LocalflowSign in

Privacy Policy

Effective date: 22 June 2026 · Last updated: 22 June 2026

This Privacy Policy explains how Enrich Services (Private) Limited, trading as Localflow ("Localflow", "we", "us", or "our") collects, uses, and protects your information when you use our software-as-a-service platform at localflow.travel and any related applications (the "Service").

By using the Service, you agree to the collection and use of information as described in this policy.

1. Who We Are

Localflow is a workflow and operations management platform built for tour operators and travel businesses.

Contact:
Enrich Services (Private) Limited (trading as Localflow)
46/8A, Gemunu Place, Senanayake Mawatha, Nawala
Sri Lanka
Email: hello@localflow.travel

2. Information We Collect

2.1 Account Information

When you register, we collect:

  • Name and email address
  • Password (hashed; never stored in plaintext)
  • Profile photo (optional)
  • Organisation name and details

2.2 Business Data You Enter

We store the business data you create within Localflow, including workflows, itineraries, and quotations; client and lead contact information; supplier profiles and pricing data; booking and payment records; and notes and documents you upload. This data is owned by you and your organisation. We process it only to provide the Service.

2.3 Calendar Integration (Google Calendar)

If you connect a Google Calendar account, we store OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM) in order to read and write calendar events on your behalf. We do not share calendar data with third parties. You can revoke access at any time from Settings → Integrations.

2.4 Usage and Technical Data

We automatically collect:

  • Log data (IP address, browser type, pages visited, timestamps)
  • Device information (operating system, browser version)
  • Error and crash reports
  • Feature usage events (e.g. which screens are used)

2.5 Payment Information

We do not store credit card numbers or full payment details. Payment processing is handled by Stripe (see Section 5). We store your Stripe Customer ID and subscription status.

2.6 Communications

If you contact support, we retain those communications. If you opt in to product emails, we store your email address for that purpose.

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Process subscription payments and manage your account
  • Send transactional emails (account verification, invitations, receipts)
  • Provide AI-powered features (e.g. report generation) — see Section 5 for how prompts are processed
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Improve the Service through aggregated, anonymised analytics

We do not sell your personal data. We do not use your business data (client records, itineraries, etc.) to train AI models.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process personal data under the following bases:

PurposeLegal Basis
Providing the ServiceContract (Art. 6(1)(b))
Processing paymentsContract (Art. 6(1)(b))
Sending transactional emailsContract (Art. 6(1)(b))
Marketing emails (opt-in)Consent (Art. 6(1)(a))
Security, fraud preventionLegitimate interests (Art. 6(1)(f))
Legal complianceLegal obligation (Art. 6(1)(c))

5. Third-Party Data Processors

We share data with the following sub-processors as necessary to provide the Service. All sub-processors are bound by data processing agreements.

ProcessorPurposeData SharedPrivacy Policy
StripePayment processing, subscription managementName, email, billing address, payment method metadatastripe.com/privacy
ResendTransactional email deliveryEmail address, email contentresend.com/privacy
OpenAIAI-powered features (e.g. report generation, AI chat)Prompts containing workflow/itinerary data you submit to AI featuresopenai.com/policies
GoogleOAuth sign-in, Maps, Calendar integration, Places APIEmail address (OAuth); location queries; calendar event data (if integration enabled)policies.google.com
ConvexCloud database and backend infrastructureAll data stored in the Serviceconvex.dev/privacy
VercelWeb hosting and edge deliveryIP address, request logsvercel.com/legal

We do not permit sub-processors to use your data for their own purposes beyond providing services to us.

6. Data Retention

Data TypeRetention Period
Account dataUntil account deletion, then 30 days
Business data (workflows, clients, etc.)Until account/organisation deletion, then 30 days
Calendar OAuth tokensUntil integration disconnected or account deleted
Payment records7 years (legal/tax obligation)
Audit logs2 years
Usage logs90 days
Support correspondence3 years

You may request deletion of your data at any time (see Section 8).

7. Data Security

We implement the following measures to protect your data:

  • All data in transit encrypted with TLS 1.2+
  • Database at rest encrypted (AES-256)
  • OAuth tokens encrypted at rest with AES-256-GCM
  • Passwords hashed with bcrypt
  • Multi-factor authentication (TOTP) available for all accounts
  • Role-based access controls within organisations
  • Audit logs for all sensitive operations
  • Regular security reviews

No method of transmission or storage is 100% secure. We will notify you of any breach affecting your personal data as required by applicable law.

8. Your Rights

Depending on your location, you may have the following rights:

All users:

  • Access your personal data (export available in Settings)
  • Correct inaccurate data
  • Delete your account and associated data
  • Withdraw consent for marketing communications at any time

EEA / UK users (GDPR / UK GDPR):

  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to lodge a complaint with your supervisory authority

California residents (CCPA/CPRA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale (we do not sell personal information)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, email hello@localflow.travel. We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Cookies

Cookie TypePurposeCan be disabled?
Strictly necessarySession management, authenticationNo
FunctionalUser preferencesNo
AnalyticsAggregated usage statisticsYes

You can manage cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Service.

10. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. International Data Transfers

We are based in Sri Lanka. Your data may be processed in countries outside your own, including the United States (where our cloud infrastructure providers operate). Where required by law, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses for EEA/UK transfers).

12. Changes to This Policy

We may update this policy from time to time. We will notify you by email or in-app notice at least 14 days before material changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact Us

For privacy enquiries, data requests, or complaints:

Email: hello@localflow.travel
Post: Enrich Services (Private) Limited (trading as Localflow), 46/8A, Gemunu Place, Senanayake Mawatha, Nawala, Sri Lanka

If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.