Flowella is committed to protecting your data with robust security and privacy measures. In practice, this means storing only the information needed to run your WhatsApp flows, securing everything with strong encryption, and hosting all infrastructure in a trusted UK-based cloud environment. Flowella is fully GDPR compliant, retaining data only as long as necessary and honouring all individual rights requests to ensure your customers’ data stays private and protected.
Key security properties
Encryption
All data stored in Flowella’s databases is encrypted at rest using AES-256. All data in transit — including WhatsApp messages, API calls, and web traffic — is secured using TLS/HTTPS.
Access controls
Access to production systems is restricted to a small number of authorised team members, and only for legitimate operational reasons. Flowella uses role-based access control, requires multi-factor authentication for administrative access, and maintains audit logs of all administrative actions.
Data residency
All of Flowella’s infrastructure runs in Microsoft Azure’s UK South region (London). Flowella does not use any third-party processors for messaging or infrastructure — everything runs on its own isolated Azure environment, including direct communication with WhatsApp’s official Business API.
GDPR compliance
Flowella is built around GDPR principles: data minimisation, purpose limitation, and transparency. Personal data is never sold, shared with third parties, used for profiling, or used for Flowella’s own marketing. All GDPR-defined individual rights are supported.
Data handling and storage
Flowella practises data minimisation — it only collects and stores what is necessary to provide the service. What is stored:
- WhatsApp phone numbers (and basic identifiers such as profile names) are stored to manage conversations and opt-outs. This allows Flowella to recognise returning users, maintain context, and honour opt-out requests. This data is held securely and can be deleted or anonymised when it is no longer needed.
If your connected platform does not provide adequate message storage, Flowella can store message content on your behalf as a fallback. A common example is logging WhatsApp conversations into HubSpot when your subscription does not support custom channels in the Conversations Inbox. Custom channels in HubSpot are only available on Sales Hub Professional/Enterprise and Service Hub Professional/Enterprise. If you are on a lower tier and still need reliable message history, you can enable message storage in Flowella. In that case, messages are encrypted, retained only as long as needed for your operational and compliance requirements, and can be deleted on request.
Infrastructure and data residency
All of Flowella’s infrastructure is hosted in Microsoft Azure’s UK South region (London), keeping your data within the United Kingdom in an enterprise-grade cloud environment. Flowella maintains full control over its platform and does not use any third-party processors for messaging or infrastructure. Flowella communicates directly with WhatsApp’s official Business API without relying on external messaging gateways. By keeping all data and operations self-contained in Azure, Flowella reduces exposure to outside parties and ensures consistent security and compliance.
Encryption
All stored data is encrypted at rest using AES-256. All data in transit — including WhatsApp messages, API calls, and web traffic between Flowella, WhatsApp, and your devices — is secured using TLS/HTTPS. Whether your data is being saved or transmitted, it is always encrypted and protected from unauthorised access.
Access controls
Access to your data within Flowella is tightly restricted:
- Only a small number of authorised Flowella team members (select engineers or support staff) can access production systems or databases, and only for legitimate operational reasons such as troubleshooting an issue you reported.
- Role-based access control ensures each team member has only the minimum permissions necessary.
- Multi-factor authentication is required for all administrative access.
- All administrative access to servers and databases is logged and audited.
- Staff are trained in confidentiality and data protection best practices.
Data retention and deletion
Flowella retains personal data only for as long as necessary to serve its intended purpose:
- WhatsApp contact information (phone numbers) is stored only while needed for active flows and customer interactions.
- Message content is not stored beyond the moment of processing by default.
- When a contact is no longer required or you stop using Flowella, that contact’s data is deleted or anonymised as part of regular clean-ups or upon your request.
- If you cancel your Flowella account, all personal data held about your account and your WhatsApp contacts is securely removed from Flowella’s systems, except for data Flowella is legally required to retain (such as minimal billing records).
GDPR compliance
Flowella is designed and operated to fully comply with the General Data Protection Regulation (GDPR) and similar data privacy laws. Key commitments:
- Data minimisation — only the data needed to deliver the service is collected and processed.
- Purpose limitation — data is only processed for the specific purpose of delivering the Flowella service. It is never used for profiling, Flowella’s own marketing, or any other secondary purpose.
- No third-party sharing — personal data is never sold or shared with third parties.
- Individual rights — Flowella supports all GDPR-defined rights: access, rectification, erasure, restriction of processing, data portability, and objection. You and your end-users can exercise these rights and Flowella will assist in fulfilling them quickly and transparently.
- Lawful processing — personal data is handled lawfully, fairly, and transparently at all times.

