Privacy policy
1. Introduction
MysticFlo Technologies (operating as "MystFlo," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and Chrome extension ("MystFlo WhatsApp Connector").
MystFlo is a virtual assistant platform that provides automation workflows and AI agents for solo founders and small business owners. Our platform enables you to connect your business applications and activate virtual assistants to automate business processes.
By using MystFlo, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information we collect
2.1 Account information
When you create a MystFlo account, we collect:
- Email address (required)
- Name (optional)
- Authentication credentials (hashed, never stored in plain text)
- Account preferences and settings
2.2 Connected app credentials
When you connect third-party services (WhatsApp Business, Google, Stripe, etc.), we collect API access tokens, refresh tokens, account identifiers, and OAuth authorization codes.
All credentials are encrypted with AES-256-GCM before storage. We never store credentials in plain text. Credentials are decrypted only server-side when needed to execute your assistants, and are never exposed to the frontend or logged.
2.3 Chrome extension data
The MystFlo WhatsApp Connector extension collects WhatsApp Business API credentials and session tokens for authentication. The extension does NOT collect browsing history, personal messages, cookies, or any data outside of Meta Business Suite pages.
2.4 Usage data
We automatically collect feature usage analytics, error logs (without sensitive data), session metrics, assistant execution counts, and billing metrics.
2.5 Payment information
Payment processing is handled by Stripe. We store payment method identifiers (card last 4 digits, expiration, brand), billing address, and transaction history. We do not store full credit card numbers or CVV codes.
3. How we use your information
We use collected information to provide services, secure your account, process payments, improve our platform, provide customer support, and send important updates.
We do NOT sell your personal data, use your data for advertising, share credentials with unauthorized parties, or access the content of messages processed by your assistants.
4. Data storage and security
- All API credentials encrypted at rest using AES-256-GCM
- Data in transit protected via TLS 1.3
- Data stored on Supabase (PostgreSQL) with Row Level Security
- Infrastructure compliant with SOC 2 Type II standards
- Multi-tenant isolation ensures users can only access their own data
- Regular security audits and penetration testing
5. Third-party services
MystFlo integrates with Supabase (database/auth), n8n (workflow automation, self-hosted), Stripe (payments), Meta/WhatsApp (messaging), Google (OAuth/workspace), and OpenAI (AI capabilities). Each service has its own privacy policy.
6. Data retention
- Account data: Retained while active, deleted within 30 days of closure
- Credentials: Deleted immediately upon disconnecting an integration
- Usage logs: Retained for 90 days, then anonymized or deleted
- Billing records: Retained for 7 years as required by financial regulations
- Extension data: Session tokens expire after 15 minutes
7. Your rights
You have the right to access, correct, delete, and export your data. You can disconnect integrations and revoke access at any time. To exercise these rights, contact privacy@mystflo.com. We respond within 30 days.
8. Chrome extension disclosures
The extension requests storage (session tokens), activeTab (credential extraction from Meta pages), and tabs (domain detection) permissions. It only accesses business.facebook.com, *.mystflo.com, and *.supabase.co. No automatic data collection occurs — all actions require explicit user interaction.
9. Children's privacy
MystFlo is not intended for users under 18. We do not knowingly collect information from children. Contact privacy@mystflo.com if you believe a child has provided us data.
10. International data transfers
Your data may be processed outside your country of residence. We ensure appropriate safeguards including Standard Contractual Clauses, Data Processing Agreements, and compliance with GDPR, CCPA, and applicable data protection laws.
11. Changes to this policy
We may update this policy periodically. Material changes will be communicated via email or platform notification. Continued use after changes constitutes acceptance.
12. Contact
- Email: privacy@mystflo.com
- Support: support@mystflo.com
- Location: Malaysia