QONFLO AI — PRIVACY POLICY

Last Updated: 10 February 2026

This Privacy Policy explains how Qonflo AI ("Qonflo AI", "we", "us", or "our") collects, uses, shares, and protects Personal Data when you: visit our websites and pages that link to this Privacy Policy (the "Site"); create an account, administer an account, or otherwise use our software platform and related services (the "Services"); contact us for support, sales, onboarding, or other inquiries; or receive marketing communications from us (where permitted by law). This Privacy Policy should be read together with our Terms and Conditions of Service.

1. Scope and Roles (Controller vs. Processor)

  1. When Qonflo AI acts as a Controller
    • Qonflo AI acts as a Personal Data Controller when we determine the purposes and means of processing, such as for:
    1. account administration and billing for Customers and users who sign up;
    2. sales/marketing and relationship management with prospects and Customers;
    3. operating the Site, analytics, and security; and
    4. compliance and legal obligations.
    • In these situations, this Privacy Policy describes our processing.
  2. When Qonflo AI acts as a Processor (Customer Data)
    • When a business Customer uses Qonflo AI to manage contacts and communicate with End Users (for example via WhatsApp), Qonflo AI generally acts as a Personal Data Processor on behalf of the Customer, and the Customer is the Personal Data Controller for that Customer Data.
    • In those cases:
    1. the Customer decides what Personal Data is collected and used, who is messaged, what is sent, and why; and
    2. Qonflo AI processes Customer Data to provide the Services, secure them, and support the Customer.
    • If you are an End User receiving messages from a Qonflo AI Customer, your privacy questions and requests should usually be directed to the business that contacted you, because that business controls the processing.
    • If you are a Customer and need a DPA, you may request one by contacting us (see Section 14).

2. Definitions

  • Personal Data means information relating to an identified or identifiable individual, as defined under applicable data protection laws (including Indonesia’s PDPL and implementing regulations).
  • Customer Data means data submitted to or processed through the Services by or on behalf of a Customer (including messages, contact lists, CRM records, and metadata).
  • End User means an individual with whom a Customer communicates using the Services (e.g., the Customer’s customer, lead, patient, student, user).
  • Meta Platforms includes Meta Platforms, Inc. and its affiliates and products/services, including the WhatsApp Business Platform.

3. Personal Data We Collect

  1. Personal Data you provide to us (Controller context)
    • We may collect the following categories of Personal Data when you interact with us directly:
    1. Account and profile data
      1. name, email address, phone number
      2. company name, job title, department
      3. login and authentication data (e.g., encrypted password, SSO identifiers)
    2. Billing and payment-related data
      1. billing address, tax information (if applicable)
      2. invoice details and payment status
      3. Note: We typically use third-party payment processors; we may not store full card numbers.
    3. Communications
      1. messages you send to us (support tickets, emails, feedback)
      2. call recordings or meeting notes where permitted by law and with notice/consent where required
    4. Customer reference/marketing preferences
      1. preferences for receiving marketing communications
      2. opt-in/opt-out records
  2. Personal Data collected automatically (Site/Services usage)
    • When you access the Site or Services, we may automatically collect:
    1. Device and technical data
      1. IP address, device identifiers
      2. browser type, operating system
      3. language, time zone
    2. Usage and log data
      1. pages/screens visited, features used, timestamps
      2. event logs, error logs, audit logs
      3. approximate location derived from IP (not precise GPS unless you explicitly provide it)
    3. Cookies and similar technologies
      1. We use cookies and similar technologies as described in Section 9.
  3. Personal Data from third parties
    • We may receive Personal Data from:
    1. your employer or organization if they create your user account;
    2. resellers/partners or referral sources (where applicable);
    3. Third-Party Services you connect (integrations), based on your configuration and permissions; and
    4. Meta Platforms in connection with WhatsApp Business Platform operations (see Section 8), depending on what you connect and how the integration works.
  4. Customer Data processed through the Services (Processor context)
    • Customers may upload or generate Customer Data in the Services, which may include:
    1. End User identifiers and contact data (names, phone numbers, emails, customer IDs)
    2. conversation content (message text, attachments) where enabled by the Customer
    3. messaging metadata (timestamps, delivery status, conversation IDs)
    4. CRM records (notes, tags, deal stages, custom fields)
    5. support and operational information included by Customers
    • Important: Qonflo AI does not decide what Customer Data a Customer collects or sends. Customers are responsible for ensuring they have a lawful basis/consent to provide and process this data.

4. How We Use Personal Data (Purposes)

  1. To provide and operate the Services
    1. create and manage accounts
    2. authenticate users and enable access controls
    3. provide requested features (CRM, messaging, dashboards, automations, APIs)
    4. process transactions and send invoices/receipts
  2. To secure and maintain the Services
    1. monitor for suspicious activity, fraud, abuse, and security incidents
    2. troubleshoot, error detection, performance monitoring
    3. enforce our Terms and prevent prohibited use
  3. To provide support and communicate with you
    1. respond to inquiries and support requests
    2. send administrative messages (service notices, security alerts, billing notices)
  4. To improve and develop our products (including analytics)
    1. analyze feature usage and performance
    2. improve reliability, user experience, and security
    3. develop new features and integrations
    • Where possible, we use aggregated and/or de-identified data for analytics and service improvement.
  5. Marketing and sales (where permitted)
    1. send product updates, newsletters, event invitations, and promotional communications
    2. personalize marketing based on your interactions
    • You can opt out at any time (see Section 11).
  6. Legal compliance
    1. comply with applicable laws, regulations, lawful requests, and legal processes
    2. protect rights, safety, and property of Qonflo AI, Customers, End Users, and the public

5. Legal Bases for Processing (Where Required)

  • Depending on applicable law and the specific context, Qonflo AI processes Personal Data on one or more of the following bases:
  1. Consent (e.g., marketing where consent is required; certain cookies)
  2. Contract necessity (e.g., to provide the Services you requested)
  3. Legal obligation (e.g., tax, accounting, compliance requests)
  4. Legitimate interests (e.g., securing and improving the Services, preventing fraud), balanced against your rights and interests
  5. Vital interests / public interest (in limited circumstances, where applicable)
  • For Customer Data processed on behalf of Customers, the Customer is responsible for establishing the appropriate legal basis and providing required notices and consents to End Users.

6. Sensitive / Specific Personal Data

  1. Our approach
    • We do not intentionally request “sensitive” or “specific” categories of Personal Data (such as health data, biometrics, genetic data, political opinions, sexual orientation, criminal records, or precise financial credentials), unless explicitly needed for a specific use case and handled in compliance with applicable law.
  2. Customer Data may include sensitive data
    • Customers may choose to store or transmit such data within Customer Data. In that case:
    1. the Customer is responsible for ensuring lawful processing; and
    2. Qonflo AI will process such data only as necessary to provide the Services and as instructed by the Customer.

7. How We Share Personal Data

  1. Service providers (sub-processors)
    • We use trusted vendors to help deliver the Services, such as:
    1. cloud hosting and infrastructure
    2. analytics and monitoring
    3. customer support tools
    4. email delivery and communications
    5. payment processing
    6. security tools and fraud prevention
    • These vendors are authorized to process Personal Data only as necessary to provide services to us and are bound by confidentiality and appropriate data protection obligations.
  2. Third-Party Services and integrations you enable
    • If you choose to connect Third-Party Services (including Meta Platforms / WhatsApp), we will share/receive data as required to make the integration work, based on your settings and permissions.
  3. Corporate transactions
    • If we are involved in a merger, acquisition, restructuring, financing, or sale of assets, Personal Data may be transferred as part of that transaction, subject to appropriate safeguards.
  4. Legal and safety reasons
    • We may disclose Personal Data if we believe in good faith that disclosure is necessary to:
    1. comply with law, regulation, court order, or lawful government request;
    2. enforce our Terms, investigate suspected violations, or protect platform integrity;
    3. detect, prevent, or address fraud, abuse, security, or technical issues; or
    4. protect the rights, property, or safety of Qonflo AI, our users, Customers, End Users, or the public.
  5. With your direction or consent
    • We may share data when you direct us to do so or when we have your consent.

8. WhatsApp / Meta Platforms Data (Important)

  • If a Customer connects the Services with the WhatsApp Business Platform (or other Meta services), then:
  1. Meta is a separate platform
    • Meta Platforms controls its services, policies, availability, and enforcement.
  2. Customer is the sender/controller
    • The Customer controls message content, recipients, and purpose.
  3. Data may flow through Meta
    • Message content and metadata may be transmitted to and from Meta Platforms as part of delivering the messaging service.
  4. Policy compliance
    • Customers are responsible for complying with WhatsApp/Meta policies, including consent and opt-out requirements.
  5. Qonflo AI disclosures to Meta
    • Qonflo AI may share limited data, logs, and metadata with Meta Platforms where required to:
    1. enable the integration,
    2. comply with Meta policies,
    3. investigate messaging quality/compliance issues, or
    4. respond to enforcement actions.

9. Cookies and Similar Technologies

  • We use cookies and similar technologies on the Site and, where applicable, within the Services.
  • Cookies may be used for:
  1. Strictly necessary (security, authentication, session management)
  2. Preferences (language, settings)
  3. Analytics (understanding Site/Services usage and performance)
  4. Marketing (where enabled and permitted)
  • You can control cookies through your browser settings. If you disable cookies, some features may not function properly.
  • If your jurisdiction requires cookie consent banners or specific opt-in mechanisms, we will provide them where applicable.

10. Data Retention

  • We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy, including:
  1. to provide the Services and maintain business records
  2. to comply with legal, accounting, and tax obligations
  3. to resolve disputes and enforce agreements
  4. to maintain security logs and prevent abuse
  • Customer Data retention: For Customer Data processed as a Processor, retention is generally controlled by the Customer’s use of the Services, plan settings, and contractual terms. After termination, we may delete Customer Data after a reasonable period, subject to legal obligations and backup cycles.

11. Your Rights and Choices

  • Depending on applicable law (including the PDPL), you may have rights such as:
  1. Right to information about processing activities
  2. Right of access to your Personal Data
  3. Right to correction/rectification
  4. Right to deletion/erasure or destruction (subject to legal exceptions)
  5. Right to withdraw consent (where processing is based on consent)
  6. Right to object to certain processing (e.g., direct marketing)
  7. Right to restrict or delay processing in certain circumstances
  8. Right to data portability (where applicable)
  9. Rights related to automated decision-making (where applicable)
  1. How to exercise your rights
    1. your name and contact details,
    2. the relationship you have with Qonflo AI (Customer user, prospect, etc.),
    3. the request you want to make, and
    4. enough information for us to verify your identity.
  2. End Users receiving messages from Customers
    • If you are an End User and want to exercise rights relating to messages you received from a business using Qonflo AI, please contact that business directly.
    • We may assist Customers in fulfilling requests where applicable and where we are permitted to do so.
  3. Marketing opt-out
    • You can opt out of marketing emails at any time using the unsubscribe link in the email or by contacting us at admin@qonflo.ai.
    • Administrative/service communications (e.g., billing, security notices) are not marketing and may still be sent.

12. Security

  1. Safeguards
    • We implement reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.
    • However, no method of transmission or storage is 100% secure.
    • You are responsible for maintaining the confidentiality of your account credentials and using appropriate security controls (e.g., strong passwords, 2FA where available).
  2. Data breach notifications
    • If we become aware of a Personal Data breach, we will assess and take reasonable steps to mitigate it and will notify affected parties and/or regulators as required by applicable law.

13. International (Cross-Border) Transfers

  • Our service providers and infrastructure may be located in multiple countries. As a result, Personal Data may be transferred to and processed in countries other than where you live.
  • Where required by law, we will implement appropriate safeguards for cross-border transfers (for example, contractual protections and other lawful mechanisms).

14. Children’s Privacy

  • The Services are not intended for children, and we do not knowingly collect Personal Data from individuals under 18 (or the age of majority in the relevant jurisdiction).
  • If you believe a child has provided Personal Data to us, contact us at admin@qonflo.ai.

15. Third-Party Links

  • The Site or Services may contain links to third-party websites or services.
  • Their privacy practices are governed by their own policies, not this Privacy Policy.
  • We are not responsible for third-party privacy practices.

16. Changes to This Privacy Policy

  • We may update this Privacy Policy from time to time.
  • We will post the updated version and revise the “Last Updated” date.
  • If changes are material, we may provide additional notice as required by law.
  • Your continued use of the Site/Services after the effective date of an updated Privacy Policy constitutes acceptance to the extent permitted by law.

17. Contact Us

  • If you have questions or requests regarding this Privacy Policy or our privacy practices, contact:
    • Qonflo AI
    • Email: admin@qonflo.ai
    • Address: Intiland Tower, 3rd Floor (Subco), Jl. Panglima Sudirman No. 101–103, Surabaya, East Java 60271, Indonesia