Privacy Policy

Last updated: 8 April 2026

1. Who we are

Flowgate Systems ("Flowgate", "we", "us", "our") is a trading name operated as a partnership. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller responsible for your personal data.

Contact: info@nextdesignwebsite.com

2. What data we collect

We collect the following categories of personal data:

  • Account information: name, email address, phone number or WhatsApp number.
  • Business information: details about your coaching business, services you offer, target audience, and qualification criteria.
  • Integration credentials: your ManyChat API key (stored encrypted at rest using AES-256).
  • Conversation data: Instagram DM messages processed through ManyChat on your behalf, including lead usernames, message content, and AI-generated qualification notes.
  • Payment data: billing is handled entirely by Stripe. We do not store card numbers or bank details. We retain your Stripe customer ID and subscription status.
  • Usage data: login timestamps, pages visited within the dashboard, and feature usage for service improvement.

3. How we use your data

We process your data under the following lawful bases (Article 6, UK GDPR):

  • Performance of a contract (Art. 6(1)(b)): to provide the Flowgate service, process DM conversations, qualify leads, and send notifications.
  • Legitimate interests (Art. 6(1)(f)): to improve the service, prevent fraud, ensure security, and communicate service updates.
  • Consent (Art. 6(1)(a)): for optional marketing communications. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable tax, accounting, and regulatory requirements.

4. Third-party processors

We share data with the following third-party processors, all of whom are bound by data processing agreements:

  • Supabase (US/EU): database hosting and authentication.
  • Vercel (US/EU): application hosting and content delivery.
  • DigitalOcean (US/EU): server hosting for backend services.
  • OpenAI (US): AI-powered conversation processing. DM messages are sent to OpenAI for lead qualification. OpenAI does not use API data for model training.
  • ManyChat (US): Instagram DM integration via their official API.
  • Stripe (US/EU): payment processing.

Where data is transferred outside the UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions as required under UK GDPR.

5. Data about Instagram leads

When you connect your ManyChat account, Flowgate processes Instagram DM conversations on your behalf. In this context, you (the coach/client) are the data controller for your leads' personal data, and Flowgate acts as a data processor.

We process lead data solely to provide the agreed service (qualifying leads and booking calls). We do not sell, share, or use lead data for any purpose other than delivering the Flowgate service to you.

You are responsible for ensuring you have an appropriate lawful basis to process your leads' data and for responding to any data subject requests from your leads.

6. Data retention

  • Account data: retained for the duration of your subscription plus 30 days, unless you request earlier deletion.
  • Conversation data: retained for the duration of your subscription. Deleted within 30 days of account closure.
  • Billing records: retained for 6 years as required by UK tax law (HMRC).
  • Encrypted credentials: deleted immediately upon account closure.

7. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data (Subject Access Request).
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), subject to legal retention requirements.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interests.
  • Data portability: receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email info@nextdesignwebsite.com. We will respond within one calendar month.

8. Security

We take reasonable technical and organisational measures to protect your data, including: encryption of sensitive credentials at rest (AES-256), Row Level Security on all database tables, HTTPS-only communication, and regular security audits.

No system is 100% secure. If you discover a vulnerability, please report it to info@nextdesignwebsite.com.

9. Cookies

See our Cookie Policy for details on cookies and similar technologies used on our website.

10. Children

Flowgate is a business-to-business service intended for users aged 16 and over. We do not knowingly collect data from anyone under 16. If we become aware that a user is under 16, we will take steps to delete their account and associated data.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or a dashboard notification. The "last updated" date at the top reflects the most recent revision.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk/make-a-complaint