Effective Date: 1 July 2026 · Version: 1.0 · Last Updated: 1 July 2026
EntityFlo Pty Ltd
ABN: 12 692 755 614
Level 2/14 Edgewater Court, Robina QLD 4226, Australia
Email: privacy@entityflo.com
EntityFlo provides a cloud-based corporate governance, entity-management and compliance platform (the "Platform"). This Privacy Policy explains how we collect, hold, use, disclose and protect personal information, and the rights and choices available to individuals whose personal information we handle.
This policy is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — where they apply to our handling of personal information — the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the New Zealand Privacy Act 2020, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA) and comparable laws in the jurisdictions in which the Platform operates. Region-specific terms are set out in Sections 16–18; if those terms conflict with the rest of this policy for an individual in the relevant region, the region-specific terms prevail.
EntityFlo handles personal information in two capacities, and the distinction governs which rules apply:
The remainder of this policy concerns personal information we handle as controller, except where stated.
The categories of personal information we collect as controller include:
We do not seek to collect sensitive information (as defined in the Privacy Act, e.g. health, racial or political information) about our users as controller. We may incidentally hold sensitive or special-category information that appears within Customer Data; that is handled under the DPA, not this policy.
We collect personal information: directly from you (when you register, configure an account, contact us, attend an event or subscribe); from the customer organisation that authorises your access; automatically through your use of the Platform and website (cookies, logs); and from third parties such as our resellers, referral partners, and publicly available business sources.
Where it is reasonable and practicable, we collect personal information directly from the individual concerned (APP 3).
We use personal information we hold as controller to: provide, administer, secure and support the Platform and user accounts; authenticate users and manage access and permissions; process billing and manage the customer relationship; respond to enquiries and provide support; maintain the security, integrity and availability of our systems and detect and prevent fraud, misuse and security incidents; improve and develop our products and services; send service, administrative and (where permitted) marketing communications; and comply with our legal, regulatory and audit obligations.
Where the GDPR or UK GDPR applies, we rely on the following lawful bases: performance of a contract (to provide the Platform to account-holders and administer the customer relationship); legitimate interests (to secure, support, improve and market our services, and to run our business, balanced against your rights); consent (for certain marketing and non-essential cookies, which you may withdraw at any time); and legal obligation (to meet tax, accounting, security-disclosure and regulatory duties). Where we rely on legitimate interests, you may ask for details of the balancing assessment.
The Platform includes AI-assisted features (including FloSec AI / Flo) that draft resolutions, minutes, filings, reports and similar outputs from a customer's entity data, and a compliance engine that scores obligations and renewals. These features operate on Customer Data, under the customer's control and at the customer's direction, to produce drafts and prompts for human review. They are decision-support tools: EntityFlo does not use them to make decisions producing legal or similarly significant effects about individuals on its own account. These features are optional — the Platform's core functionality operates without them, and a customer that does not wish to send data to an AI provider can choose not to use them.
Where they are used, the necessary Customer Data is processed by our AI provider in the United States as a sub-processor (see Section 6 and Section 7).
We do not subject individuals to solely automated decisions that produce legal or similarly significant effects without human involvement (GDPR Art 22). Customers configuring AI features within their own workflows are responsible, as controller, for any automated decision-making they implement.
Australian transparency note (commencing 10 December 2026). From 10 December 2026, APP 1.7 (introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth)) requires APP entities that use computer programs to make, or do a thing substantially and directly related to making, decisions that could reasonably be expected to significantly affect an individual's rights or interests, to describe that use in their privacy policy. Where any EntityFlo feature falls within APP 1.7 as in force, this Section will set out the kinds of personal information used and the kinds of decisions made. We are reviewing our AI features against APP 1.7 ahead of commencement and will update this Section accordingly.
We disclose personal information as controller to:
We do not sell personal information, and we do not disclose it for third-party direct marketing.
EntityFlo hosts and processes the personal information it holds in Australia — on Amazon Web Services infrastructure in the Sydney region (ap-southeast-2), with immutable (write-once) backups held within Australia. Some of our service providers process limited personal information overseas on our behalf, currently: application performance and error monitoring in the European Union, and AI-assisted features through a provider in the United States. Our sub-processor list (Section 6) identifies each provider and its location.
Before disclosing personal information overseas, we take steps reasonable in the circumstances to ensure the overseas recipient handles it consistently with the APPs (APP 8), including through contractual data-protection commitments.
Where personal information protected by the GDPR or UK GDPR is transferred outside the EEA or UK to a country without an adequacy decision, we rely on appropriate safeguards — the EU Standard Contractual Clauses and, for the UK, the International Data Transfer Agreement / UK Addendum — together with any transfer risk assessment required. A copy of the relevant safeguards is available on request (Section 19).
We maintain technical and organisational security measures appropriate to the risk, including: encryption of data in transit (TLS enforced end-to-end) and at rest (using managed, regularly-rotated encryption keys); single-sign-on identity management with multi-factor authentication and no static access keys; role-based access controls and logical tenant isolation; network segmentation with an isolated data tier and a web application firewall; immutable audit logging and network-traffic logging; immutable (write-once) backups; and personnel confidentiality obligations. EntityFlo is building towards SOC 2 and ISO 27001 and is not yet certified; further detail on our security posture is available to customers on request. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; users must keep their credentials confidential and notify us of any suspected compromise.
We maintain a data-breach response plan. Where an eligible data breach occurs that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988). Where the GDPR or UK GDPR applies, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms. For breaches affecting Customer Data, our notification obligations to the customer are governed by the DPA, which generally requires us to notify the customer (as controller) without undue delay so that the customer can meet its own obligations.
We keep personal information only for as long as necessary for the purposes for which it was collected, to provide the Platform, to meet legal, tax, accounting and regulatory retention requirements, and to resolve disputes and enforce our agreements. When no longer required, we de-identify or securely destroy it. Retention of Customer Data (including on termination, with return and deletion timeframes) is governed by the Terms of Service and DPA.
Subject to the applicable law and to verification of your identity, you may:
Individuals in the EEA, the UK and California have additional rights set out in Sections 16–18.
To exercise a right, contact us using Section 19. We will respond within the time required by the applicable law (generally 30 days under the APPs; one month under the GDPR/UK GDPR). We may decline a request where the law permits, and will give reasons. There is no fee to make a request, though we may charge a reasonable, cost-based fee for access in limited circumstances permitted by law.
Where your request concerns personal information held within Customer Data, we will refer you to the relevant customer organisation as controller and assist that customer to respond.
Within the Platform, we use only strictly necessary cookies and similar technologies — for example to keep you logged in, maintain security and remember your preferences. These are required for the Platform to function.
On our public website (entityflo.com), we use strictly necessary cookies together with Google Analytics, which sets cookies to help us understand how visitors use the site and to improve it. Google Analytics collects information such as your IP address and online identifiers, handled in accordance with Google's privacy terms.
You can accept or decline non-essential cookies (including Google Analytics) through the cookie-preferences control on our website, and change your choice at any time. You can also control or delete cookies through your browser settings, and opt out of Google Analytics using Google's browser opt-out add-on (tools.google.com/dlpage/gaoptout). Where the law in your location requires your consent before we set non-essential cookies, we obtain it. Disabling some cookies may affect website functionality.
We may send you marketing about our products and services where permitted by law. Each marketing message includes an unsubscribe facility, and we comply with the Spam Act 2003 (Cth) and equivalent laws. We do not use sensitive information for marketing. You can opt out at any time without affecting the services you receive.
The Platform is a business tool not directed to children, and we do not knowingly collect personal information from individuals under 16. If you believe a child's information has been provided to us, contact us and we will delete it.
Our website and Platform may link to third-party sites and services we do not control. This policy does not apply to those services; please review their privacy notices.
Where the GDPR or UK GDPR applies to our handling of your personal information as controller, you have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection to processing based on legitimate interests or to direct marketing; and to withdraw consent (without affecting prior lawful processing). You also have the right to lodge a complaint with a supervisory authority (Section 20). Our lawful bases are set out in Section 4, our international-transfer safeguards in Section 7. EntityFlo has no establishment in the EEA or the UK. If and when our processing becomes subject to the GDPR or UK GDPR — for example, when we begin offering the Platform to, or monitoring, customers or data subjects in those regions — we will appoint an Article 27 representative in the relevant region and publish its details here.
Where the New Zealand Privacy Act 2020 applies, you have rights of access to and correction of your personal information, and may complain to the Office of the New Zealand Privacy Commissioner. We comply with the Information Privacy Principles, including IPP 12 in relation to any disclosure of personal information outside New Zealand.
If you are a California resident, you have the right to: know the categories and specific pieces of personal information we have collected, the sources, purposes and categories of recipients; request deletion; request correction; and not be discriminated against for exercising your rights. We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA, and we do not use or disclose sensitive personal information for purposes requiring an opt-out. The categories of personal information we collect, and the purposes for which we use them, are described in Section 2 and Section 4. You may exercise your rights via Section 19; you may use an authorised agent, and we will verify your request as the law requires.
For any privacy question or to exercise a right, contact our Privacy Officer:
EntityFlo Pty Ltd
ABN: 12 692 755 614
Privacy Officer
Level 2/14 Edgewater Court, Robina QLD 4226, Australia
Email: privacy@entityflo.com
If you are concerned about how we have handled your personal information, please contact our Privacy Officer first (Section 19) so we can try to resolve it. We will acknowledge your complaint and respond within a reasonable time, generally 30 days. If you are not satisfied, you may complain to the relevant regulator:
We may update this policy from time to time. The current version is always posted at entityflo.com/privacy-policy with the effective date above. Where changes are material, we will take reasonable steps to notify account-holders. Continued use of the Platform after an update takes effect constitutes acknowledgement of the updated policy.