Privacy Policy

Last updated: March 2026

FLOWLITH

Iris AI Operations Platform — Legal Document

Effective Date: March 12, 2026 | Last Updated: March 12, 2026

1. Introduction

Flowlith ("we," "us," or "our") is deeply committed to protecting the privacy, security, and confidentiality of all personal data we process. This Privacy Policy ("Policy") describes how we collect, use, store, disclose, and protect personal information when you: visit www.flowlith.com; engage with our sales or support team; or use the IRIS AI platform and related services.

This Policy applies to: (a) Clients and their Authorised Users; (b) End-Users whose data is processed through IRIS; (c) Website visitors; (d) Prospective clients and business contacts.

This Policy is designed to comply with: India's Digital Personal Data Protection Act, 2023 ("DPDP Act"); the Information Technology Act, 2000 ("IT Act"); the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"); and, to the extent applicable, the EU General Data Protection Regulation 2016/679 ("GDPR") for EU-based data subjects.

2. Information We Collect

2.1 Information Provided Directly by Clients

  • Account and registration data: name, company name, email address, phone number, designation, and billing address.
  • Payment information: billing details processed via Stripe, Razorpay, or PayPal. Flowlith does not store full card numbers — payment data is handled by PCI-DSS compliant payment processors.
  • Communications: enquiries, support requests, emails, and feedback submitted to Flowlith.
  • Onboarding data: business workflow information, CRM credentials, integration requirements, and related operational data provided during implementation.

2.2 Information Collected Automatically

  • Usage and log data: IP addresses, browser type, operating system, pages visited, session duration, referral URLs, and access timestamps.
  • Device information: device type, unique identifiers, and network information.
  • Cookie and tracking data: as described in Section 9 below.

2.3 Client Data and End-User Data Processed Through IRIS

  • Voice call recordings, audio files, transcripts, and call metadata generated by IRIS.
  • End-User personal data: names, phone numbers, appointment details, order information, payment references, and any other personal data submitted during Client-configured IRIS workflows.
  • CRM data synced with Zoho, HubSpot, Salesforce, or other integrated platforms.
  • WhatsApp and messaging interaction data where WhatsApp automation is enabled.

For all End-User data processed through IRIS, Flowlith acts exclusively as a Data Processor. The Client is the Data Fiduciary/Controller. Clients bear full responsibility for having valid legal bases for processing End-User data through the Services.

3. How We Use Your Information

Service Delivery (Contract): To configure, operate, and deliver the IRIS AI platform; manage accounts; process payments; and provide customer support.

Implementation (Contract): To conduct workflow discovery, conversation design, and system integration during onboarding.

AI Operations (Contract): To process voice calls, execute automated workflows, update CRM systems, and perform tasks on the Client's behalf through IRIS.

Billing and Fraud Prevention (Legal Obligation / Legitimate Interest): To process payments, generate invoices, track usage, detect fraud, and comply with financial regulations.

Service Improvement (Legitimate Interest): To monitor platform performance, diagnose issues, and improve IRIS. Data used for improvement purposes is anonymised or aggregated wherever technically feasible.

Communications (Legitimate Interest / Consent): To send transactional emails, service notifications, and — with consent — product updates and marketing communications. Marketing emails include a clear unsubscribe option.

Legal Compliance (Legal Obligation): To comply with applicable laws, respond to lawful authority requests, and enforce our contractual rights.

4. Voice Call Data and Recording

IRIS IS A REAL-TIME VOICE AI AGENT. CALL RECORDINGS AND TRANSCRIPTS CONTAINING PERSONAL DATA ARE PROCESSED AS A CORE FEATURE OF THE SERVICE. THIS SECTION GOVERNS HOW SUCH DATA IS HANDLED.

4.1 What We Process

IRIS processes incoming and outgoing voice calls in real time. Depending on Client configuration, calls may be recorded, transcribed, and stored. Recordings and transcripts may contain names, contact details, financial information, health information, appointment details, and other personal data of End-Users.

4.2 Retention Period — Client-Defined

The retention period for call recordings and transcripts is set by the Client according to their business and legal requirements, and documented in the SOW or Data Processing Agreement. Flowlith will retain recordings only for the period specified by the Client and will delete or return recordings upon the Client's written instruction at the end of the retention period.

4.3 Hosting Options and Data Location

Call recordings and associated data may be hosted: (a) on Flowlith's managed server infrastructure, within an isolated VPS allocated exclusively to the Client — no other Client has access to this environment; or (b) on the Client's own server, if Client-Side Hosting is selected. Clients choosing Client-Side Hosting are responsible for the security and legal compliance of their hosting environment.

4.4 Consent Obligation on Clients

The Client is solely responsible for ensuring all call participants are informed that their calls are being recorded and processed by an AI system, and for obtaining all legally required consents under applicable law. Flowlith provides the recording infrastructure; the legal basis for recording is the Client's responsibility.

5. Data Sharing and Disclosure

Flowlith does not sell, rent, or trade personal data to any third party for marketing or commercial purposes. Personal data is disclosed only in the following circumstances:

Sub-processors and Service Providers: We share data with trusted processors who help us operate the Services, including cloud infrastructure providers, payment processors (Stripe, Razorpay, PayPal), CRM platforms (Zoho, HubSpot, Salesforce), and communications tools. All sub-processors are bound by data processing agreements with appropriate security and confidentiality obligations.

Legal Requirements: We may disclose data where required by law, court order, governmental or regulatory authority, or to protect the rights, property, or safety of Flowlith, its Clients, or the public.

Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity, subject to equivalent privacy protections. Affected parties will be notified as required by law.

With Consent: For any other purpose, only with your explicit prior written consent.

6. Data Security

Flowlith implements robust technical and organisational security measures to protect all personal data against unauthorised access, loss, alteration, disclosure, or destruction. Our security measures include:

  • End-to-end encryption in transit using TLS/SSL for all data transmissions.
  • Encryption at rest for all stored call recordings, transcripts, and sensitive data.
  • Isolated VPS architecture ensuring complete data segregation between Clients.
  • Role-based access controls limiting internal access to personal data to authorised personnel only.
  • Regular security assessments, vulnerability scans, and penetration testing.
  • Incident response procedures in compliance with DPDP Act and applicable law.

In the event of a personal data breach that poses a significant risk to data subjects, Flowlith will notify affected Clients and the relevant regulatory authority within the timeframe prescribed by applicable law, and will cooperate fully in breach response and remediation.

7. Data Retention

  • Account and contract data: retained for the duration of the relationship and for seven (7) years thereafter for legal and accounting compliance.
  • Call recordings and transcripts: retained as specified by the Client in the SOW. Default: deleted upon Client's written instruction or contract termination.
  • Payment and billing records: retained for eight (8) years as required under Indian financial regulations.
  • Website analytics and server logs: retained for up to twelve (12) months.
  • Support communications: retained for three (3) years.

Upon expiry of the applicable retention period, personal data is securely and permanently deleted or irreversibly anonymised.

8. Your Data Rights

Subject to applicable law, you and your End-Users may exercise the following rights regarding personal data held by Flowlith:

Right of Access: Request confirmation that we process your data and obtain a copy of it.

Right to Correction: Request correction of inaccurate or incomplete data.

Right to Erasure: Request deletion of personal data, subject to legal hold obligations.

Right to Withdraw Consent: Where processing is consent-based, withdraw consent at any time without affecting prior processing.

Right to Data Portability: Receive personal data in a structured, machine-readable format.

Right to Grievance Redressal: Under the DPDP Act 2023, file a grievance with our Data Protection Officer. Unresolved complaints may be escalated to the Data Protection Board of India.

GDPR Rights (EU Subjects): EU data subjects have additional rights including restriction of processing and the right to object. Contact us at legal@flowlith.com to exercise these rights.

To exercise any right, submit a written request to legal@flowlith.com with identity verification. We will respond within thirty (30) days.

9. Cookies and Tracking Technologies

Essential Cookies: Required for core website functionality, session management, and security. Cannot be disabled.

Analytics Cookies: Used to understand website usage and improve user experience (e.g., Google Analytics). Set only with your consent.

Marketing Cookies: Used to deliver relevant content and measure campaign performance. Set only with your consent.

You may manage non-essential cookies through your browser settings or our cookie consent tool. Disabling certain cookies may affect website functionality.

10. WhatsApp and Digital Messaging

Where Clients use IRIS for WhatsApp or other digital messaging automation, the processing of End-User messaging data is governed by Meta's WhatsApp Business Policy and applicable provisions of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Flowlith processes messaging data solely on the Client's instruction. The Client is responsible for ensuring their use of messaging automation complies with all applicable platform policies and regulations.

11. International Data Transfers

Flowlith operates primarily in India. Where personal data is transferred to, processed in, or stored in countries outside India — including through sub-processors — Flowlith ensures appropriate safeguards are in place in compliance with DPDP Act provisions on cross-border transfers, including standard contractual clauses or other approved mechanisms.

12. Children's Privacy

The Services are intended for business use by adults aged eighteen (18) and above. We do not knowingly collect personal data from minors. Under the DPDP Act 2023, processing of children's data requires verifiable parental consent. If we discover that we have inadvertently collected data from a minor without valid consent, we will delete it promptly. Please contact legal@flowlith.com if you believe such data has been collected.

13. Third-Party Links and Integrations

The Services integrate with third-party platforms (Zoho, HubSpot, Salesforce, Stripe, Razorpay, PayPal, and others). Flowlith is not responsible for the privacy practices of these third parties. The Client's use of these integrations is subject to the respective privacy policies and terms of those providers. We encourage you to review them.

14. Data Protection Officer / Grievance Officer

In accordance with the DPDP Act 2023 and the IT Act 2000, Flowlith has designated a Data Protection and Grievance Officer for all privacy-related concerns.

Company: Flowlith

Email: legal@flowlith.com

Support: support@flowlith.com

Website: www.flowlith.com

We acknowledge grievances within three (3) business days and resolve them within thirty (30) days. Unresolved complaints may be escalated to the Data Protection Board of India once constituted under the DPDP Act.

15. Updates to this Policy

We may update this Privacy Policy to reflect changes in our data practices, Services, or legal requirements. Material changes will be communicated to registered Clients by email and posted on our website with an updated effective date, with at least thirty (30) days' notice. Continued use of the Services after the effective date of any updated Policy constitutes your acceptance.

Privacy enquiries: legal@flowlith.com | support@flowlith.com | www.flowlith.com