Legal
Flow Advisory Group is a registered business name of NAASH CONSULTING PTY LTD, ABN 82 611 761 981 ("we", "us", "our"). We are a boutique management consulting practice based in Melbourne, Australia, offering AI governance software, diagnostic assessment tools, and consulting services to mid-market organisations.
This Privacy Policy governs the collection, use, storage, and disclosure of personal and organisational information across all Flow Advisory Group digital platforms, including:
This policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where our operations involve data subjects in the European Economic Area, we apply GDPR-compatible standards as a matter of good practice.
When you create an account on any of our SaaS platforms, we collect: full name and work email address, company or organisation name, ABN (AI Governance Platform only), password (stored as a one-way bcrypt hash; we cannot recover it), subscription tier selection, and IP address and browser user agent at time of registration.
Payment processing is handled entirely by Stripe, Inc. We do not collect, store, or have access to your credit card number, CVV, or full card details. Stripe returns a customer ID and subscription ID to our systems. Your card details remain in Stripe's PCI-DSS compliant vault. Stripe's privacy policy is available at stripe.com/au/privacy.
On the AI Governance Platform, we store data you enter including: AI vendor records, control evidence, incident logs, regulatory reference mappings, board pack configurations, and org notes. This data is stored in our PostgreSQL database on DigitalOcean Sydney infrastructure and is accessible only to users in your organisation.
On the diagnostic platforms, we collect and process your responses to assessment questions, calculated scores, ROI projections, and session metadata. Assessment responses relate to your organisation's operational metrics, not to individual employees.
When you contact us via booking forms or email, we collect: name, email address, phone number (if provided), company name, and the nature of your enquiry.
We automatically collect IP address, browser type, operating system, pages visited, authentication events, and error logs. Website analytics on flowadvisorygroup.com are collected via Google Analytics 4. GA4 data is processed under Google's Privacy Policy.
We use your information to: create and manage your account, process payments and manage subscription status, deliver platform features and diagnostic results, send transactional emails (verification, password reset, billing), maintain audit logs for security and compliance, respond to enquiries, and improve our products using anonymised, aggregated data.
We send marketing communications only with your explicit consent, always with an unsubscribe option.
Contract performance: Processing necessary to deliver services you have purchased. Legitimate interests: Platform security, fraud prevention, product improvement, and aggregated benchmarking. Consent: Marketing communications and optional analytics. Legal obligation: Tax records, regulatory compliance, and responding to lawful authorities.
We use the following third-party services, each processing data only as necessary and under contractual data processing agreements:
| Provider | Purpose | Data location |
|---|---|---|
| Stripe | Payment processing and subscription management | United States (EU-US DPF compliant) |
| Resend | Transactional email delivery | Tokyo, Japan (ap-northeast-1) |
| DigitalOcean | Cloud infrastructure for all SaaS backends and databases | Sydney, Australia (syd1) |
| Google Analytics 4 | Website analytics on flowadvisorygroup.com only | United States |
| Hostinger | Marketing website hosting | European Union |
| Calendly | Appointment booking for consultation calls | United States |
We do not sell, rent, or share your personal information with third parties for their own marketing purposes under any circumstances.
Our SaaS platforms use JSON Web Token (JWT) authentication with a 7-day expiry. Tokens are validated server-side on every request. Passwords are hashed using bcrypt (work factor 12). All data in transit is encrypted via TLS 1.2+. All data at rest is stored in encrypted PostgreSQL databases on DigitalOcean Sydney. Database credentials and API keys are stored as server-side environment variables, never in source code. GitHub repositories are private. Server access is restricted to SSH key authentication.
Our platforms maintain audit logs of authentication and write events. Audit logs are retained for 12 months.
| Data type | Retention period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of account + 3 years | Contract / legal obligation |
| Platform data (vendor register, controls, incidents) | Duration of account + 3 years | Contract performance |
| Assessment responses and scores | Duration of account + 3 years | Contract performance |
| Payment records (Stripe transaction IDs) | 7 years | Australian tax law |
| Audit logs | 12 months | Security / legitimate interests |
| Contact form submissions | 3 years or until deletion request | Legitimate interests |
| Server logs (IP, access) | 90 days | Security monitoring |
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to access personal information we hold about you (within 30 days of request), request correction of inaccurate or incomplete information, request deletion of your account and associated personal data (subject to legal retention obligations), withdraw consent for marketing communications at any time, and lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.
We request that you contact us at privacy@flowadvisorygroup.com first to give us the opportunity to resolve your concern directly.
Essential (session): JWT authentication tokens in browser localStorage, required for platform functionality. Analytics: Google Analytics 4 on flowadvisorygroup.com only. Not used on SaaS platforms. Draft save: Assessment responses saved locally during an active session to prevent data loss.
We do not use advertising cookies, Facebook Pixel, LinkedIn Insight Tag, session recording tools, or cross-site tracking.
Our services are directed exclusively at business professionals and organisations. We do not knowingly collect personal information from individuals under 18 years of age.
Some service providers (Stripe, Resend, Google Analytics) process data outside Australia. We ensure providers maintain adequate data protection standards under APP 8. DigitalOcean stores all SaaS platform data in Sydney, Australia. There is no international transfer for primary platform data.
Data you enter into our platforms remains yours. We use it solely to deliver your results and reports. We may use anonymised, aggregated, non-attributable data to improve our scoring benchmarks and produce industry reports. Such aggregated data cannot be used to identify you or your organisation.
The AI Governance Platform's scoring methodology, control frameworks, clause library, and board pack templates are proprietary intellectual property of NAASH CONSULTING PTY LTD. See our Terms of Service for full IP provisions.
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach likely to cause serious harm, we will notify affected individuals as soon as practicable and notify the OAIC within 30 days.
We may update this Privacy Policy to reflect changes in our products, data practices, or legal requirements. We will notify registered users of material changes by email at least 14 days before the changes take effect.
Privacy Officer, NAASH CONSULTING PTY LTD (trading as Flow Advisory Group)
Email: privacy@flowadvisorygroup.com
General: hello@flowadvisorygroup.com
Melbourne, Victoria, Australia
We aim to respond to all privacy enquiries within 5 business days and to resolve requests within 30 days.