Last updated · 2026-05-26
Privacy Policy
What Flosq collects, what we do with it, and what we promise we'll never do.
Overview
Flosq is a managed local-search visibility platform operated by Flosq, a sole proprietorship registered in California ("Flosq," "we," "our"). This policy explains what data we collect from you and from the third-party services you connect to Flosq — including Google, Microsoft Bing, and others — how we use that data, and the commitments we make about how we will not use it.
If you have any questions, write to sunil@flosq.com. We respond within two business days.
Data we collect
From you, directly:
- →Your name, email, and contact information.
- →Practice information you enter or upload (practice name, address, services, brand voice notes).
- →Billing information processed by our payment provider (Stripe). Flosq does not store full payment card numbers.
From third-party services you connect:
- →Google Business Profile: business location data, performance metrics (calls, direction requests, website clicks, search impressions), posts, reviews, Q&A, and photos.
- →Google Analytics: aggregate website traffic and conversion data for the properties you authorize.
- →Google Search Console: search query, click, impression, and position data for the properties you authorize.
- →Microsoft Bing Webmaster and Bing Places: business listing data and search performance.
- →OAuth refresh tokens scoped exactly to the access required for the integration. We do not request scopes we do not actively use.
Google user data — specific commitments
Flosq's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- →We use Google user data only to provide and improve the user-facing features of Flosq.
- →We do not use Google user data to develop, improve, or train any generalized machine-learning or artificial-intelligence models.
- →We do not transfer Google user data to third parties except as necessary to provide or improve the features visible to you (for example: routing a draft to an approval interface you operate), to comply with applicable law, or as part of a merger, acquisition, or sale of assets, with notice to you.
- →We do not sell Google user data, and we do not use it for advertising purposes.
- →Humans at Flosq access Google user data only (a) with your explicit consent, (b) for security purposes including investigating abuse, (c) to comply with applicable law, or (d) when the data is aggregated and used for internal operations in accordance with applicable privacy laws.
How we use the data
- →To generate drafts (Google Business posts, review replies, Q&A answers, schema, blog content) that you review and explicitly approve before they are published anywhere.
- →To produce visibility audits, weekly digests, and monthly PDF reports delivered to you.
- →To track your search and AI-surface visibility over time so we can show you what has changed.
- →To run our own product analytics on aggregate, non-personal usage of Flosq itself.
The human-approval invariant
Every action Flosq takes that publishes content under your name — a Google Business post, a review reply, a Q&A answer, a schema deploy, a blog post — requires an explicit human approval click inside Flosq before it is published. We do not auto-publish. This is a product invariant, not a configurable setting.
No protected health information
Flosq is scoped to public business marketing data only. Aggregate counts of reviews, search clicks, and similar aggregate metrics are in scope. We do not request, store, or process any patient-identifiable information or other Protected Health Information (PHI) as defined under HIPAA. If you connect a source that would result in PHI flowing into Flosq, we will reject the data at intake and notify you.
Storage & security
- →Data is stored in databases hosted by reputable providers in the United States. Backups are encrypted.
- →OAuth refresh tokens are encrypted at rest.
- →Access is scoped per customer with row-level security; one customer's data is never visible to another.
- →We follow industry-standard practices for credential handling, dependency hygiene, and incident response.
Retention
We retain data for as long as your account is active and for a reasonable period thereafter to comply with our legal obligations and to operate the service. You may request deletion of your account and the data we hold about your practice at any time. We process deletion requests within thirty days. Backups age out within ninety days.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data, and to revoke consent at any time. To exercise any of these rights, write to sunil@flosq.com. You may also revoke Flosq's OAuth access to any connected Google account at any time via your Google Account permissions page.
Sub-processors
We use a small number of vendors to operate Flosq. Each vendor receives only the data necessary to perform its function, and each is bound by its own privacy commitments.
- →Vercel — hosting
- →Neon — managed Postgres database
- →Clerk — authentication
- →Inngest — background job execution
- →Resend — transactional email
- →Cloudflare R2 — file and report storage
- →Stripe — billing
- →Anthropic — large-language-model inference (Anthropic does not train models on Flosq data per their commercial terms)
- →DataForSEO, Perplexity Sonar, Brave Search — search-engine and AI-surface data feeds
- →Sentry, Axiom — error and log monitoring
Changes to this policy
We will update this policy as Flosq evolves. Material changes will be announced by email to active customers at least fourteen days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Contact
Flosq · Menlo Park, California, United States · sunil@flosq.com