Privacy Policy

Effective date: March 27, 2026

1. Who we are

This Privacy Policy describes how AdvisoryFlow (“we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information in connection with the websites, applications, and related services we offer under the name AdvisoryFlow (collectively, the “Services”).

Contact. For privacy inquiries: privacy@advisoryflow.com. Postal address: 1326 E Commercial Blvd., Unit #2179, Oakland Park, FL, 33334, USA.

The Services may include (depending on your role) our marketing site, advisor-facing applications, and client-facing applications. This policy applies to all of them unless we say otherwise.

2. Roles and relationships

Advisors and organizations. If you use AdvisoryFlow on behalf of a firm or organization, we may process personal information about you and about individuals your organization serves (for example, clients). Your organization’s own notices and agreements may also apply.

Clients. If you access AdvisoryFlow because an advisor invited you or manages your relationship through the platform, your advisor may control certain account settings and may see information you submit. This policy explains our practices as the platform provider; it does not replace your advisor’s privacy notice or regulatory obligations.

3. Information we collect

We collect information you provide, information generated by your use of the Services, and information from third-party sources you connect.

3.1 Account and profile

  • Name, email address, phone number, credentials, and security settings (including multi-factor authentication data).
  • Organization details, roles, invitations, and billing contacts.

3.2 Financial account data (Plaid)

When you choose to link financial institutions, we use Plaid Inc. as a service provider. Through Plaid we may receive identifiers, institution and account metadata, balances, transactions, investment holdings and activity, liability/loan-related information, and asset-related information, depending on which Plaid products are enabled for your use case. We may also receive webhooks and technical logs related to those connections.

Plaid’s processing of end user information is also described in Plaid’s End User Privacy Policy.

3.3 Email and calendar-related data (Google and Microsoft)

If you connect a Google or Microsoft account to use email features, we access and store data in accordance with the permissions you grant. For Google Gmail, this may include reading, sending, and modifying mail (including related metadata) and your email address. For Microsoft Outlook / Microsoft 365, this may include reading, sending, and managing mail and basic profile information associated with the connected account.

Google’s terms and policies apply to use of Google user data; see Google’s API Services User Data Policy. Microsoft’s privacy statement is available at privacy.microsoft.com.

3.4 Payments (Stripe)

Subscription and payment processing may be handled by Stripe, Inc. (or its affiliates). We receive and retain billing status and limited payment-related information; Stripe collects payment method details subject to the Stripe Privacy Policy.

3.5 Content you upload or generate

  • Documents, files, messages, forms, signatures, tax or financial documents, and other materials you or your organization submits to the Services.
  • Support requests and communications with us.

3.6 Technical and usage data

  • Device and connection data, IP address, browser type, dates and times of access, and diagnostic logs.
  • Cookies and similar technologies used to maintain sessions and security (for example, authentication cookies on our marketing and app sites).

4. How we use information

We use personal information to:

  • Provide, operate, maintain, and improve the Services;
  • Authenticate users, prevent fraud and abuse, and protect security;
  • Connect financial accounts and display financial data to authorized users (such as linked advisors and clients you designate);
  • Enable email and communications features you connect (Gmail, Outlook, in-product messaging, notifications);
  • Process subscriptions and payments, send invoices, and manage accounts receivable;
  • Comply with law, respond to lawful requests, and enforce our terms;
  • Analyze aggregated or de-identified usage to improve the product (where permitted by law).

Google user data. We use data received from Google APIs only to provide or improve user-facing features of the Services that are prominent in our application and in this Privacy Policy. We do not sell Google user data. We do not use Google user data for serving ads. We do not allow humans to read Google user content except (a) with your consent, (b) for security or compliance purposes, (c) when aggregated and de-identified, or (d) when necessary to provide the Services and comply with applicable law, as permitted under Google’s API Services User Data Policy.

5. Legal bases (EEA, UK, and similar jurisdictions)

Where the GDPR or UK GDPR applies, we rely on legal bases such as: performance of a contract, legitimate interests (for example, securing the Services and improving reliability, balanced against your rights), consent where required (for example, certain marketing or non-essential cookies, if used), and legal obligation. Your counsel should confirm the correct mapping for each processing activity and region.

6. How we share information

We do not sell your personal information as those terms are commonly defined in U.S. state privacy laws. We share information with service providers that process data on our behalf (“subprocessors”), when you direct us to share it, or when required by law.

Categories of recipients may include:

  • Plaid — linking financial institutions and retrieving financial data (Plaid End User Privacy Policy).
  • Google — Gmail and related APIs when you connect a Google account.
  • Microsoft — Outlook / Microsoft identity when you connect a Microsoft account.
  • Stripe — payments and billing (Stripe Privacy Policy).
  • Cloud and infrastructure providers — for example, hosting, databases, object storage, serverless compute, security, and observability (e.g., Cloudflare).
  • Communications providers — for example, email delivery or SMS if you enable those channels.
  • Professional advisers — lawyers, auditors, or insurers when necessary.
  • Corporate transactions — merger, acquisition, financing, or sale of assets, subject to appropriate protections.

We may publish a dedicated subprocessor list; until then, this section summarizes the main categories.

7. Retention and deletion

We retain personal information only for as long as necessary to provide the Services, comply with applicable law, resolve disputes, and enforce our agreements. Retention periods vary by data category and use case; we do not keep personal information longer than needed for those purposes unless a longer period is required or permitted by law.

When you disconnect an integration (for example, Plaid, Gmail, or Outlook), we stop new collection through that integration. We then delete associated credentials and related data where applicable, or retain limited residual information only as needed for backups, security logs, or legal compliance, in line with the practices below.

Deletion requests. You may request deletion of your personal information or your account by contacting privacy@advisoryflow.com. We will verify your request where required by law and respond within a reasonable timeframe. Some information may be retained in encrypted backups or archived systems for a limited period before secure overwrite or expiry, or kept longer where we have a legal obligation, an ongoing legitimate need (for example, fraud prevention or unresolved claims), or where deletion is not technically feasible without disproportionate effort.

Review. We review our data retention and deletion practices periodically (at least annually) and when we launch material new features or processing activities, and we update this Privacy Policy when those practices change in a material way.

8. Security

We implement technical and organizational measures designed to protect personal information, including encryption in transit and access controls. Certain highly sensitive tokens (such as Plaid access tokens) are stored in encrypted form. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, or export personal information; to object to or restrict certain processing; to withdraw consent where processing is consent-based; and to opt out of certain “sharing” or targeted advertising (as defined by local law). You may also have the right to lodge a complaint with a data protection authority.

To exercise rights, contact privacy@advisoryflow.com. We may verify your request as permitted by law.

Do Not Track. There is no consistent industry standard for DNT; we do not respond to DNT signals in a uniform way.

10. International transfers

We may process and store information in the United States and other countries where we or our service providers operate. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) as determined by counsel.

11. Children

The Services are not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps.

12. Third-party services and links

The Services may contain links to third-party sites or allow you to connect third-party accounts. Their privacy practices are governed by their own policies. Financial institutions you link through Plaid are not controlled by us.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the “Effective date” above. If changes are material, we will provide additional notice as required by law (for example, email or in-product notice).

14. California and other U.S. state privacy rights

If you are a resident of a U.S. state with a comprehensive privacy law, you may have additional rights regarding access, deletion, correction, and opt-out of certain processing. We do not “sell” personal information or use sensitive data for inferring characteristics in a manner that violates those laws, except as disclosed above and as updated after counsel review. Contact privacy@advisoryflow.com to submit requests. You may designate an authorized agent where permitted by law.