Draft — not final. This Privacy Policy is a working draft.

Legal

Privacy Policy

How Fluno collects, uses, stores, and protects personal data — for the hotels who use Fluno and the guests whose conversations pass through it.

Last updated: 31 May 2026 · Effective: on public launch

On this page
  1. Introduction
  2. Who this policy covers
  3. Information we collect
  4. How we use information
  5. Legal bases (DPDP Act)
  6. Where your data is stored
  7. How long we keep it
  8. Sharing & sub-processors
  9. AI & your data
  10. How we secure data
  11. Your rights
  12. Cookies
  13. Children's privacy
  14. Changes to this policy
  15. Contact & grievance officer

1Introduction

Fluno ("Fluno", "we", "us", "our") provides an AI-powered guest-messaging service that hotels connect to channels such as WhatsApp, Instagram, Facebook, web chat, and voice. This Privacy Policy explains what personal data we handle, why, how long we keep it, who we share it with, and the rights you have.

This policy works alongside our Terms of Service. Where this policy and the Terms describe the same topic, they are read together.

2Who this policy covers

Fluno handles two kinds of personal data, in two different roles:

If you are a guest who messaged a hotel using Fluno, please direct data requests to that hotel in the first instance; we will support them in responding.

3Information we collect

a. Hotel account information

Your name, work email, phone number, hotel name and address, and billing details needed to operate your subscription.

b. Guest conversation data

Messages exchanged with guests over connected channels, the contact identifiers those channels provide (e.g. phone number or handle), and booking-related details shared in conversation (dates, room type, guest count).

c. Technical & usage data

Operational telemetry such as latency, error rates, model usage, and aggregated product analytics (no guest PII).

d. What we do not collect

We do not collect or store guest payment-card details — those flow directly through your payment provider. Voice calls are transcribed and the audio is discarded; we keep the transcript only.

4How we use information

We do not use personal data for advertising, and we do not sell it (see §8).

5Legal bases (DPDP Act)

We process personal data under India's Digital Personal Data Protection Act, 2023 — principally on the basis of (a) the hotel's instructions and our contract with the hotel, (b) the consent the hotel obtains from its guests, and (c) our legitimate need to secure, support, and bill the service. Where consent is the basis, it can be withdrawn at any time (see §11).

6Where your data is stored

All guest and hotel data is stored on Amazon Web Services in the Mumbai region (ap-south-1). Databases, conversation logs, and backups stay within India; we do not replicate data outside India. A guest messaging from abroad is still processed in Mumbai and the reply returns by the same path.

7How long we keep it

Data typeRetentionWhy
Conversation messages90 days active · 12 months archiveFollow-up context; audit & dispute resolution
Booking records7 yearsIndian hospitality & tax compliance
Guest contact detailsWhile account activeDeleted within 30 days of account closure
Audio recordingsNot storedTranscript only is kept
AI model logs30 daysDebugging; PII redacted before review
Backups30 days, encryptedDisaster recovery; rolling deletion

8Sharing & sub-processors

We do not sell, rent, or trade personal data, and we do not share one hotel's data with another. We share data only with the sub-processors needed to run the service, each under a signed Data Processing Agreement covering residency, access controls, and breach notification.

Sub-processorPurposeResidency
Amazon Web ServicesInfrastructureMumbai, India
AnthropicLLM inferenceZDR — no data retained
OpenAILLM inference (fallback)ZDR — no data retained
WhatsApp Business APIMessaging gatewayIndia
TwilioSMS fallbackSingapore (encrypted in transit)

We notify customers 30 days before adding a new sub-processor.

9AI & your data

Your guest conversations are never used to train Fluno's models or our LLM providers' models. Our providers have signed Zero Data Retention agreements, so prompts are not retained by them. If we ever offer an optional AI-improvement program, it will be strictly opt-in with clear scope.

10How we secure data

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are never stored in plain text. Production access is limited to a documented list of engineers reviewed quarterly, protected by single sign-on and hardware security keys, and every access is logged. Support staff can read your data only after you raise a ticket, scoped to your account.

11Your rights

You can, at any time:

Email support@tryfluno.com; we respond within 7 working days.

12Cookies

Our marketing site uses no third-party cookies, no fingerprinting, and no remarketing pixels. The product app uses one essential session cookie (fluno_session) that expires when you log out.

13Children's privacy

Fluno is a business tool for hotels and is not directed at children. We do not knowingly collect data from anyone under 18; if we learn we have, we delete it.

14Changes to this policy

We may update this policy as the service evolves or the law changes. Material changes will be notified by email or in-dashboard before they take effect, and the "last updated" date above will change.

15Contact & grievance officer

All privacy & data requests: support@tryfluno.com

Data Protection Officer (DPO): Paras Khushalani

Postal: Fluno, c/o RPK Agrotech Exports Pvt Ltd, Plot No 351, Sector No 1/A, Gandhidham — 370201, Gujarat, India

We aim to respond to privacy inquiries within 2 working days. You also have the right to complain to the Data Protection Board of India.

← Back to tryfluno.com