Privacy policy

Privacy policy for the FRA Flow website and app.

UK GDPR and EU GDPR compliant. Each section starts with a plain-English summary; the detail follows. Together with our Terms of Service this is what governs how we handle your data.

Last updated 15 May 2026

FRA Flow (“FRA Flow”, “we”, “us”, “our”) operates the public website at www.fraflow.com (the “Site”) and the FRA Flow application at app.fraflow.com (the “App”). This Privacy Policy explains how we collect, use, share, and protect personal data, and what rights you have under UK GDPR, EU GDPR, and other applicable laws.

It applies to visitors to the Site, users of the App on every tier, and people whose personal data appears in Customer Data uploaded to the App by a customer organisation. Where there is a conflict between this policy and a written Data Processing Agreement (DPA) signed with a customer, the DPA prevails for that customer’s Customer Data.

2. Who is the controller?

Plain English Summary

For data you put into the App on behalf of your organisation (observations, photos, reports), your organisation is the "controller" and FRA Flow is the "processor" — we handle the data on your instructions. For your account and billing data, FRA Flow is the controller. For marketing-site visits, FRA Flow is the controller.

UK GDPR and EU GDPR rights and obligations are split between controllers (who decide why and how data is processed) and processors (who handle data on behalf of a controller).

Data | Role of FRA Flow | Customer organisation
Customer Data: observations, photos, voice notes, narrative paragraphs, AI prompt and audit data, generated reports, audit-trail events | Processor (Article 28) | Controller
Account data: name, email, professional registration field, workspace membership, login events | Controller | n/a
Billing data: company billing details, payment-method tokens (Stripe), invoices | Controller | n/a
Service-operations data: error logs, performance metrics, feature-usage counters | Controller | n/a
Marketing-site visitor data: contact-form submissions, email enquiries | Controller | n/a

For Customer Data, individuals exercising data-subject rights should usually approach the customer organisation that controls the data. We’ll support the customer in responding, as required by Article 28.

3. Information we collect

Plain English Summary

Account info from Clerk + your profile. Customer Data you upload (observations, photos, voice notes, reports). Billing info when paid tiers go live. On the marketing website only, Google Analytics 4 runs once you accept the cookie banner; no advertising or cross-site trackers anywhere. AI inference data goes to our AI sub-processor for each generation, then it's not kept.

3.1 Information you provide directly. Account data (name, email, optional professional registration field, workspace organisation, role assignments, sign-in events handled by Clerk). Customer Data (uploaded to the App by you or your colleagues; your organisation is the controller). Billing data (when paid tiers go live, via Stripe). Marketing-site contact data (name, email, message content if you contact us).

3.2 Information collected automatically. First-party Site analytics: page views, route, referrer, anonymised IP, browser and device characteristics. We use Vercel Analytics (first-party, no third-party cookies) across the marketing website and the App.

On the marketing website only, we also run Google Analytics 4 (measurement ID G-KV9PV79FG5) once you click Accept on the cookie banner. Until you do, every Consent Mode storage flag defaults to denied, so no GA cookie is set and no hit is sent. We use IP anonymisation and do not enable Google Signals or remarketing. We do not use Meta Pixel, LinkedIn Insight Tag, Mixpanel, Hotjar, Amplitude, or any cross-site advertising tracker.

App usage analytics: feature-usage counters, sign-in events, error logs (with stack traces but no Customer Data payloads), performance traces. The authenticated App (app.fraflow.com) does not run Google Analytics.

3.3 Information from third parties. Authentication identity from Clerk when you sign in (email, name, optional avatar). Marketing referrers from search engines or other sites in our first-party logs. We do not purchase data from data brokers, do not enrich customer records with third-party datasets, and do not run social-login bridges.

3.4 AI inference data. When an assessor clicks Generate in the App, the structured evidence (observation descriptions, location labels, voice-note transcripts, risk ratings, BS 9792 section context) is sent to our AI sub-processor (Anthropic Claude, accessed via OpenRouter pre-pilot and Anthropic’s EU instance post-pilot) to generate narrative paragraphs. Voice notes are transcribed by AssemblyAI (EU) when uploaded.

We do not, and our AI sub-processors do not, use Customer Data to train, fine-tune, or otherwise improve generally available AI models. Customer Data is used to generate output for that specific inference and is not retained by the AI sub-processor beyond the period necessary to return that output, subject to the AI sub-processor’s standard processing logs.

Every AI-drafted paragraph in the App carries an audit row recording the model version, prompt hash, declared inputs, and evidence cited. This audit data is part of your Customer Data.

4. Why we use your data

Plain English Summary

We use your data for a specific reason for each type. Most of it is to provide the Service you signed up for (contractual basis); a small amount is for security and product improvement (legitimate interests); marketing emails would only ever go out with your consent.

Purpose | Data used | Legal basis (UK GDPR)
Provide and operate the App and Site | Account data, Customer Data, AI inference data | Contract — Article 6(1)(b); Article 28 instructions for Customer Data
Bill you and process payments | Billing data | Contract — Article 6(1)(b); legal obligation — Article 6(1)(c)
Keep the Service secure | Account data, error logs, IP addresses, audit-trail events | Legitimate interests — Article 6(1)(f)
Improve the Service | Usage analytics, error logs | Legitimate interests — Article 6(1)(f)
Respond to enquiries | Marketing-site contact data | Legitimate interests — Article 6(1)(f)
Send marketing emails (when active; not pre-pilot) | Email address | Consent — Article 6(1)(a) and PECR
Comply with legal obligations | Whatever the obligation requires | Legal obligation — Article 6(1)(c)

We balance our legitimate interests against your rights and freedoms before relying on Article 6(1)(f). You can object to processing on this basis at any time — see clause 9.

5. Who we share data with

Plain English Summary

We share data with sub-processors who help us run the Service (auth, hosting, AI inference, voice transcription, async jobs, payments). Each one is bound by a written contract that mirrors UK GDPR Article 28. We do not sell personal data and we do not share it with advertisers.

Sub-processors. The current list is also published at /security/.

Sub-processor | Purpose | Region
Clerk | Authentication, session management | US / EU
Neon | Primary Postgres database | UK / EU
Cloudflare R2 | Object storage (photos, voice, PDFs, logos) | UK / EU
Anthropic (via OpenRouter pre-pilot, Anthropic EU direct post-pilot) | AI inference for narrative paragraph drafting | EU post-pilot; multi-region pre-pilot
AssemblyAI EU | Voice-note transcription | EU
Inngest EU | Async job orchestration (PDF generation) | EU
Vercel | Hosting and edge delivery | Primarily EU
Google LLC (Google Analytics 4) | Marketing-site traffic analytics, after cookie consent | US (UK IDTA + EU SCCs in place)
Stripe (planned) | Payment processing | EU / UK

We will give reasonable notice before adding a new sub-processor that handles Customer Data.

Other recipients. Legal authorities (where we receive a valid legal request), successors (in the event of a merger, acquisition, or restructure), and professional advisers (lawyers, accountants, auditors, all bound by confidentiality).

We do not sell personal data; share personal data with advertising networks, data brokers, or for cross-context behavioural advertising; or use Customer Data to train AI models, and our AI sub-processors do not either.

6. Where your data is processed

Plain English Summary

We keep processing in the UK or the EEA. If a sub-processor occasionally routes data via the US (Clerk auth events, for example), we use the UK International Data Transfer Agreement or EU Standard Contractual Clauses to make the transfer lawful.

Our primary processing locations are the United Kingdom and the European Economic Area. The primary Postgres database (Neon) is hosted in the UK / EU. Object storage (Cloudflare R2) is configured to UK / EU regions. AI inference moves to Anthropic’s EU instance post-pilot; pre-pilot we route via OpenRouter, which may use multiple regions. Voice transcription (AssemblyAI) is on the EU endpoint. Asynchronous jobs (Inngest) run on the EU region. Hosting (Vercel) is configured to EU regions for our deployment, with a global edge cache for static assets only.

Where a cross-border transfer is unavoidable, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses (SCCs), or an adequacy decision where one applies.

7. Cookies and similar technologies

Plain English Summary

The App uses only the cookies it needs to keep you signed in. On the marketing website, Google Analytics 4 runs once you click Accept on the cookie banner; until you do, no analytics cookie is set. No advertising trackers anywhere, no fingerprinting. You can change your choice on the banner at any time by clearing your browser storage for fraflow.com.

Cookie type | Purpose | Used today?
Strictly necessary | Sign-in session, anti-CSRF (Clerk) | Yes
Preferences | Remember UI state (e.g. sidebar collapsed); store your cookie-banner choice | Yes (first-party local storage)
Analytics (marketing website) | Google Analytics 4 to understand which pages help visitors | Only after you click Accept on the cookie banner
Analytics (App) | Feature-usage counters and error logs | Yes (Vercel first-party server-side, no cookies)
Advertising / cross-site | Retargeting, third-party ads | Never

The marketing-website cookie banner defaults Google Consent Mode v2 to denied for every storage flag (analytics, ads, ad personalisation, functionality, personalisation). Google Analytics 4 only fires after you click Accept. We use IP anonymisation and do not enable Google Signals or remarketing audiences.

We do not use Meta Pixel, LinkedIn Insight Tag, Hotjar, Mixpanel, Amplitude, or similar tools. There is no third-party advertising script anywhere on the Site or the App.

Manage your cookie preferences

You can change your analytics cookie choice here at any time. Withdrawing consent is as easy as giving it.

8. Data retention

Plain English Summary

Customer Data sticks around for the duration of your subscription. After cancellation you have 60 days to export it; after that we delete it (subject to backups for up to 35 days). Billing data is kept for 7 years for tax. Account data goes when the account goes.

Data type | Retention period | Why
Customer Data | Subscription duration + 60 days post-termination, then deleted | Service provision; export window
Audit-trail events | Same as Customer Data | Customer's audit obligation
Backups | Up to 35 days on a rolling cycle | Disaster recovery
Billing data | 7 years from end of financial year | UK tax law (HMRC)
Account data | Deleted with the account, subject to backups | Service provision
Service-operations data | 90 days | Debugging, security, performance
Marketing-site contact submissions | 24 months from last interaction | Responding to enquiries

We will not retain personal data longer than necessary. Where you ask for erasure under Article 17, we will erase except where retention is required by law.

9. Your rights under UK GDPR / EU GDPR

Plain English Summary

You have a set of rights over your personal data. Email hello@fraflow.com to use any of them and we'll respond within 30 days. For data your employer uploaded into the App on your behalf, we'll usually route the request to your employer.

If you are in the UK or the European Economic Area, you have the following rights under UK GDPR / EU GDPR:

  • Right of access (Article 15): a copy of the personal data we hold about you, plus the information in this policy.
  • Right to rectification (Article 16): correction of inaccurate or incomplete personal data.
  • Right to erasure (Article 17): deletion in certain circumstances (the “right to be forgotten”).
  • Right to restriction (Article 18): freeze processing in certain circumstances.
  • Right to data portability (Article 20): your data in a structured, machine-readable format.
  • Right to object (Article 21): to processing based on legitimate interests.
  • Right to withdraw consent (Article 7(3)): where processing is based on consent, withdraw it at any time.
  • Right to lodge a complaint (Article 77): with the Information Commissioner’s Office (ICO) if you are in the UK, or your local supervisory authority if you are in the EEA.

How to exercise: email hello@fraflow.com with a description of your request. We will respond within 30 days (extendable by a further two months for complex requests, with notice).

Customer Data routing: where your personal data appears in Customer Data uploaded by a customer organisation, the customer is the controller. We will route your request to them and assist as required by Article 28.

10. Your rights under CCPA / CPRA (California residents)

Plain English Summary

If you live in California, you have specific rights under CCPA / CPRA. We don't sell or share personal information for cross-context behavioural advertising, so the "Do Not Sell" right doesn't apply in practice — but the other rights (know, delete, correct, opt-out, non-discrimination) do.

  • Right to know what personal information we collect, the sources, purposes, and recipients.
  • Right to delete your personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing for cross-context behavioural advertising. We do not sell or share personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information beyond what is necessary to provide the Service.
  • Right to non-discrimination for exercising any of these rights.

To exercise these rights: email hello@fraflow.com. We will respond within 45 days (extendable to 90 with notice).

11. Security

Plain English Summary

We encrypt data in transit and at rest, use role-based access controls, and audit who does what. Pre-pilot we have not yet completed external certifications like SOC 2 or ISO 27001 — we are honest about that and the security page tracks our actual posture as it matures.

We take appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest for the primary database and object storage.
  • Role-based access controls within the App (assessor / reviewer / admin).
  • Tenant scoping at the database query layer.
  • Audit logging of significant events.
  • Sub-processor due diligence.
  • Backup and disaster recovery for the primary database.
  • Secret management with rotation when needed.

Pre-pilot caveats: we have not yet completed external certifications such as SOC 2, ISO 27001, or Cyber Essentials Plus. We will publish updates to /security/ as our posture matures.

In a breach: we will notify you and (where required) the ICO without undue delay, and in any case within the 72-hour window required by UK GDPR Article 33.

12. Children's privacy

Plain English Summary

FRA Flow is a B2B service for professional fire risk assessors. The App is intended for users 18 and over. We do not knowingly collect data from anyone under 16 (UK GDPR threshold) or under 13 (COPPA threshold).

The App is a business-to-business service intended for use by qualified fire risk assessors and the organisations that employ them. Users must be at least 18. We do not knowingly collect personal data from anyone under 16 or under 13. If you believe a child has submitted personal data, please contact hello@fraflow.com and we will delete it.

13. Automated decision-making and profiling

Plain English Summary

The App generates AI-drafted paragraphs but doesn't make automated decisions that have legal or similarly significant effects on you. The decisions that matter (whether a fire risk assessment is signed off, what the action plan says) are made by the qualified assessor and reviewer. We don't profile you for advertising or credit-scoring.

The App uses AI to draft narrative paragraphs from structured evidence. The AI does not make final decisions about a fire risk assessment; the assessor and reviewer are the decision-makers and hold professional responsibility for the signed report.

We do not perform automated decision-making (UK GDPR Article 22) that produces legal or similarly significant effects on you. We do not profile you for marketing, advertising, credit, or employment decisions.

14. Marketing communications

Plain English Summary

Pre-pilot we don't run marketing email campaigns. If we start, you'll only receive marketing email if you've opted in. Every marketing email will have an unsubscribe link and we'll honour it.

We may send you transactional emails about your account (sign-in alerts, billing, sign-off notifications, password resets). Transactional emails do not require marketing consent because they are necessary for the Service.

We will only send marketing emails to you with your prior consent (UK GDPR Article 6(1)(a) and PECR). You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by emailing hello@fraflow.com.

15. Data Processing Agreement (for customers)

Plain English Summary

If you're a customer organisation, our standard Data Processing Agreement (DPA) supplements this policy and sets out the Article 28 processor terms in full. Email hello@fraflow.com and we'll send the DPA for signature.

Where FRA Flow processes Customer Data on behalf of a customer organisation, the relationship is governed by a written Data Processing Agreement (DPA). The DPA covers description of processing, the customer’s documented instructions, confidentiality obligations, security measures, the list of approved sub-processors and notice requirements, assistance with data-subject requests, breach notification, return or deletion of Customer Data on termination, and audit rights.

The DPA is available to all customers on request (hello@fraflow.com). It is automatically incorporated for paid tiers and available to Free-tier customers on the same terms on request.

16. Changes to this policy

Plain English Summary

We can update this policy. For material changes we'll email you and post a notice on the Site at least 30 days in advance. For non-material changes (typos, sub-processor list updates) we'll just publish the update.

We may update this Privacy Policy from time to time. The “Last Updated” date at the top reflects the date of the most recent change.

Material changes will be notified by email and a prominent Site / App notice at least 30 days before they take effect. Non-material changes (typos, clarifications, sub-processor list updates) take effect immediately on publication.

17. How to contact us

Plain English Summary

For anything privacy-related, email hello@fraflow.com. For complaints we haven't resolved, you can also go to the ICO.

Type | Address
General privacy enquiries | hello@fraflow.com
Data protection requests | hello@fraflow.com
Data Protection Officer | Not appointed pre-pilot. We will appoint a DPO if and when one is required by law.
Supervisory authority (UK) | Information Commissioner’s Office (ICO)

Need a DPA or trust documentation?

Contact FRA Flow to request the Data Processing Agreement, the sub-processor list, or any procurement question on this Privacy Policy.