in connection with:

our websites (including foreflow.com.au, app.foreflow.com.au and related domains);
our ForeFlow web application and related services; and
any other services that link to this Privacy Policy

(together, the "Services").

1.2 By using our Services or providing personal information to us, you consent to us handling your personal information in accordance with this Privacy Policy and the Privacy Act 1988 (Cth) and other applicable privacy laws.

1.3 We may update this Privacy Policy from time to time. The updated version will be published on our website and will take effect from the date of publication.

2. What personal information we collect

2.1 The personal information we collect will depend on how you interact with us, and may include:

Identity and contact details: Name, business role, email address, phone number, business name, ABN, business address and contact preferences.

Account details: Username, password (stored in encrypted form), account settings, subscription tier and billing details.

Business and usage information: Information about your business (for example, number of staff, services you provide, financial year dates, working hours, region and public holiday settings), how you use the Services, dashboard configurations, budget strategies, pricing parameters and preferences.

Integrated system data: Where you connect third-party systems to ForeFlow, we may receive and process:

from accounting platforms (such as Xero): invoices, bills, bank transactions, payroll data (including employee names, pay rates and payslip details), profit and loss reports, chart of accounts and contact records;
from job management platforms (such as Simpro or ServiceM8): job records, quotes, customer names, site addresses, job costs, scheduling data, cost centre information and salesperson attribution; and
from payment processors (such as Stripe): subscription and billing data.

This data may contain personal information about your employees, customers, suppliers and other individuals.

Support and communication records: Details of enquiries, feedback, support requests and communications with us.

Recruitment information: If you apply for a job with us, we may collect information from your CV or resume, cover letter, references and related information you or third parties provide.

2.2 We generally do not seek to collect "sensitive information" (as defined in the Privacy Act), such as health information, except where it is reasonably necessary (for example, in recruitment) and you provide it to us voluntarily.

3. How we collect personal information

3.1 Directly from you

When you create an account or use the Services, connect or authorise integrations with third-party services, fill out forms or questionnaires, subscribe to our mailing list or waitlist, contact us by email, phone, web form or social media, or participate in feedback, surveys or promotions.

3.2 From third parties

From third-party services you choose to integrate with ForeFlow (for example, Xero, Simpro, ServiceM8 or other connected platforms), from service providers who assist us in delivering our Services, or from recruitment agencies or referees when you apply for a role.

3.3 Automatically

When you use our website or app, we may collect your IP address, device and browser type, pages viewed and time spent, referring pages, and log data related to how you use the Services.

3.4 Cookies and similar technologies

We use cookies and similar technologies to remember your preferences and settings, keep you logged in, understand how our website and Services are used, and improve performance and user experience.

You can adjust your browser settings to refuse cookies, but this may limit some functionality.

3.5 Analytics

We may use third-party analytics tools (such as Google Analytics or similar services) to help us understand how our website and app are used and to improve them. These tools may collect information about your use of our Services and your device, in accordance with their own privacy policies.

4. How we use personal information

We may use your personal information for purposes including:

Providing and operating the Services: To set up and manage your account, process subscriptions and payments, operate integrations with your connected platforms, synchronise data, and deliver features including dashboards (CashDash, SalesDash), budgeting tools, pricing calculations, cashflow forecasting and sales tracking.

AI features and model improvement: To power AI-generated insights, recommendations and scenario modelling through FlowPilot (AI business coach) and FlowLab (decision simulator), and to improve our models and features over time. AI features primarily use de-identified or aggregated data for model improvement. Your identifiable business data is used to generate personalised insights for your business only, not to train models that serve other users.

Analytics and insights: To analyse trends and usage, understand how our Services are used, create industry benchmarks (using de-identified or aggregated data), and improve performance and experience.

Customer support: To respond to enquiries, support requests and complaints.

Security and fraud prevention: To monitor, detect and prevent unauthorised access, abuse or harmful activity, and to maintain the security and integrity of our multi-tenant platform.

Marketing and communication: To send you updates, newsletters and information about features or offers, in accordance with your communication preferences and applicable laws.

Business operations: To manage our business, maintain records, conduct audits, perform reporting, and comply with our legal obligations.

Recruitment: To assess job applications and manage recruitment processes.

We may also create de-identified or aggregated data from your information (for example, usage statistics, industry benchmarks or anonymised performance metrics). De-identified or aggregated data no longer reasonably identifies individuals and we may use or disclose it for any purpose.

5. How we share personal information

5.1 Service providers

To trusted third-party service providers who help us operate and support the Services and our business, including:

Hosting and infrastructure: Supabase (database, authentication and serverless functions)
AI services: Anthropic (Claude API for FlowPilot and FlowLab AI features)
Payment processing: Stripe
Analytics and monitoring tools
Email, communications and support tools
Professional advisers (lawyers, accountants, auditors, consultants)

These providers may be located in Australia or overseas. We require them to handle personal information in a manner consistent with this Privacy Policy and applicable law.

5.2 Third-party services you connect

Where you enable integrations between ForeFlow and third-party services:

we may share data with those services where necessary to operate the integration (for example, writing back data to Xero or Simpro where you have configured this); and
we may receive data from those services (for example, importing invoices, jobs or bank transactions).

You control which integrations are enabled and can disconnect them at any time through your ForeFlow settings. The privacy practices of those third-party services are governed by their policies, not this Privacy Policy.

5.3 Business transfers

If we are involved in a merger, acquisition, sale of assets, restructuring or similar transaction, your personal information may be transferred as part of that transaction, subject to confidentiality and applicable law.

5.4 Legal and regulatory

We may disclose personal information where required or authorised by law, regulation, court order or government request, or to enforce our legal rights, protect our property, or protect the safety of individuals.

6. Overseas disclosures

Our service providers and infrastructure may be located in, or store data in, countries outside Australia, including (for example) the United States. Key overseas disclosures include:

Supabase: Database hosting and serverless functions (data may be stored in AWS regions including the United States)
Anthropic: AI processing for FlowPilot and FlowLab features (United States)
Stripe: Payment processing (United States)

By using the Services, you acknowledge that your personal information may be transferred to and stored in these locations, and consent to such transfers, understanding that the privacy laws in those jurisdictions may not provide the same level of protection as the laws in Australia.

We will take reasonable steps to ensure that any overseas recipients protect your personal information in a manner consistent with this Privacy Policy and the Australian Privacy Principles, where required.

7. Security

7.1 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, including through:

row-level security policies that isolate each business's data from other users on our multi-tenant platform;
authentication and access controls across all database functions and API endpoints;
encryption of data in transit;
using reputable cloud and infrastructure providers;
limiting access to personal information to personnel and service providers who need it to perform their duties; and
secure handling of third-party API credentials and OAuth tokens.

7.2 However, no method of transmission or storage is completely secure. We cannot guarantee absolute security and you use the Services at your own risk.

8. Retention and deletion

8.1 We keep personal information for as long as your account is active and as reasonably needed to provide the Services, and for a further period as necessary for legitimate business purposes (for example, records and compliance) or as required by law.

8.2 We take reasonable steps to destroy or permanently de-identify personal information that we no longer need, and to ensure any data held in backups is subject to appropriate security controls until it is deleted in the ordinary course of our backup lifecycle.

8.3 If you close your account, we may retain limited information (for example, transaction records, communications or audit logs) where required for our legitimate business purposes or legal obligations. We will revoke any active third-party service authorisations and cease synchronising data from your connected platforms.

9. Access and correction

9.1 You can generally access and correct certain personal information directly via your account settings in the Service, including your business profile, team member details and integration configurations.

9.2 You may also request access to, or correction of, the personal information we hold about you by contacting us using the details in section 11.

9.3 We will respond to such requests within a reasonable time. In some cases, we may need to verify your identity or we may be permitted or required by law to refuse your request. If we refuse, we will tell you why (unless it is unreasonable to do so).

10. Marketing communications

10.1 We may send you marketing communications (such as emails about new features, offers or updates) where you have given your consent or we are otherwise permitted by law.

10.2 You can opt out of marketing communications at any time by using the unsubscribe link in the message or contacting us using the details below.

10.3 Even if you opt out of marketing, we may still send you non-marketing communications (for example, service announcements, security alerts, invoices, subscription reminders or important notices about your account or connected integrations).