Privacy Policy

ChaseFlow Pte Ltd ("ChaseFlow", "we", "us", or "our") operates the ChaseFlow platform at chaseflow.com and the ChaseFlow application at app.chaseflow.com, including related APIs, integrations, and communication channels (collectively, the "Service").

This Privacy Policy explains what personal data we collect, why we collect it, how we process and protect it, and your rights regarding your data. It applies to all users of our Service — whether you are a business customer, a counterparty contacted through our platform, or a visitor to our website.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

The data controller responsible for your personal data is:

Where we process personal data on behalf of our business customers (e.g., counterparty contact details uploaded to the platform), we act as a data processor. The customer is the data controller and is responsible for ensuring they have a lawful basis to share that data with us.

• Service delivery: operate the platform, process invoices, send follow-up communications on your behalf, generate reports.
• Account management: create and manage accounts, authenticate identity, process payments.
• Communication: transactional emails, service updates, and — with consent — marketing.
• Voice and messaging: outbound calls and messages to counterparties, including AI-assisted voice agents as described in our Trust page.
• Analytics and improvement: understand usage, monitor performance, improve features.
• Legal compliance: comply with laws, regulations, or enforceable governmental requests.
• Security and fraud prevention: detect, prevent, and address fraud, abuse, security risks.

• Contract performance: processing necessary to provide the Service.
• Legitimate interests: analytics, security, fraud prevention, product improvement.
• Consent: marketing communications, non-essential cookies, certain messaging.
• Legal obligation: tax, accounting, AML, or other regulatory requirements.

Where we act as processor on behalf of our customers, the customer is responsible for establishing the appropriate legal basis for processing counterparty data.

We do not sell your personal data. We may share data with:

• Service providers and sub-processors: cloud hosting, email delivery, voice/SMS infrastructure, payment processing, and analytics — bound by data processing agreements.
• Accounting integrations: data synced back to your connected accounting software as instructed by you.
• Legal and regulatory authorities: when required by law, court order, or regulatory obligation.
• Business transfers: in connection with a merger, acquisition, or sale of assets.

ChaseFlow is headquartered in Singapore and operates globally. Your data may be transferred to and processed in countries outside your jurisdiction. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses, adequacy decisions, and binding data processing agreements with sub-processors.

We use essential cookies (authentication, security), analytics cookies (with consent), and functional cookies (preferences). You can manage cookie preferences through your browser. Disabling essential cookies may impair the Service.

• Account data: retained for the duration of your account.
• Invoice and counterparty data: retained for audit, reporting, and historical reference, unless you request deletion.
• Communication logs: retained for compliance, dispute resolution, and reporting purposes.
• Analytics: aggregated and anonymised data may be retained indefinitely.

You can delete your data at any time via your ChaseFlow dashboard. Once deleted, data is permanently removed within 30 days, except where retention is required by law.

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls with multi-factor authentication.
• Regular security assessments and vulnerability scanning.
• Incident response with 72-hour breach notification (GDPR).
• Sub-processor due diligence and binding DPAs.

You may have rights to access, rectify, erase, restrict, port, or object to processing of your personal data, and to withdraw consent at any time.

To exercise these rights, contact privacy@chaseflow.com. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Some outbound calls and messages sent through the Service are AI-assisted. Recipients are informed in line with applicable law, and may request to speak with a human or to opt out at any time. See our Trust page for full transparency on how AI is used in customer communications.

The Service is not directed to individuals under 18. We do not knowingly collect data from children. If we become aware of such collection, we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the Service at least 30 days before they take effect.