Ovo Flow

Privacy Policy — Ovo Flow

Effective date: [TO BE FILLED — launch date] Last updated: 2026-04-23

1. Who we are

Ovo Flow (the "Service", "we", "us", "our") is a software-as-a-service platform for bakery businesses operated by 16259855 Canada Inc., a federally incorporated Canadian company doing business as "Ovo Flow" ("the Company"). Our registered office is [TO BE FILLED — registered address of the corporation]. You can contact us at privacy@ovoflow.app.

2. What this Policy covers

This Privacy Policy describes how we collect, use, disclose, and protect information when you:

  • Create a Ovo Flow account as a bakery owner, team member, or administrator ("Customer").
  • Interact with a bakery that uses Ovo Flow to receive orders (via Instagram, WhatsApp, our web storefront, or any other integrated channel), in which case you are a "End Customer" of that bakery.
  • Visit our website https://ovoflow.app or any subdomain thereof.

This Policy applies to personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), the General Data Protection Regulation (GDPR, EU/EEA), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and the Lei Geral de Proteção de Dados (LGPD, Brazil), among other applicable laws.

3. Information we collect

3.1 Information you give us directly (Customers)

  • Account info: name, email, password (hashed), business name, business address, country, preferred language and currency.
  • Team info: names, emails, and roles of team members you invite.
  • Payment info: processed by Stripe; we receive tokenized references, never your full card number.
  • Channel credentials: OAuth tokens for Instagram, WhatsApp Business API, Google Calendar, etc. Stored encrypted.

3.2 Information collected through integrations (End Customers of a bakery)

When an End Customer messages a bakery through a channel connected to Ovo Flow, we process, on the bakery's behalf:

  • Content of messages (text, images, audio) sent to/from the bakery.
  • Identifiers from the source channel (Instagram handle, WhatsApp number, Facebook page-scoped ID).
  • Delivery address if provided, food allergies if provided, order preferences.
  • Automated classifications generated by our AI model (e.g., "new order", "complaint", "delivery quote request").

In this context, the bakery is the Data Controller and Ovo Flow is the Data Processor (GDPR terminology). We only process End Customer data according to the bakery's instructions.

3.3 Information collected automatically

  • Log data (IP address, browser, OS, pages visited, timestamps).
  • Cookies and similar technologies (strictly necessary for authentication + privacy-preserving analytics via PostHog/Plausible; no third-party ad tracking).

4. How we use the information

| Purpose | Legal basis (GDPR) | |----------------------------------------|-------------------------------------| | Provide and operate the Service | Contract | | Process payments | Contract | | Route messages, generate AI responses | Contract (with bakery) / Legitimate interest (End Customer) | | Send transactional emails | Contract | | Send product updates and marketing | Consent (opt-in, revocable anytime) | | Comply with legal obligations | Legal obligation | | Security, fraud prevention | Legitimate interest | | Improve the Service (aggregated/anon.) | Legitimate interest |

5. AI processing

We use Claude (by Anthropic) and related large language models to generate bot replies, classify messages, and extract order details. Data sent to these models is processed under Anthropic's commercial Terms and is not used to train models. Customers can request an export of all prompts/responses tied to their business at any time.

6. Sharing of information

We share personal information only with:

  • Sub-processors we rely on to operate the Service: Supabase (database + auth, US/EU regions), Vercel (hosting, global edge), Anthropic (AI inference, US), Stripe (payments, global), Google (Maps, Calendar), Resend (transactional email), Meta (Instagram/WhatsApp APIs), Twilio or 360dialog (WhatsApp Business Platform), PostHog (product analytics). A current sub-processor list with regions and DPAs is available at https://ovoflow.app/sub-processors.
  • Legal authorities where required by valid legal process.
  • Business transfers (merger, acquisition) — users will be notified in advance.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

7. International data transfers

Data may be processed outside Canada, notably in the US and EU. We rely on Standard Contractual Clauses (SCCs) and, where applicable, the UK IDTA, plus the EU-US Data Privacy Framework where our US sub-processors are certified.

8. Retention

  • Customer account data: retained while your account is active, plus 90 days after deletion, then permanently deleted.
  • Billing records: retained for 7 years per Canadian tax law.
  • End Customer conversation data: retained for as long as the bakery keeps it in its Ovo Flow workspace. Bakeries can delete conversations at any time; deletions propagate within 30 days (backups rotate).

<a id="data-deletion"></a>

9. Your rights and data deletion

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Port your data in a machine-readable format.
  • Object to or restrict processing.
  • Withdraw consent at any time.
  • Lodge a complaint with a supervisory authority (Office of the Privacy Commissioner of Canada, or your local EU/UK DPA).

To exercise any right, email privacy@ovoflow.app. We respond within 30 days.

End Customers: please contact the bakery you interacted with in the first instance, since they are the Data Controller of your data. We assist them on request.

10. Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Row-Level Security at the database layer — each bakery's data is cryptographically isolated.
  • Role-based access controls for employees.
  • Annual third-party penetration testing (post-launch).
  • Incident notification within 72 hours where legally required.

11. Children

Ovo Flow is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, email privacy@ovoflow.app.

12. Changes

We will notify Customers by email at least 30 days before material changes take effect. The "Last updated" date above always reflects the current version.

13. Contact

Privacy questions: privacy@ovoflow.app General inquiries: hello@ovoflow.app Legal/DPO: legal@ovoflow.app Postal: 16259855 Canada Inc., [registered office address], Canada

Privacy Policy — Ovo Flow