Privacy Policy

01Who we are

HighFlowAI LLC is a Texas limited liability company, operating from Brisbane, Australia. We design and deploy AI automation systems — chatbots, voice assistants, booking flows and custom integrations — for businesses in the United States, Australia, and selectively in other jurisdictions.

For the purposes of US state privacy laws, HighFlowAI is the controller (or business) of personal information we collect about you. For clients who engage us to build systems that process their end-users' data, we typically act as a processor (or service provider) with respect to that end-user data, governed by the terms of our service agreement with the client.

Contact details for privacy questions are at the bottom of this page.

02Information we collect

Information you give us

When you fill out our contact form, email us, call us, or work with us as a client, we collect information you provide directly. This typically includes:

• Your name
• Your email address
• Your phone number (if you provide it)
• Your company name and role
• The contents of messages you send us
• Information needed to deliver services (e.g., billing details, account credentials for systems we integrate with on your behalf)

Information collected automatically

When you visit the Site, our hosting provider and analytics tools may automatically collect:

• IP address and approximate location derived from it
• Browser type, operating system and device type
• Referring URL and pages visited
• Date, time and duration of your visit
• Interactions with specific page elements (e.g., scroll depth, outbound link clicks, form submissions)
• Cookie and similar technology identifiers (see Cookie Policy)

This information may be shared with our analytics and advertising measurement providers (see Section 05) unless you have opted out using a Global Privacy Control signal, in which case none of this information is transmitted to those providers.

Information from third parties

If you reach us through a third-party platform (e.g., a social network, a CRM you've authorized) we may receive limited information that platform shares with us per its own privacy terms. We do not buy contact lists or third-party marketing data.

Sensitive information

We do not knowingly collect "sensitive personal information" as defined under California or Texas law (such as government IDs, precise geolocation, biometric data, racial or ethnic origin, religious beliefs, or health data). Please do not send us any such information through our website forms.

03How we use it

We use the personal information we collect for the following purposes:

• Responding to your inquiries — answering messages, scheduling calls, providing quotes.
• Delivering services — building, deploying, monitoring and improving the systems we've been engaged to build.
• Account & billing administration — invoicing, payment processing (via Stripe), support communications.
• Site operation & improvement — diagnosing issues, measuring traffic, refining content.
• Advertising measurement & attribution — understanding how visitors find our website, which marketing channels generate engagement, and which campaigns are effective. We share limited data with analytics and advertising providers for this purpose (see Section 05). We do not use this data to build profiles for behavioral advertising on third-party sites, beyond the standard attribution mechanisms used by these providers to measure ad effectiveness.
• Security — detecting and preventing fraud, abuse, and unauthorized access.
• Legal compliance — meeting our obligations under applicable law and enforcing our agreements.
• Marketing — sending occasional updates only to people who have asked to receive them. For Australian recipients, our messages comply with the Spam Act 2003 (Cth); for US recipients, with the CAN-SPAM Act. You can unsubscribe at any time using the link in every message, or by emailing us.

We do not use your personal information to train artificial intelligence models, and we do not sell your data.

04Legal bases for processing

Where required by applicable law, we rely on one or more of the following legal bases to process personal information:

• Performance of a contract — when processing is necessary to deliver services you've engaged us for.
• Legitimate interests — for things like operating and securing the Site, responding to inquiries, and improving our services. We balance these interests against your rights.
• Consent — for marketing communications and non-essential cookies, where we ask for your permission.
• Legal obligation — to comply with laws, court orders or regulatory requirements.

05Who we share with

We share personal information only as needed to operate our business and measure the effectiveness of our marketing, and only with parties who are contractually obligated to protect it. Specifically:

Service providers

We rely on a small number of third-party tools to run the business. These providers receive only the information needed to perform their function and are prohibited from using it for any other purpose. Categories include:

• Hosting and cloud infrastructure providers
• Email and communication tools
• Customer relationship management (CRM) systems
• Payment processors (we use Stripe)
• Professional services (accounting, legal)

Analytics providers

We use Google Analytics 4 (provided by Google LLC) to understand how visitors interact with the Site — which pages are read, where visitors come from, and what content holds attention. The data shared includes pseudonymous identifiers, page interactions, truncated IP addresses, and device metadata. We have configured the property for measurement only and have not enabled data sharing with Google's broader advertising products.

Advertising measurement providers

We use the Meta Pixel and Conversion API (provided by Meta Platforms, Inc.) to measure the effectiveness of advertising campaigns we run on Meta's platforms (Facebook, Instagram). The data shared includes hashed contact identifiers (email addresses are cryptographically hashed before transmission, so the plaintext email is never sent), browser cookie identifiers, IP addresses, page interaction data, and conversion event data such as contact form submissions.

Under the California Privacy Rights Act (CPRA) and similar US state laws, this transmission constitutes "sharing" for cross-context behavioral advertising. You have the right to opt out of this sharing — see Section 10 and our dedicated Do Not Sell or Share page. We honour Global Privacy Control (GPC) browser signals as a valid opt-out, and when GPC is detected no data is transmitted to Meta or to Google Analytics from your browser.

Legal & protective disclosures

We may disclose information when we believe in good faith it's necessary to: comply with a legal obligation, court order, or government request; protect our rights or property; prevent fraud or harm; or protect the safety of any person.

Business transfers

If HighFlowAI is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you (e.g., by email or prominent Site notice) before your information becomes subject to a different privacy policy.

What we don't do

We do not sell your personal information for monetary consideration. We do not provide personal information to data brokers. Beyond the analytics and advertising measurement sharing described above — which you can opt out of via GPC or a written request — we do not share personal information with third parties for their own marketing purposes.

The complete list of third-party services we use is published at our Subprocessors page.

06Cookies & tracking

The Site uses cookies and similar technologies (like local storage) for essential functionality, aggregated analytics, and advertising attribution. For a full breakdown of which cookies we use, what they do, and how to manage them, see our Cookie Policy.

Global Privacy Control (GPC)

We honour the Global Privacy Control browser signal as a valid opt-out preference signal under California, Colorado, Connecticut and other state laws that recognise it. When your browser sends a GPC signal:

• No data is transmitted to Google Analytics 4 from your visit
• No data is transmitted to Meta (Pixel or Conversion API) from your visit
• No advertising-attribution cookies are set
• The opt-out applies for the duration of your visit and on every subsequent visit while the GPC signal is sent

You do not need to take any additional action if you have GPC enabled in your browser. To enable GPC, see the help pages for your browser — Brave, Firefox, and DuckDuckGo browsers send the signal by default; Chrome, Edge and Safari support it via extensions.

07How long we keep it

We keep personal information only as long as we need it for the purposes described above, or as long as required by law. As a general guide:

• Inquiries Up to 24 months from your last contact, then deleted unless you've become a client.
• Client records For the duration of the engagement and up to 7 years after, to meet tax and legal obligations.
• Analytics Event-level data is retained for up to 14 months in Google Analytics 4 (our configured maximum); aggregated reports may be retained longer.
• Advertising measurement Meta retains conversion event data per its own retention policies (currently up to 180 days for hashed contact identifiers, longer for aggregated reporting). We do not control Meta's retention beyond what their platform settings allow.
• Marketing list Until you unsubscribe, then suppression-list only (so we don't email you again).
• Privacy rights requests 24 months from receipt, as required under California regulations.

08How we protect it

We take reasonable administrative, technical, and physical safeguards to protect personal information against loss, theft, misuse and unauthorized access. These include encryption in transit, access controls on backend systems, and ongoing review of our security practices.

That said, no system is perfectly secure. If we ever experience a security incident affecting your personal information, we will notify you and any required regulators in accordance with applicable law.

09Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

• Access — to know what we hold about you and request a copy.
• Correction — to fix inaccurate or incomplete information.
• Deletion — to request that we erase your information.
• Portability — to receive your data in a portable format.
• Opt-out of sale or sharing — we do share limited data with analytics and advertising providers for measurement purposes (see Section 05). You can opt out of this sharing via Global Privacy Control or by submitting a written request through our Do Not Sell or Share page.
• Opt-out of profiling — for decisions producing legal or similarly significant effects.
• Withdraw consent — where we relied on your consent, you can withdraw it at any time.
• Non-discrimination — we won't penalize you for exercising any of these rights.

To exercise any of these rights, email privacy@highflowai.com with your request and enough information for us to verify your identity. We will respond within the timeframes required by applicable law (generally 45 days, extendable once where reasonably necessary).

You may also designate an authorized agent to make a request on your behalf. We will require written proof of authorization and may require the consumer to verify their own identity directly.

10California residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights. The information in Section 02 describes the categories of personal information we have collected in the past 12 months, and Sections 03 and 05 describe our purposes for collection and the categories of recipients.

Categories of personal information collected (CCPA)

• Identifiers — name, email, phone, IP address, cookie identifiers, hashed email addresses transmitted to advertising providers.
• Customer records — billing address, payment-related details (held by our payment processor).
• Commercial information — services purchased, engagement history.
• Internet activity — pages visited, referring URLs, interactions with the Site, conversion events such as contact form submissions.
• Geolocation — approximate location derived from IP. We do not collect precise geolocation.
• Professional information — company name and role, where you provide it.
• Inferences — limited inferences drawn from the above (e.g., likely interest in a particular service).

Sale of personal information

We have not sold personal information for monetary consideration in the past 12 months, and we do not currently do so.

Sharing of personal information

Under the CPRA, "sharing" specifically refers to sharing personal information with third parties for cross-context behavioral advertising. In the past 12 months, we have shared the following categories of personal information for this purpose:

• Identifiers — hashed email addresses, cookie identifiers, IP addresses
• Internet activity — page interactions, conversion events

This sharing is exclusively with Meta Platforms, Inc. for the purpose of measuring the effectiveness of advertising campaigns we run on Meta's platforms. We do not share personal information with any other third party for cross-context behavioral advertising. We have not knowingly shared the personal information of consumers under 16 years of age.

You have the right to opt out of this sharing. We honour Global Privacy Control signals as valid opt-out preference signals, and we also accept written opt-out requests. See our Do Not Sell or Share page for details on how to submit a request.

Sensitive personal information

We do not collect sensitive personal information as defined under the CPRA, and therefore do not use or disclose it for purposes that would require a notice of the right to limit use.

How to exercise your CCPA rights

Email privacy@highflowai.com or call us at the number listed below. We will not discriminate against you for exercising your rights.

"Shine the Light"

California Civil Code Section 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

11Other US state privacy rights

Residents of other US states with comprehensive privacy laws — including but not limited to Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia — may have similar rights to those described above, including the right to access, correct, delete, port, and opt out of certain processing (including targeted advertising). To exercise these rights, please contact us using the details below, or use the Global Privacy Control browser signal, which we honour where the applicable state law recognises it.

Texas residents

HighFlowAI is a Texas LLC. The Texas Data Privacy and Security Act (TDPSA) generally exempts businesses that meet the U.S. Small Business Administration's small business size standards. We currently meet that exemption. Regardless of exemption status, we do not sell sensitive personal data, and we will respond to verifiable Texas consumer requests in accordance with the TDPSA's principles.

Appeal rights

If we deny a privacy request, you have the right to appeal that decision. To appeal, email privacy@highflowai.com with the subject line "Privacy Appeal" within 30 days of our denial. We will respond within 60 days. If your appeal is denied, you may contact your state attorney general.

12International visitors

HighFlowAI operates from the United States and Australia. We serve clients in both countries as a matter of course, and may accept engagements in other jurisdictions on a case-by-case basis.

Australian residents

Where the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") apply to our handling of your personal information, we comply with those obligations.

Your rights under the Privacy Act. Australian residents have rights to access and correct personal information held about them, to know the kinds of personal information we collect and why, to opt out of direct marketing, and to make a complaint about how we handle personal information.

Overseas disclosure (APP 8). We may disclose your personal information to recipients located outside Australia, including in the United States (for hosting, payment processing, AI model providers, analytics, advertising measurement, and CRM tools) and, where service providers route data through EU data centres, the European Union. Before disclosing personal information overseas, we take reasonable steps to ensure that the recipient handles personal information in a way consistent with the APPs, generally through binding contractual arrangements with our service providers.

Notifiable data breaches. We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we experience an eligible data breach affecting your personal information that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law.

Direct marketing & Spam Act. Any commercial electronic messages we send to Australian recipients comply with the Spam Act 2003 (Cth). We send marketing messages only with consent (express or inferred), identify ourselves clearly, and provide a working unsubscribe option in every message.

Making a complaint. To exercise your rights or make a complaint about our handling of your personal information, contact privacy@highflowai.com. We will acknowledge your complaint within five (5) business days and aim to provide a substantive response within thirty (30) days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

EEA / UK residents

If you are located in the European Economic Area or the United Kingdom, you may have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the rights described in Section 09 as well as the right to lodge a complaint with your local supervisory authority. We process personal data of EEA/UK residents only where a lawful basis under GDPR/UK GDPR applies. Where we transfer EEA/UK personal data to the United States or Australia, we use appropriate safeguards (such as Standard Contractual Clauses) where required. If you'd like more detail about transfers relevant to your engagement, contact privacy@highflowai.com before submitting personal information.

Other jurisdictions

For residents of jurisdictions not specifically addressed above, we'll work with you to identify and comply with applicable local privacy laws where reasonably possible. Some jurisdictions have specific requirements that may affect how, or whether, we can engage with you; we'll be transparent if that applies to your situation.

Cross-border transfers

By using the Site or engaging us for services, you understand that your information may be transferred to and processed in the United States and Australia, as well as to service providers that may store or process data in the European Union, Singapore, or other locations, depending on the specific tools used in your engagement. We take reasonable steps to ensure personal information is treated consistently with this Privacy Policy regardless of where it is processed.

13Children's privacy

Our Site and services are not directed to children under 13 (or, where applicable, the age defined by local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@highflowai.com and we will delete it.

14Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll change the "Last updated" date at the top and, for material changes, post a notice on the Site or email registered users. Your continued use of the Site after the change takes effect means you accept the updated policy.

15Contact us

If you have questions about this policy, want to exercise your privacy rights, or want to report a concern, reach us at: