Privacy Policy

Legal name: Targeted Flow Analytics (trading as TargetedFlow)
Location: Laguna, Philippines
Contact: support@targetedflow.com

Targeted Flow Analytics is a sole proprietorship registered in the Philippines under the Department of Trade and Industry (DTI).

For the purposes of applicable data protection law, Targeted Flow Analytics acts as:

• Data Controller — for personal data relating to user accounts (admins, managers, and members who use the Service).
• Data Processor — for appointment, contact, and calendar data that our clients (GoHighLevel agencies) sync into the Service from their GoHighLevel sub-accounts. In this capacity, we process data on behalf of and under the instructions of our clients, who remain the Data Controllers for that data.

2.1 Account Data

When you register for an account or are invited to join a workspace, we collect:

• Full name
• Email address
• Password (hashed — we never store plaintext passwords)
• Role within your organization (admin, manager, or member)

2.2 GoHighLevel Integration Data

When you connect a GoHighLevel sub-account to ApptFlow using a Private Integration Token (PIT), we sync and store the following data from your GoHighLevel account:

• Appointment details (title, date, time, status, notes)
• Contact information (name, email address, phone number)
• Calendar names and identifiers
• Location (sub-account) names and identifiers

This data originates from and remains the responsibility of the agency (our client). We process it solely to provide the Service.

2.3 Payment Data

Subscription payments are processed by PayMongo (PayMongo Philippines Inc.). We do not store your full card number, CVV, or bank account details. PayMongo provides us with a transaction reference and billing status. See PayMongo's Privacy Policy for how they handle payment data.

2.4 Communications Data

If you contact us via our contact form or by email, we collect your name, email address, phone number (if provided), and the content of your message.

2.5 Technical Data

Our hosting provider (Vercel) may log standard server information such as IP addresses and request timestamps for security and infrastructure purposes. We do not use third-party analytics tools, advertising trackers, or behavioral tracking scripts.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

We share personal data with the following sub-processors solely to operate the Service:

All US-based providers are required to comply with applicable US data protection standards. Where required by UK GDPR or the Philippine Data Privacy Act, appropriate data transfer safeguards (including standard contractual clauses where applicable) are or will be in place.

We do not share your data with any other third parties unless required to do so by law or with your explicit consent.

• Account data — retained for as long as your account is active. If you close your account, account data is deleted within 30 days, except where we are required by law to retain certain records.
• GHL integration data (appointments, contacts, calendars) — retained in ApptFlow for as long as the connected GoHighLevel sub-account (location) remains active in the Service. When a sub-account is disconnected and removed, all associated appointment and contact data is deleted from our systems. The original data remains in your GoHighLevel account.
• Payment records — retained for a minimum of 10 years in accordance with Philippine tax and accounting requirements.
• Contact form submissions — retained for up to 2 years, then deleted.

Depending on your location, you may have the following rights regarding your personal data:

Under the Philippine Data Privacy Act (RA 10173)

• Right to be informed — know that your data is being collected and processed.
• Right of access — request a copy of your personal data.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data.
• Right to object — object to processing for direct marketing or other purposes.
• Right to data portability — receive your data in a portable format.
• Right to damages — seek compensation if your rights under the DPA have been violated.

Under UK GDPR (for UK-based users)

• All rights listed above, plus:
• Right to restrict processing — limit how we use your data in certain circumstances.
• Right to lodge a complaint — with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Under CCPA/CPRA (for California-based users)

• Right to know — what personal data we collect and how it is used.
• Right to delete — request deletion of your personal data.
• Right to opt-out of sale — we do not sell personal data.
• Right to non-discrimination — exercising your rights will not affect your access to the Service.

To exercise any of these rights, email us at support@targetedflow.com. We will respond within 30 days.

The ApptFlow application uses only essential session cookies required for authentication (managed by Supabase Auth). We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

The marketing website (targetedflow.com) does not use any tracking or analytics cookies.

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission (TLS/HTTPS) on all connections
• Hashed password storage via Supabase Auth
• Row-Level Security (RLS) policies enforcing strict data isolation between tenants
• GoHighLevel Private Integration Tokens (PITs) encrypted at rest
• Role-based access control limiting data visibility within your organization

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at support@targetedflow.com.

Targeted Flow Analytics is based in the Philippines. Our infrastructure providers (Supabase, Vercel, Resend) are based in the United States. By using the Service, your data may be transferred to and processed in the United States.

For users in the United Kingdom, we are in the process of implementing appropriate transfer safeguards as required under UK GDPR, including registration with the UK Information Commissioner's Office (ICO).

The Service is intended for business use by adults (18 years and older). We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact us at support@targetedflow.com and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and notify active subscribers by email at least 14 days before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your data rights:

Targeted Flow Analytics
Laguna, Philippines
Email: support@targetedflow.com

For UK users, you may also contact the UK ICO at ico.org.uk.

For Philippine users, you may contact the National Privacy Commission at privacy.gov.ph.