Privacy Policy
Effective date: 22 June 2026 · Last updated: 22 June 2026
This Privacy Policy explains how Enrich Services (Private) Limited, trading as Localflow ("Localflow", "we", "us", or "our") collects, uses, and protects your information when you use our software-as-a-service platform at localflow.travel and any related applications (the "Service").
By using the Service, you agree to the collection and use of information as described in this policy.
1. Who We Are
Localflow is a workflow and operations management platform built for tour operators and travel businesses.
46/8A, Gemunu Place, Senanayake Mawatha, Nawala
Sri Lanka
Email: hello@localflow.travel
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Name and email address
- Password (hashed; never stored in plaintext)
- Profile photo (optional)
- Organisation name and details
2.2 Business Data You Enter
We store the business data you create within Localflow, including workflows, itineraries, and quotations; client and lead contact information; supplier profiles and pricing data; booking and payment records; and notes and documents you upload. This data is owned by you and your organisation. We process it only to provide the Service.
2.3 Calendar Integration (Google Calendar)
If you connect a Google Calendar account, we store OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM) in order to read and write calendar events on your behalf. We do not share calendar data with third parties. You can revoke access at any time from Settings → Integrations.
2.4 Usage and Technical Data
We automatically collect:
- Log data (IP address, browser type, pages visited, timestamps)
- Device information (operating system, browser version)
- Error and crash reports
- Feature usage events (e.g. which screens are used)
2.5 Payment Information
We do not store credit card numbers or full payment details. Payment processing is handled by Stripe (see Section 5). We store your Stripe Customer ID and subscription status.
2.6 Communications
If you contact support, we retain those communications. If you opt in to product emails, we store your email address for that purpose.
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service
- Process subscription payments and manage your account
- Send transactional emails (account verification, invitations, receipts)
- Provide AI-powered features (e.g. report generation) — see Section 5 for how prompts are processed
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Improve the Service through aggregated, anonymised analytics
We do not sell your personal data. We do not use your business data (client records, itineraries, etc.) to train AI models.
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we process personal data under the following bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Contract (Art. 6(1)(b)) |
| Processing payments | Contract (Art. 6(1)(b)) |
| Sending transactional emails | Contract (Art. 6(1)(b)) |
| Marketing emails (opt-in) | Consent (Art. 6(1)(a)) |
| Security, fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. Third-Party Data Processors
We share data with the following sub-processors as necessary to provide the Service. All sub-processors are bound by data processing agreements.
| Processor | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing, subscription management | Name, email, billing address, payment method metadata | stripe.com/privacy |
| Resend | Transactional email delivery | Email address, email content | resend.com/privacy |
| OpenAI | AI-powered features (e.g. report generation, AI chat) | Prompts containing workflow/itinerary data you submit to AI features | openai.com/policies |
| OAuth sign-in, Maps, Calendar integration, Places API | Email address (OAuth); location queries; calendar event data (if integration enabled) | policies.google.com | |
| Convex | Cloud database and backend infrastructure | All data stored in the Service | convex.dev/privacy |
| Vercel | Web hosting and edge delivery | IP address, request logs | vercel.com/legal |
We do not permit sub-processors to use your data for their own purposes beyond providing services to us.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion, then 30 days |
| Business data (workflows, clients, etc.) | Until account/organisation deletion, then 30 days |
| Calendar OAuth tokens | Until integration disconnected or account deleted |
| Payment records | 7 years (legal/tax obligation) |
| Audit logs | 2 years |
| Usage logs | 90 days |
| Support correspondence | 3 years |
You may request deletion of your data at any time (see Section 8).
7. Data Security
We implement the following measures to protect your data:
- All data in transit encrypted with TLS 1.2+
- Database at rest encrypted (AES-256)
- OAuth tokens encrypted at rest with AES-256-GCM
- Passwords hashed with bcrypt
- Multi-factor authentication (TOTP) available for all accounts
- Role-based access controls within organisations
- Audit logs for all sensitive operations
- Regular security reviews
No method of transmission or storage is 100% secure. We will notify you of any breach affecting your personal data as required by applicable law.
8. Your Rights
Depending on your location, you may have the following rights:
All users:
- Access your personal data (export available in Settings)
- Correct inaccurate data
- Delete your account and associated data
- Withdraw consent for marketing communications at any time
EEA / UK users (GDPR / UK GDPR):
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with your supervisory authority
California residents (CCPA/CPRA):
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of sale (we do not sell personal information)
- Right to non-discrimination for exercising your rights
To exercise any of these rights, email hello@localflow.travel. We will respond within 30 days (GDPR) or 45 days (CCPA).
9. Cookies
| Cookie Type | Purpose | Can be disabled? |
|---|---|---|
| Strictly necessary | Session management, authentication | No |
| Functional | User preferences | No |
| Analytics | Aggregated usage statistics | Yes |
You can manage cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Service.
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. International Data Transfers
We are based in Sri Lanka. Your data may be processed in countries outside your own, including the United States (where our cloud infrastructure providers operate). Where required by law, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses for EEA/UK transfers).
12. Changes to This Policy
We may update this policy from time to time. We will notify you by email or in-app notice at least 14 days before material changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
13. Contact Us
For privacy enquiries, data requests, or complaints:
Email: hello@localflow.travelPost: Enrich Services (Private) Limited (trading as Localflow), 46/8A, Gemunu Place, Senanayake Mawatha, Nawala, Sri Lanka
If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.