This Security Policy is incorporated into and made a part of the written agreement between Fluincy and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Policy, this Security Policy shall govern.
Risk Management
Until Fluincy obtains its SOC 2 Type II audit, Fluincy will adopt or maintain a substantially equivalent, industry-recognized framework. Fluincy is not obligated to conduct security reviews or assessments through any platform (including customer or third party platforms).
Access Controls
Authentication
Overview: Fluincy requires authentication for access to all application pages on the Service, except for those intended to be public.
Secure Communication of Credentials: Fluincy currently uses encrypted requests to transmit authentication credentials to the Service.
Auth0 and Google Social Login:
In our commitment to maintain the highest level of privacy and security for our users, we utilize Auth0 as our identity provider to facilitate a seamless and secure login process. As part of this process, we offer the option to sign in using Google Social Login, leveraging Google user data to enhance your user experience. You access this by going through the sign-in process at https://dashboard.getfluincy.com and clicking Sign In.
Google Data Access and Usage
When you choose to log in using your Google account, we request access to specific information from your Google profile to authenticate you and provide a personalized experience on our platform. We strictly access and use this information in accordance with this privacy policy and Google's privacy standards.
The scope of the data access includes:
Email Address: We access your primary Google Account email address. This information is used to create or associate your user account on our platform, verify your identity, and facilitate communication with you regarding your account and our services.
Profile Information: We access your personal information, including any details you have made publicly available, such as your name and profile picture. This data helps us to personalize your experience on our platform.
Purpose and Consent
By choosing to log in with Google, you consent to allow us to access and use your Google user data as specified above. The purpose of accessing this information is to ensure a secure login process, improve your user experience by personalizing our services, and communicate with you effectively about your account and our services.
Data Privacy and Security
We take your privacy and data security seriously. We implement robust security measures to protect your information from unauthorized access, disclosure, alteration, or destruction. Your data is only used as outlined in this privacy policy and in accordance with our data protection practices.
Data Sharing
We do not share your Google user data with third parties without your explicit consent, except as necessary to provide our services or as required by law.
Data Retention
We retain your Google user data only for as long as necessary to provide our services to you, comply with our legal obligations, resolve disputes, and enforce our agreements.
Your Rights
You have the right to access, correct, or delete your personal information held by us. You can manage your data through your account settings or by contacting us directly. Additionally, you can revoke our access to your data via Google's security settings at any time.
Microsoft Enterprise Login
Overview: To support secure, enterprise-grade authentication, Fluincy offers the option to sign in using your organization’s Microsoft account through Microsoft Enterprise Login (Microsoft Entra ID / Azure Active Directory). This login method enables users to authenticate using existing corporate credentials, improving security, compliance, and ease of access.
Secure Authentication Process: When you choose to sign in with Microsoft, Fluincy uses industry-standard OAuth 2.0 and OpenID Connect (OIDC) protocols to authenticate your identity. Credentials are never shared with or stored by Fluincy; authentication occurs directly between your organization’s identity provider and our identity management layer (Auth0 or equivalent).
Microsoft Data Access and Usage:
If you elect to log in using your Microsoft account, Fluincy requests only the minimum necessary information required to authenticate you and create or associate your platform account. The scope of this data typically includes:
Email Address: Used to uniquely identify your account, facilitate login, and enable communication about your use of the Service.
Name and Profile Information: Used to personalize your Fluincy experience and associate your identity within your organization’s Fluincy workspace.
Organization/Directory ID (when applicable): Used to validate your organization for enterprise authentication and ensure secure, domain-based access control.
Fluincy does not request access to emails, calendars, contacts, files, or any other Microsoft 365 content.
Purpose and Consent: By choosing to authenticate with Microsoft Login, you consent to Fluincy accessing and using the above information solely for:
Secure authentication
Account creation or association
Personalizing your experience
Enabling enterprise access controls and permissions
No additional Microsoft data is accessed, processed, or retained beyond these purposes.
Data Privacy and Security: Fluincy implements robust security protocols aligned with modern identity standards to help protect your account information, including:
Encrypted transmission of all authentication data
Strict scope limitations to only required identity fields
No storage of Microsoft passwords or credentials
Enforcement of your organization’s MFA and conditional access policies, when configured
Fluincy does not share Microsoft login data with third parties except as required to provide the Service or comply with the law.
Data Retention: We retain identity attributes associated with your login (such as your name and email) only as long as your account remains active or as needed to comply with our legal obligations. You may request deletion or correction of your personal information at any time.
Revoking Access: You may revoke Fluincy’s access to your Microsoft account at any time through your Microsoft security and account settings. Revoking access may impact your ability to log in until another authentication method is configured.
Compliance with Microsoft Requirements: Fluincy’s use and handling of Microsoft login data adheres to the Microsoft identity platform policies and all applicable security and privacy standards required for enterprise authentication.
Google Drive Data (Optional)
Optional Use of Google Drive API: Our application offers enhanced features and functionality through integration with the Google Drive API. However, connecting your Google account is entirely optional and not required for the core functionality of our application.
Access (If Opted-In): If you choose to enable this feature, our application will request permission to access your Google Drive account. This includes the ability to view files and folders within Drive, which is necessary to enable specific functions, such as transcript analysis.
Use of Google Data (If Opted-In): If granted access, data from your Google Drive will be used solely to support features within the application — such as reading file metadata or analyzing Google Meet transcripts stored in user-specified folders. We do not use any Google Workspace data to develop, improve, or train generalized artificial intelligence (AI) or machine learning (ML) models. All processing is purpose-bound, limited in scope, and designed to enhance your partner workflow automation experience.
No Mandatory Storage or Sharing: We do not store your Google Drive data on our servers. Transcript files are accessed and processed only as needed, then purged from our systems. We never retain or share your Google data with third parties, unless explicitly authorized by you.
Security and Privacy Commitment: We employ industry-standard safeguards to protect your data and maintain your privacy. While we strive to secure all information, please be aware that no method of transmission or storage can be guaranteed 100% secure.
User Consent and Agreement: By choosing to connect your Google Drive account, you acknowledge and consent to the access and use practices described above.
Compliance with Google Policies: Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Zoom Data (Optional)
Our application integrates with the Zoom API to provide certain features and functionality to our users. In order to deliver these services, our application requires access to and use of Zoom user data, specifically data associated with Zoom meetings and recordings.
Access: Our application will request permission to access your Zoom account, including the ability to view your recorded meetings and associated data. This access is necessary for our application to perform the intended functions and provide the requested services.
Use: The data accessed from your Zoom account will only be used for the purposes of enabling specific features and functionality within our application. This may include, but is not limited to, transcript reading and analyzing Zoom meeting recordings that are stored within your Zoom account. We do not use or access any data outside the scope of our application's functionality.
Storage: Our application does not store or retain any Zoom user data on our own servers or systems. All data accessed and used by our application is processed in real-time and directly within the Zoom environment. We do not maintain a separate copy of your data outside of Zoom.
Sharing: Our application does not share any Zoom user data with third parties or external services. We do not transfer, sell, or disclose any user data accessed from Zoom to any external entities unless explicitly authorized and initiated by the user for the purpose of integrations with other services.
We are committed to safeguarding the privacy and security of your data. We adhere to industry-standard security measures to protect against unauthorized access, loss, or alteration of data. However, please note that the security of data transmitted over the internet or stored within Zoom cannot be guaranteed completely.
By using our application and granting access to your Zoom account, you acknowledge and agree to the access, use, storage, and sharing practices described in this privacy policy. For more information about how Zoom handles user data, please refer to Zoom's Privacy Policy.
Gong Data (Optional)
Our application integrates with the Gong API to provide certain features and functionality to our users. In order to deliver these services, our application requires access to and use of Gong user data, specifically data associated with Gong call recordings and transcripts.
Access: Our application will request permission to access your Gong account, including the ability to retrieve call transcripts and associated metadata. This access is necessary for our application to perform the intended functions and provide the requested services.
Use: The data accessed from your Gong account will only be used for the purposes of enabling specific features and functionality within our application. This may include, but is not limited to, analyzing call transcripts to identify key insights and partner-related opportunities. We do not use or access any data outside the scope of our application’s functionality.
Storage: Our application does not store or retain any Gong user data on our own servers or systems. All data accessed and used by our application is processed in real-time and directly within the Gong environment. We do not maintain a separate copy of your data outside of Gong.
Sharing: Our application does not share any Gong user data with third parties or external services. We do not transfer, sell, or disclose any user data accessed from Gong to any external entities unless explicitly authorized and initiated by the user for the purpose of integrations with other services.
We are committed to safeguarding the privacy and security of your data. We adhere to industry-standard security measures to protect against unauthorized access, loss, or alteration of data. However, please note that the security of data transmitted over the internet or stored within Gong cannot be guaranteed completely.
By using our application and granting access to your Gong account, you acknowledge and agree to the access, use, storage, and sharing practices described in this privacy policy. For more information about how Gong handles user data, please refer to Gong’s Privacy Policy.
Password Management
Fluincy has processes designed to enforce minimum password requirements for the Service.
Password Storage. User account passwords are not stored on the Service.
Session Management
Overview
Each time a User signs in, the Service assigns them a new, unique session identifier.
Session Timeout. All sessions are designed to have a hard timeout.
Sign Out
When signing out, the Service is designed to delete the session cookie from the User’s system and to invalidate the session identifier on Fluincy servers.
Network and Transmission Controls
Fluincy monitors and updates its communication technologies periodically with the goal of providing network security.
Network Security
Fluincy regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Infrastructure Security
Fluincy uses security monitoring tools on the production servers hosting the Service.
Data Flow via the Pandium Integration Platform as a Service (iPaaS)
Usage of Pandium iPaaS: When utilizing our services, data may flow through or be processed by the Pandium Integration Platform as a Service (“Pandium iPaaS”). Pandium is a third-party service that we utilize to facilitate OAuth authentication, integration setup, and secure data exchange between Fluincy and various external platforms.
Data Security: While data is transmitted or processed through Pandium iPaaS, we take all reasonable precautions to ensure its security and confidentiality. This includes applying security protocols and standards recommended by Pandium, as well as implementing additional measures we deem necessary to protect user data.
Data Processing Scope: Pandium handles integration authentication, connection management, and secure pass-through of customer data as needed for the operation of connected integrations. Pandium does not have access to or store customer transcript data processed by Fluincy unless such access is explicitly required and authorized to maintain integration functionality.
Data Retention: Any data transmitted through Pandium iPaaS is not stored longer than necessary for the intended integration purpose. Fluincy adheres to its established data retention practices and policies, which are designed to protect customer information and comply with relevant regulations. Pandium maintains its own retention practices for metadata necessary to support integration functionality.
Third-party Responsibilities: While we take steps to ensure the safety and security of your data, Pandium is an independent third-party service. Although we select reputable partners, we cannot assume liability for breaches or data losses that occur solely within Pandium’s infrastructure. We recommend reviewing Pandium’s own Terms of Service and Privacy Policy to understand their data-handling practices.
Data Transfer: Customers acknowledge that data processed by Pandium iPaaS may flow through servers or data centers operated by Pandium, potentially spanning multiple jurisdictions. We endeavor to work with infrastructure that adheres to globally recognized data protection standards.
Notification: In the unlikely event of a breach or vulnerability affecting data transmitted via Pandium iPaaS, Fluincy will notify affected customers as required by applicable laws and take appropriate steps to mitigate potential harm.
Use of OpenAI and Anthropic APIs for Data Processing
To enhance the quality of our services, Fluincy integrates advanced AI capabilities using either the OpenAI or Anthropic API. This section explains our approach to processing customer-provided data through these APIs, ensuring data privacy and security while delivering valuable insights.
Purpose of Data Processing
Both the OpenAI and Anthropic APIs are utilized to improve Fluincy’s capacity to interpret and extract relevant insights from customer-provided transcripts. These AI tools allow us to efficiently analyze conversational data, identify key topics, and capture contextual information, enabling us to tailor our services to your specific needs.
Nature of the Data Processed
Fluincy processes textual data from transcripts or other similar customer communications through either the OpenAI or Anthropic API. This data is used solely to extract pertinent information and insights that support your interactions with our platform.
Data Confidentiality and Security
We place the highest priority on data confidentiality and employ stringent security measures for any data processed through the OpenAI or Anthropic APIs. Access is controlled and monitored, with usage limited strictly to the purposes outlined here. We do not retain, store, or use your data beyond what is necessary to achieve these objectives.
Compliance with Data Protection Laws
Our application of either the OpenAI or Anthropic API is compliant with applicable data protection laws and regulations. Fluincy is committed to maintaining rigorous privacy standards and ensuring all data processing practices adhere to both legal and ethical frameworks.
Customer Consent
By using our services and providing transcripts, you consent to the processing of this data through either the OpenAI or Anthropic API under the terms described in this policy. Customers retain the right to withdraw consent at any time, as outlined in our general privacy policy.
Policy Updates
To reflect advancements in technology or changes in data privacy standards, we may amend this section to update our data processing practices. Any substantial modifications impacting data processing will be communicated to customers.
Data Retention, Removal, and Storage Policy for Slack Integration
Data Retention
Fluincy only transmits data to Slack and does not receive any data from Slack. We do not retain any data related to our users’ Slack workspace, ensuring that no Slack-related information is stored within our systems. The data sent to Slack is ephemeral and is used solely for the purpose of facilitating communication between Fluincy and Slack.
Data Removal
Since Fluincy does not store any data related to Slack, there is no data to be removed from our systems. However, any data shared via Slack is subject to Slack’s own data retention policies. We encourage users to review Slack’s privacy and data retention policies for information on how Slack manages and deletes data.
Data Storage
As Fluincy does not store any Slack data, there are no storage considerations required within our systems for data originating from Slack. All interactions with Slack are conducted in real-time and are not persisted within Fluincy’s infrastructure.
Any request regarding Slack data can be sent to support@fluincy.ai.
Microsoft Teams Integration and Data Use
Purpose of the Microsoft Teams Integration
Fluincy integrates with Microsoft Teams to deliver real-time notifications and actionable insights directly into a user’s Teams environment. This integration allows Fluincy to send bot messages to individuals or channels for the purpose of surfacing partner opportunities, contextual insights derived from customer conversations, or workflow-related updates.
Fluincy’s Teams integration is send-only and does not access or read any user content from Teams.
Data Access
Fluincy uses the Microsoft Bot Framework and/or Microsoft Graph API to request only the minimum permissions required to deliver outbound messages. Fluincy does not request or access:
Teams messages or message history
Chat metadata
Channel membership or roster information
Files, recordings, transcripts, or shared content
User or tenant data beyond what is strictly required for message delivery
Fluincy does not read, listen to, or monitor any user activity within Teams.
Data Usage
Fluincy only transmits outbound bot messages into Teams. These messages may include:
Partner recommendations
Contextual insights related to opportunities
Integration or workflow-related notifications
Fluincy does not retrieve or process any data from Microsoft Teams and does not ingest any Teams content.
Data Storage
Fluincy does not store Teams messages, channel information, or content. Fluincy maintains only the authorization information necessary to send bot messages (such as bot credentials or tokens), and no Teams user-generated content is stored within Fluincy’s infrastructure.
All messages sent into Teams are subject to the retention policies of the customer’s Microsoft 365 tenant.
Data Retention and Removal
Because Fluincy does not store any Teams data, there is no Teams-related content for Fluincy to delete. Any data or messages transmitted into Microsoft Teams are controlled and retained according to the Microsoft 365 retention settings configured by the customer’s organization.
Compliance with Microsoft Policies
Fluincy’s use of Microsoft Teams adheres to:
Microsoft Bot Framework policies
Microsoft Graph API data access requirements
Microsoft 365 and Azure security and privacy standards
Fluincy does not use any Microsoft Teams data for model training, analytics, or any purpose outside delivering outbound notifications.
Data Subject Access Rights
At Fluincy, we recognize and respect your data protection rights. Depending on where you reside, you may have the following rights:
Right to Access: You have the right to request details about the specific data we hold about you and how we process it.
Right to Rectification: If you believe that personal data we hold about you is inaccurate or incomplete, you have the right to request its correction.
Right to Erasure (‘Right to be Forgotten’): In certain circumstances, you can request the deletion of your personal data from our records.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly-used, and machine-readable format, and you have the right to transmit that data to another data controller.
Right to Object: In specific situations, you have the right to object to the processing of your personal data.
Right to Restrict Processing: You can ask us to suspend the processing of your personal data in certain scenarios, e.g., if you want us to establish its accuracy or the reason for processing it.
Right to Withdraw Consent: If we're processing your personal data based on your consent, you have the right to withdraw that consent at any time.
If you wish to exercise any of these rights or have questions about them, please contact us using the contact details provided in this policy. We're committed to responding to your requests in a timely manner.
Please note that these rights may be limited, for instance, where fulfilling your request would adversely affect the rights and freedoms of others, where there are overriding public interest reasons, or if we're legally required to retain your data.
Data Confidentiality and Job Controls
Internal Access to Data
Access to Customer Data is restricted within Fluincy to employees and contractors who have a need to know this information to perform their job function, for example, to provide Support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).
Job Controls
Fluincy has implemented several employee job controls designed to help protect Customer Data stored on the Service.
Availability Controls
Disaster Recovery
The infrastructure for the Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes.
Features include:
Data replication: To help ensure availability in the event of a disaster, Fluincy replicates Customer Data across multiple data centers.
Backups: Fluincy performs backups of Customer Data stored on the Service.
Incident Response
Fluincy has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
Segregation Controls
Data Segregation
The Service is designed to logically separate Customer’s Customer Data from that of other customers. Fluincy’s application logic is designed to enforce this segmentation by permitting each User access only to accounts to which that User has been granted access.
User Roles
User roles specify different levels of permissions that Customer can use to manage its Users. Customer can invite Users to its Service account without giving all Users the same levels of permissions.
Liability for Data Sharing
Fluincy provides a platform that enables customers to identify and share insights with their partners based on customer conversations. While Fluincy facilitates these interactions, the decision to share any data with partners or third parties rests solely with the customer.
By using Fluincy, you acknowledge that Fluincy is not responsible or liable for how a partner or third party accesses, uses, or processes any information you choose to share. Customers are responsible for managing their data-sharing settings and ensuring compliance with their internal policies and any applicable laws or regulations. We encourage customers to establish appropriate agreements with their partners regarding data usage and confidentiality.

