Data Handling Disclosures

Last Updated: May 3, 2026

1. Purpose

This Internal Data Handling Policy defines how Flowambe founders, employees, contractors, advisors, support personnel, testers, and other authorized personnel must handle customer, event, beta, product, operational, and personal data.

The purpose of this policy is to protect customer trust, reduce privacy and security risk, maintain confidentiality, and ensure that Flowambe’s actual practices match its public statements.

2. Scope

This policy applies to all Flowambe personnel and contractors who access, process, store, transmit, discuss, test, debug, analyze, export, or otherwise handle Flowambe data.

This includes data from:

  • website forms;
  • waitlists;
  • beta programs;
  • planner collaborations;
  • real events;
  • demos or tests in Nigeria;
  • demos or tests in the United States;
  • mobile app tests;
  • event workspaces;
  • WhatsApp, email, push, or SMS communications;
  • support requests;
  • bug reports;
  • analytics;
  • logs;
  • backups;
  • product research;
  • customer interviews;
  • internal documents.

3. Data Categories

Flowambe data should be treated according to the following categories.

3.1 Public Data

Information approved for public release, such as published website copy, approved marketing language, public screenshots, public product descriptions, and public company information.

3.2 Internal Data

Non-public company information, such as product plans, internal notes, roadmaps, designs, workflows, internal metrics, financial planning, contractor assignments, and operational documents.

3.3 Customer/Event Data

Information relating to customers, planners, hosts, vendors, guests, staff, assistants, events, timelines, venues, tasks, dependencies, communications, status updates, execution logs, or beta observations.

Customer/Event Data must be treated as confidential.

3.4 Sensitive Customer/Event Data

Information that could create heightened risk if exposed, including guest lists, family details, VIP information, precise private locations, security information, financial details, dispute notes, health or accessibility information, children’s information, religious/cultural ceremony details, or other sensitive event context.

Sensitive Customer/Event Data requires extra caution and should be minimized.

3.5 Credentials and Secrets

Passwords, API keys, tokens, private keys, database credentials, cloud credentials, environment variables, WhatsApp/email provider credentials, app store credentials, and similar secrets.

Credentials and secrets must never be shared casually, pasted into chat, stored in personal notes, or included in screenshots.

4. Core Rules

All Flowambe personnel and contractors must follow these rules:

  1. Access only the data needed to perform assigned work.
  2. Use company-approved tools and accounts where available.
  3. Do not share Customer/Event Data outside Flowambe unless authorized.
  4. Do not copy Customer/Event Data into personal devices, personal cloud drives, personal email, personal messaging apps, or unauthorized tools.
  5. Do not paste Customer/Event Data into AI tools unless it has been anonymized or specifically approved.
  6. Do not take screenshots of Customer/Event Data unless necessary for support, debugging, documentation, or approved product work.
  7. Do not post Customer/Event Data in public channels, social media, portfolios, or marketing materials.
  8. Do not use real Customer/Event Data for demos unless authorized and appropriate.
  9. Use test data or anonymized data whenever possible.
  10. Report suspected data exposure, unauthorized access, lost devices, credential compromise, or policy violations immediately.

5. Access Control

Access to Customer/Event Data must be limited based on business need and role.

Flowambe should maintain a basic access list for each beta event or pilot showing:

  • event name or identifier;
  • authorized Flowambe personnel and contractors;
  • their role;
  • access level;
  • reason for access;
  • date access was granted;
  • date access was removed.

Access should be removed when no longer needed, including when a contractor leaves, changes role, or completes their assignment.

6. Contractor Rules

Contractors may access Customer/Event Data only when necessary for assigned Flowambe work.

Contractors must:

  • agree to confidentiality obligations;
  • follow this policy;
  • use approved accounts and tools;
  • avoid storing Customer/Event Data locally unless necessary and authorized;
  • delete or return Customer/Event Data when work ends or access is revoked;
  • report any suspected data incident immediately;
  • avoid sharing Customer/Event Data with other clients, employers, friends, family, subcontractors, or external parties.

Subcontracting is not allowed without Flowambe’s prior written approval.

7. AI Tool Use

Customer/Event Data may not be pasted, uploaded, transcribed, or submitted into ChatGPT, Claude, Gemini, Copilot, Perplexity, Notion AI, or similar AI tools unless:

  • the data has been anonymized so individuals, events, vendors, guests, clients, venues, and private circumstances cannot reasonably be identified; or
  • Flowambe has approved the specific AI tool, use case, account, data type, and safeguards.

Examples of prohibited AI use:

  • uploading a real guest list to summarize attendees;
  • pasting a real wedding timeline with names and phone numbers into an AI model;
  • asking an AI tool to rewrite support notes containing identifiable customer details;
  • uploading screenshots of live event workspaces containing names or contact information.

Examples of potentially acceptable AI use:

  • using fake/sample event data;
  • using anonymized task names without identifiable people or venues;
  • asking for generic UI copy without customer data;
  • summarizing a synthetic test event.

8. Communications Data

WhatsApp, email, push notification, SMS, or similar communication data must be handled carefully.

Personnel and contractors must not:

  • send event messages to unauthorized recipients;
  • use event participant contact information for personal reasons;
  • use event contact information for unrelated marketing;
  • export contact lists unless necessary and authorized;
  • add event participants to unrelated groups or lists;
  • forward customer messages outside approved support or operational workflows.

Communication features should be used for event coordination, service operation, support, testing, or authorized product purposes.

9. Children’s Data

Flowambe is not intended for unsupervised use by children, as defined by applicable law in the relevant jurisdiction. Customer/Event Data relating to a child should not be collected, stored, or processed unless necessary for event coordination and properly authorized by a parent, guardian, or other person with legal authority.

Personnel and contractors should avoid collecting, exporting, screenshotting, or discussing children’s personal information unless necessary for approved Flowambe work.

10. Data Minimization

Collect and retain only what is reasonably necessary.

When setting up a beta event or pilot, ask:

  • Do we need this data to coordinate the event?
  • Can we use a role or alias instead of a full name?
  • Do we need a phone number, or is an email enough?
  • Do we need guest-level data at all?
  • Can we remove sensitive notes after the event?
  • Can we use sample data for testing instead of production data?

Unnecessary sensitive information should not be collected.

11. Storage and Approved Locations

Customer/Event Data should be stored only in approved Flowambe systems, such as the Flowambe application, approved cloud services, approved databases, approved project tools, approved support tools, or approved document repositories.

Customer/Event Data should not be stored in:

  • personal Google Drive, Dropbox, OneDrive, iCloud, or similar accounts;
  • personal email accounts;
  • personal WhatsApp chats;
  • unsecured local folders;
  • public repositories;
  • unapproved note-taking apps;
  • unapproved AI tools;
  • screenshots saved casually to personal devices.

12. Screenshots, Recordings, and Demos

Screenshots, screen recordings, demo videos, and training materials may expose Customer/Event Data.

Before creating or sharing any screenshot or recording, personnel must verify that:

  • the data is fake, anonymized, or approved for the intended use;
  • names, phone numbers, emails, venues, guest details, and sensitive notes are removed or obscured unless needed;
  • the file is stored in an approved location;
  • sharing is limited to authorized people.

Public marketing materials may not include identifiable customer/event details without written permission.

13. Support and Debugging

Support and debugging access should be limited to the minimum data needed to resolve the issue.

When documenting bugs:

  • use event IDs or anonymized descriptions where possible;
  • avoid including full names, phone numbers, emails, or guest details unless necessary;
  • redact screenshots where possible;
  • document the issue without overexposing customer information.

14. Retention and Deletion

Flowambe should define a retention period for beta event data before each pilot.

Recommended default: retain identifiable beta event data for [Insert Retention Period, e.g., 90 days after the event] for debugging, product improvement, security, and recordkeeping, then delete or de-identify it unless continued retention is approved.

Deletion requests should be logged and handled in coordination with the event organizer and legal/operational requirements.

Backups and logs may have separate deletion timelines.

15. Incident Reporting

Any suspected or confirmed data incident must be reported immediately to legal@flowambe.com or another designated Flowambe security/privacy contact.

Examples include:

  • unauthorized access;
  • accidental sharing of event data;
  • sending a message to the wrong recipient;
  • lost or stolen device containing Flowambe data;
  • exposed credentials;
  • data pasted into an unauthorized AI tool;
  • public screenshot containing customer data;
  • contractor retaining data after work ends;
  • suspicious account activity;
  • cloud storage misconfiguration.

Incident reports should include:

  • what happened;
  • when it happened;
  • what data may be affected;
  • who may be affected;
  • who has been notified internally;
  • what steps have been taken.

Do not conceal incidents. Early reporting reduces harm.

16. Mobile App Testing

Mobile app testers and contractors must avoid using real customer data in development or staging environments unless specifically authorized.

Where possible:

  • use test accounts;
  • use synthetic event data;
  • limit production access;
  • avoid sending real notifications from test environments;
  • verify push, email, WhatsApp, and SMS test messages are sent only to approved test recipients;
  • avoid screenshots of production event data in bug reports.

17. Payment Data

If Flowambe begins accepting payments, payment information must be handled through approved payment processors. Personnel should not collect, store, request, or transmit card numbers, bank details, or payment credentials through informal channels such as WhatsApp, email, screenshots, or chat.

18. Confidentiality

Customer/Event Data, product logic, technical architecture, non-public workflows, beta observations, and internal documents are confidential unless approved for public release.

Personnel and contractors must not disclose confidential information to external parties without authorization.

19. Violations

Violations of this policy may result in access removal, termination of contractor relationship, termination of employment, legal action, or other appropriate measures.

20. Policy Review

This policy should be reviewed and updated before:

  • onboarding real beta events;
  • launching mobile apps;
  • accepting payments;
  • expanding WhatsApp, email, SMS, or push notification use;
  • adding new contractors;
  • entering a new country or market;
  • changing data retention practices;
  • adding analytics or AI features;
  • engaging enterprise or high-value customers.