Privacy Policy

1. Who we are

Flo With Anup (“Flo With Anup,” “we,” “us,” or “our”) is a movement-education service operated by Anup, based in New Jersey, United States, with technology infrastructure hosted in the United States and India.

This Privacy Policy explains what personal information we collect when you use our website, mobile experience, classes, programs, and related services (collectively, the “Service”), how we use that information, who we share it with, and the rights you have over your data.

Questions about this policy can be sent to privacy@flowithanup.com.

2. What we collect

We collect the following categories of personal data:

• Account data — email address, name, country / timezone, profile photo (if you upload one), and account password (stored as a salted hash, never in plaintext).
• Subscription and billing data — your plan, billing cycle, payment method type, the last four digits of your card, billing history, and invoice records. We do not store full card numbers; those are held by our payment processors.
• Usage data — class attendance, live-class check-ins, video watch progress, streak counts, intake questionnaire answers, and program enrolment status.
• Communications — messages you send through our contact, intake, support, and waitlist forms, and any replies we send back to you.
• Device and browser metadata — IP address, browser user-agent, approximate geolocation (country and region only, derived from IP), referrer URL, and request timestamps. Used for security, fraud detection, and currency / language defaults.

3. Why we collect it

We use the data above to:

• Deliver the Service you signed up for — class access, video playback, progress tracking, schedule reminders, and account management.
• Process payments, manage subscriptions, send receipts, and respond to billing disputes.
• Recommend relevant content (for example, surfacing the next lesson in a program based on what you have already watched).
• Detect and prevent abuse, fraud, and unauthorised access to your account or our platform.
• Provide customer support and respond to questions about your account, billing, or class experience.
• Comply with legal obligations — for example, retaining payment records for the period required by tax authorities.

4. Data processors we share with

We use the following third-party processors to run the Service. Each is bound by a written data-processing agreement and may only use your data on our instructions:

• Razorpay — Payment processing (India, INR transactions). Privacy policy: razorpay.com/privacy
• Stripe — Payment processing (international, USD/EUR/GBP transactions). Privacy policy: stripe.com/privacy
• Supabase — Database + authentication hosting (US, AWS us-east-1). Privacy policy: supabase.com/privacy
• Vercel — Web hosting + global content delivery network. Privacy policy: vercel.com/legal/privacy-policy
• Bunny.net — Video content delivery network. Privacy policy: bunny.net/privacy
• Resend — Transactional email delivery (US). Privacy policy: resend.com/legal/privacy-policy
• Cal.com — Booking + calendar scheduling (international). Privacy policy: cal.com/privacy

We do not sell your personal information. We share data with these processors only to the extent needed to deliver the Service.

5. Per-region rights

European Union and United Kingdom (GDPR & UK GDPR)

If you are located in the EU, the EEA, or the United Kingdom, you have the following rights under the General Data Protection Regulation and the UK GDPR:

• The right to access the personal data we hold about you.
• The right to rectification of inaccurate data.
• The right to erasure (the “right to be forgotten”).
• The right to data portability — receiving a copy of your data in a machine-readable format.
• The right to restriction of processing.
• The right to object to processing based on our legitimate interests.
• The right to withdraw consent at any time, where processing is based on consent.
• The right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@flowithanup.com or use the data-export and account-deletion tools under Settings → Privacy in your dashboard. We respond within 30 days.

California (CCPA & CPRA)

California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• The right to know what personal information we collect, use, disclose, and sell or share.
• The right to delete personal information we have collected from you.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of personal information. We do not sell personal information; if our practices change, you may opt out at flowithanup.com/legal/ccpa-opt-out.
• The right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a CCPA right.

India (Digital Personal Data Protection Act 2023)

If you are a data principal located in India, you have the following rights under the Digital Personal Data Protection Act, 2023:

• The right to access your personal data.
• The right to correction and completion of your data.
• The right to erasure of your data.
• The right to grievance redressal — contact privacy@flowithanup.com as our designated grievance officer.
• The right to nominate another individual to exercise these rights in the event of death or incapacity.

If we cannot resolve your concern, you may approach the Data Protection Board of India.

6. Retention

We keep personal data only as long as we need it:

• Account data — retained while your account is active and for 30 days after you request deletion (soft-delete grace period, so you can recover the account if you change your mind).
• Class attendance and video progress — retained for 24 months from the most recent activity, for product analytics and to keep your streak data intact.
• Payment records — retained for 7 years to comply with tax and accounting statutes in India and the United States.
• Support communications — retained for 24 months for quality and audit purposes.
• Server access logs — retained for 90 days for security and fraud investigation.

7. International transfers

Because our processors and infrastructure span the United States, the European Union, and India, your personal data may be transferred outside your country of residence.

When EU or UK personal data is transferred to India or the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism, together with supplementary technical safeguards (encryption in transit and at rest, RLS-enforced tenant isolation).

If you want a copy of the SCCs we rely on, email privacy@flowithanup.com.

8. Children’s data

The Service is not directed to children under the age of 13 in the United States (per the Children’s Online Privacy Protection Act), and is not directed to children under 16 in the European Union. We do not knowingly collect personal data from children below these ages.

If you believe a child has provided us with personal data, please contact privacy@flowithanup.com and we will delete the data promptly.

9. Security

We protect your data using:

• TLS 1.2+ encryption for all data in transit between your device and our servers.
• Encryption at rest for all stored personal data, including database tables and object-storage buckets.
• Row-level security policies in our database to enforce multi-tenant isolation — each user can only access their own rows.
• Salted password hashing using industry-standard algorithms; we never see or store your password in plaintext.
• Regular dependency auditing, security advisories, and least-privilege access controls for our team.

No system is 100 % secure. If you suspect a security incident affecting your account, contact us immediately at privacy@flowithanup.com.

10. Contact

For any privacy-related question, request, or complaint, email us at privacy@flowithanup.com. We aim to acknowledge within 5 business days and resolve within 30 days.

11. Changes to this policy

We may update this Privacy Policy from time to time as our Service, processors, or legal obligations change. The “Last updated” date at the top of this page reflects the most recent revision.

For material changes that affect your rights or the ways we use your data, we will notify you in advance by email and via a banner in the Service. Continued use of the Service after the effective date constitutes acceptance of the revised policy.