1. Who We Are
Flow Advisory Group is a registered business name of NAASH CONSULTING PTY LTD, ABN 82 621 961 985 ("we", "us", "our"). We are a boutique management consulting practice based in Melbourne, Australia, offering diagnostic assessment tools and consulting services to mid-market organisations.
This Privacy Policy governs the collection, use, storage, and disclosure of personal and organisational information across all Flow Advisory Group digital platforms, including:
- flowadvisorygroup.com (marketing website, free assessment tools, contact forms)
- flow-health.flowadvisorygroup.com (Flow ROI Diagnostic SaaS platform)
- ai-roi.flowadvisorygroup.com (AI Operational ROI Diagnostic SaaS platform)
This policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where our operations involve data subjects in the European Economic Area, we apply GDPR-compatible standards as a matter of good practice.
2. Information We Collect
2.1 Account and Registration Information
When you create an account on our SaaS platforms, we collect:
- Full name and work email address
- Company or organisation name
- Password (stored only as a one-way cryptographic hash using bcrypt; we cannot recover your password)
- Tier selection (Starter, Growth, or Enterprise)
- IP address and browser user agent at time of registration
2.2 Payment Information
Payment processing is handled entirely by Stripe, Inc. We do not collect, store, or have access to your credit card number, CVV, or full card details at any time. When you complete a payment:
- Stripe returns a customer ID and subscription ID to our systems
- We store the Stripe customer ID to manage your subscription status
- Your card details remain in Stripe's PCI-DSS compliant vault
Stripe's privacy policy is available at stripe.com/au/privacy.
2.3 Assessment and Diagnostic Data
When you complete a diagnostic assessment, we collect and process:
- Your responses to assessment questions (numeric values, scale selections, binary yes/no answers)
- Calculated dimension scores and overall health scores
- ROI projections generated from your inputs
- Timestamp and session metadata for each assessment run
- Any consultant observations added to your assessment (consulting-led engagements only)
Important: Assessment responses relate to your organisation's operational metrics, not to individual employees. We do not ask for or store personally identifiable information about your staff beyond what is necessary to operate the platform.
2.4 Free Tool Data
The free Flow Health Score (flowadvisorygroup.com/flow-health-score.html) and AI Readiness Snapshot (flowadvisorygroup.com/ai-readiness-snapshot.html) are processed entirely in your browser. We do not collect, transmit, or store your responses to these free tools. No account or registration is required.
2.5 Contact and Communication Data
When you contact us via the book-a-call form, email, or enterprise enquiry form, we collect:
- Name, email address, phone number (if provided)
- Company name and the nature of your enquiry
- Any content you include in your message
2.6 Technical and Usage Data
When you use our platforms, we automatically collect:
- IP address and approximate geographic location
- Browser type, operating system, and device type
- Pages visited, time on page, and navigation paths
- Authentication events (login, logout, password reset)
- Error logs and system performance data
This data is collected via Google Analytics 4 (GA4) and server-side application logs. GA4 data is processed under Google's Privacy Policy.
3. How We Use Your Information
3.1 To Provide Our Services
- Create and manage your account on our diagnostic platforms
- Process your payment and manage your subscription status
- Deliver assessment results, scored dashboards, and PDF reports
- Send transactional emails: account verification, password reset, payment confirmation
- Maintain your assessment history and enable before/during comparison (Growth and Enterprise tiers)
3.2 To Improve Our Products
- Analyse aggregated, anonymised assessment data to improve scoring benchmarks
- Monitor platform performance and diagnose technical issues
- Develop industry benchmark datasets (anonymised, never attributable to individual organisations)
3.3 To Communicate With You
- Respond to support enquiries and booking requests
- Send service-related notifications (billing, expiry, product updates)
- Marketing communications, only with your explicit consent, and always with an unsubscribe option
3.4 Legal and Compliance
- Maintain audit logs for security and fraud prevention
- Comply with applicable Australian law, including tax obligations
- Respond to lawful requests from regulatory authorities
4. Legal Basis for Processing
We process your information on the following lawful grounds:
- Contract performance: Processing necessary to deliver the services you have purchased
- Legitimate interests: Platform security, fraud prevention, product improvement, and aggregated benchmarking
- Consent: Marketing communications and optional analytics
- Legal obligation: Tax records, regulatory compliance, and responding to lawful authorities
5. Third-Party Services and Data Processors
We use the following third-party services to operate our platforms. Each processes data only as necessary and under contractual data processing agreements:
5.1 Stripe (Payment Processing)
Purpose: Secure payment collection and subscription management. Data shared: email, payment card (tokenised), subscription status. Location: United States (EU-US Data Privacy Framework compliant). Privacy policy: stripe.com/au/privacy
5.2 Resend (Transactional Email)
Purpose: Delivery of account verification, password reset, and notification emails. Data shared: recipient email address and email content. Location: Tokyo, Japan (ap-northeast-1). Privacy policy: resend.com/privacy
5.3 DigitalOcean (Cloud Infrastructure)
Purpose: Hosting of all SaaS platform backends and databases. All data is stored in the Sydney, Australia data centre (syd1). Data shared: all platform data stored within the infrastructure. Privacy policy: digitalocean.com/legal/privacy-policy
5.4 Google Analytics 4
Purpose: Website analytics and user behaviour tracking on flowadvisorygroup.com. Data shared: anonymised usage data, IP address (anonymised). Location: United States. You can opt out at: tools.google.com/dlpage/gaoptout. Privacy policy: policies.google.com/privacy
5.5 Hostinger (Website Hosting)
Purpose: Hosting of the flowadvisorygroup.com marketing website. Data shared: web server logs including IP addresses. Location: European Union. Privacy policy: hostinger.com/privacy-policy
5.6 Calendly (Appointment Booking)
Purpose: Scheduling of consultation and scoping calls via the book-a-call page. Data shared: name, email address, and selected time slot. Privacy policy: calendly.com/privacy
We do not sell, rent, or share your personal information with third parties for their own marketing purposes under any circumstances.
6. Authentication and Security
6.1 Authentication Architecture
Our SaaS platforms use JSON Web Token (JWT) authentication. Upon login, a signed token is issued with a 7-day expiry. This token is stored in your browser's local storage and transmitted via HTTPS on each API request. Tokens are validated server-side on every request.
Password reset tokens are single-use, expire within 1 hour, and are invalidated immediately upon use.
Email verification tokens issued on account creation expire within 24 hours.
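The token lifecycle described above, as an added illustration in Python (not Flow Advisory Group's code): an HMAC-signed session token with the 7-day expiry that is validated on every request, and a single-use password reset token that expires after 1 hour and is invalidated when redeemed. The secret value, user ids and the in-memory store are constructed for the example.

```python
# Sketch of the token lifecycle in section 6.1: an HMAC-signed session token with a
# 7-day expiry verified on every request, and a single-use password reset token that
# expires after 1 hour. Added illustration only; SECRET and the store are constructed.
import base64, hashlib, hmac, json, secrets, time

SECRET = b"example-only-secret-load-from-env"  # constructed; real value stays in env
SESSION_TTL = 7 * 24 * 3600                    # 7 days, as stated in 6.1
RESET_TTL = 3600                               # 1 hour, as stated in 6.1

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(user_id, now=None):
    """Mint a JWT-layout token (header.payload.signature) signed with HS256."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "exp": now + SESSION_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_session(token, now=None):
    """Server-side check on every request: signature first, then expiry.
    Returns the user id on success and None on any failure."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    return claims.get("sub") if claims.get("exp", 0) > now else None

# Only a SHA-256 of each reset token is stored, so a copy of the table yields no usable tokens.
_reset_store = {}  # sha256(token) -> (user_id, expiry)

def issue_reset_token(user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_store[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + RESET_TTL)
    return token

def redeem_reset_token(token, now=None):
    now = time.time() if now is None else now
    # pop() deletes the record on first use, whether or not it is still valid
    record = _reset_store.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    return record[0] if record and record[1] > now else None
```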
6.2 Data Security Measures
- All data in transit is encrypted via TLS 1.2+ (HTTPS enforced on all endpoints)
- All data at rest is stored in encrypted PostgreSQL databases on DigitalOcean Sydney infrastructure
- Passwords are hashed using bcrypt with a work factor of 12 (industry standard, not reversible)
- Database credentials, API keys, and JWT secrets are stored as server-side environment variables, never in source code
- GitHub repositories are private and access-controlled
- Server access is restricted to SSH key authentication
6.3 Audit Logging
Our platforms maintain an audit log of authentication events (login, password reset) associated with user accounts. Audit logs are retained for 12 months.
7. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of account + 3 years | Contract / legal obligation |
| Assessment responses and scores | Duration of account + 3 years | Contract performance |
| Payment records (Stripe transaction IDs) | 7 years | Australian tax law |
| Audit logs | 12 months | Security / legitimate interests |
| Contact form submissions | 3 years or until request to delete | Legitimate interests |
| Server logs (IP, access) | 90 days | Security monitoring |
| Pending registrations (unverified) | 24 hours then auto-deleted | System integrity |
8. Your Rights Under Australian Privacy Law
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the following rights:
8.1 Right of Access
You may request a copy of the personal information we hold about you. We will provide this within 30 days of receiving your request. We may charge a reasonable fee for providing access if the request is complex or voluminous.
8.2 Right to Correction
If you believe information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct it. We will respond within 30 days.
8.3 Right to Deletion
You may request deletion of your account and associated personal data. We will comply within 30 days, subject to our obligation to retain records required by law (see Section 7). Anonymised assessment data that has been incorporated into aggregate benchmarks cannot be removed as it is no longer attributable to you.
8.4 Right to Withdraw Consent
Where processing is based on consent (marketing communications, optional analytics), you may withdraw consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
8.5 Right to Complain
If you believe we have mishandled your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- GPO Box 5218, Sydney NSW 2001
We request that you contact us first at privacy@flowadvisorygroup.com to give us the opportunity to resolve your concern directly.
9. Cookies and Tracking
9.1 Cookies We Use
- Essential (session): JWT authentication tokens stored in browser localStorage, required for platform functionality. Cannot be disabled without preventing login.
- Analytics (Google Analytics 4): Used on flowadvisorygroup.com only to measure traffic and page performance. Not used on the SaaS platforms.
- Draft save (localStorage): Assessment draft responses are saved locally in your browser during an active session to prevent data loss. Cleared on submission or browser cache clear.
9.2 What We Do Not Use
- No advertising cookies or third-party tracking pixels
- No Facebook Pixel, LinkedIn Insight Tag, or similar advertising trackers
- No session recording tools (Hotjar, FullStory, etc.)
- No cross-site tracking
10. Children's Privacy
Our services are directed exclusively at business professionals and organisations. We do not knowingly collect personal information from individuals under 18 years of age. If you believe a minor has provided us with personal information, please contact us immediately at privacy@flowadvisorygroup.com.
11. International Data Transfers
Some of our service providers (Stripe, Resend, Google Analytics) process data outside Australia. Where this occurs:
- We ensure providers maintain adequate data protection standards under APP 8
- Stripe and Google operate under the EU-US Data Privacy Framework and equivalent mechanisms
- DigitalOcean stores all SaaS platform data in Sydney, Australia (no international transfer for primary platform data)
12. Diagnostic Data and Intellectual Property
Assessment responses you submit to our platforms remain your data. We use your responses solely to generate your scored results and report. We may use anonymised, aggregated, non-attributable data derived from all assessments to improve our scoring benchmarks and produce industry reports. Such aggregated data cannot be used to identify you or your organisation.
The scoring methodology, dimension weights, benchmark calibrations, scoring algorithms, question design, and report templates used in the Flow ROI Diagnostic and AI ROI Diagnostic are proprietary intellectual property of NAASH CONSULTING PTY LTD. See our Terms of Service for full IP provisions.
13. Disclaimer of Warranties
The diagnostic assessments and reports produced by our platforms are provided for informational and commercial decision-support purposes only. They do not constitute:
- Legal, financial, accounting, or regulatory advice
- A guarantee of any particular business outcome
- Professional advice within the meaning of any applicable professional standards legislation
Diagnostic results are based on the responses you provide. The accuracy, completeness, and reliability of results depend entirely on the accuracy of your inputs. We are not liable for decisions made on the basis of diagnostic results.
ROI projections use published industry benchmarks and conservative recovery assumptions. They are indicative only and do not constitute a financial forecast or investment recommendation.
14. Limitation of Liability
To the maximum extent permitted by Australian Consumer Law and other applicable legislation:
- Our total aggregate liability to you for any claim arising from or related to our services is limited to the fees you paid us in the 12 months preceding the claim
- We are not liable for indirect, consequential, incidental, special, or punitive damages, including loss of revenue, loss of profit, loss of business, or loss of data
- We are not liable for service interruptions, data loss caused by third-party infrastructure, or security incidents arising from your failure to maintain credential security
Nothing in this policy limits rights you may have under the Australian Consumer Law that cannot be excluded by agreement.
15. Data Breach Notification
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach that is likely to result in serious harm, we will:
- Notify affected individuals as soon as practicable
- Notify the OAIC within 30 days of becoming aware of the breach
- Provide details of the breach and recommended steps to mitigate risk
16. Business Transfers
If Flow Advisory Group or NAASH CONSULTING PTY LTD is acquired, merged, or undergoes a change of ownership, your data may be transferred to the acquiring entity as part of that transaction. We will notify you by email or platform notification prior to your data being transferred and becoming subject to a different privacy policy.
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in our products, data practices, or legal requirements. We will notify registered users of material changes by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after the effective date constitutes acceptance of the updated policy.
18. Contact Us
For all privacy enquiries, access requests, correction requests, or complaints:
Privacy Officer
NAASH CONSULTING PTY LTD (trading as Flow Advisory Group)
Email: privacy@flowadvisorygroup.com
General: hello@flowadvisorygroup.com
Melbourne, Victoria, Australia
We aim to respond to all privacy enquiries within 5 business days and to resolve requests within 30 days.