Services Privacy Policy

FloQast Services Privacy Policy

Effective Date: July 1, 2020

This policy describes how FloQast, Inc. collects and handles personal information that customers provide through or in conjunction with the FloQast Services that link to this policy (“FloQast Services”). It also describes your choices regarding use, access and correction of your personal information.

This policy refers to FloQast, Inc. as “we,” “us” and “our.” References to “you” and “your” are to the owners of the data input into the FloQast Services. This generally is our customers, the companies and organizations that have subscribed to the FloQast Services, and their licensed users.  If you are an individual license user whose data is provided to us, controlled by a customer of ours and input into the FloQast Services by such customer, please direct your privacy-related inquiries to the company or organization that has subscribed to the FloQast Services, as more fully described in “Data Access and Choice” below.

Information Provided by You

You provide us with several kinds of information: Customer Data, Administrative and Personal Data and Billing Data.

Customer Data is the information submitted into the FloQast Services when you use the FloQast Services or when you receive customer support. This includes accounting Customer details such as Customer name, address, fiscal year end and ERP used, Customer accounting details provided pursuant to the provision of the FloQast Services, as well as information derived by the operation of the FloQast Services from such submissions, such as reports and checklists. Customer Data may be submitted directly by you.

The FloQast Services are designed to centralize aspects of Customer financial and accounting practices.  As part of this functionality, our software interacts with several Storage Provider platforms, Google Drive, OneDrive, Box, Dropbox, and Egnyte. In order to facilitate communication between each integration our software makes use of the OAuth 2.0 protocol in order to interact with each subsequent storage provider on behalf of the user. FloQast never has access to user passwords during the OAuth process and is only able to access resources each user has given FloQast explicit permission to access. Storage Provider data we collect includes an access token and refresh token obtained on behalf of the user from the OAuth process, storage provider specific folder and file identifier, storage provider file data, and a storage provider specific user identifier.

In order to centralize financial and accounting practices, the FloQast services interact with General Ledger platforms, Netsuite and Intacct. The FloQast Services use OAuth 1.0 as well as credential based authentication in order to interact with Netsuite or Intacct. General Ledger data we collect includes an access token obtained from the OAuth process used to interact with authorized APIs within the General Ledger provider, credential sets provided by the Customer used to interact with authorized APIs within the General Ledger provider, and high level accounting details as explicitly provided by the Customer for the provision of the FloQast Services.

Our system processes Customer Data strictly on your behalf in order to provide you the FloQast Services and perform our contractual obligations to you. We restrict our employees’ access to Customer Data to (1) support, client services and technical staff, who with your consent may have access to your Customer Data to provide customer support, technical troubleshooting and professional services, and (2) a limited number of operations personnel, who may have controlled access to Customer Data for troubleshooting and system maintenance. We use Customer Data to provide you the FloQast Services and to address customer support requests and technical problems.

Our servers automatically record certain information about how a person uses the FloQast Services (we refer to this information as “Log Data”), including both site visitors and users of the FloQast software (either, a “User”). Log Data we collect includes the User’s IP Address, browser User agent, operating system, the web page a user was visiting before accessing our services, pages or features within the FloQast Services to which a User browsed and links within the FloQast Services in which a user clicked on.

Administrative and Personal Data is information you provide during set-up, purchase or administration of the FloQast Services. This includes Customer name, Customer business address, email and phone number, and individual users’ names, emails, phone numbers, IP addresses, account credentials and professional title to the extent this information is provided by Customer.

We collect, store and use Administrative and Personal Data to perform our contractual obligations to you and/or for our legitimate business interests. Specifically, we use Administrative and Personal Data to provide the FloQast Services to you, administrate your account, provide customer support and professional services, keep a records of our dealings with you, notify you of new product offerings and of changes, updates and availability of the FloQast Services, understand your experience using the FloQast Services (for example, by sending you surveys), conduct research, improve the FloQast Services, plan and host events, contact you with marketing communications, and identify and prevent fraud.

Billing Data is financial qualification and billing information you provide as our customer when you purchase, subscribe for, renew or expand the FloQast Services. This includes name, billing address, credit card information, credit references and other financial data.

We use Billing Data for our legitimate business interests: to process or collect payment for your transactions with us, keep a record of our dealings with you, and prevent fraud. We store Billing Data for use in your future transactions with us.

Information Collected by Us

In relation to the use of the FloQast Services, we collect the following information for our legitimate business purposes: Our product uses cookies and similar technologies. Cookies are small data files that websites associate with visitors to facilitate the proper, efficient or secure operation of the website. The FloQast services use the following types of cookies:

Type Description Expiration Timing
Session Identification (Required) These cookies are required to access the FloQast Services. When a user logs in, a cookie is generated with encrypted information tied to the user account, which is placed onto the browser. These cookies allow us to identify the user when he/she is logged in to perform online requests. One required cookie is also used to prevent the same user from logging into the FloQast Services from multiple browsers at the same time. When browser is closed, or after a session timeout, user logout or when you clear cookies from your browser.

Cookies are essential for the proper operation of the FloQast Services. We do not provide an opt out for cookies identified above. In your browser, you can opt out of or delete the other cookies. We do not recommend opting out of cookies, as this will adversely impact the functionality of, and your access to, the FloQast Services.

In addition, we use Pendo.io for certain pages on our product website. This tool helps us understand how often users visit our product website and what pages they visit. We use this information to analyze how our website is used and for website and product development and improvement. You can opt out of Pendo.io by disabling cookies on your browser.

IP Addresses: We collect the Internet Protocol (IP) address of the computer used to access the FloQast Services. We use IP addresses for added security of the FloQast Services and to optimize the performance of the FloQast Services. A security feature of the FloQast Services allows a client’s administrator to review the list of IP addresses from which the client’s FloQast account has been accessed. We do not provide an opt-out option for IP addresses.

Statistical Data: When you use the FloQast Services, we may collect statistical information (metadata), such as server log files, usage patterns and frequency. Such statistical information does not include Customer Data. We may use this statistical information for product improvement.

Data Retention

We retain Customer Data for the duration of your subscription to the FloQast Services. After your subscription expires, we retain Customer Data for at least 30 days and may store it for up to an additional 30 days, unless Customer specifically requests immediate return or deletion of such Customer Data. Customer Data may be retained beyond that period in data backups, which may be stored for up to 1 year. Customer Data is deleted using secure deletion methods including digital shredding of encryption keys and hardware destruction in accordance with relevant guidelines.  We retain Customer Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

We keep Administrative or Personal Data and Billing Data as part of our business and accounting records for the duration of your relationship with us and thereafter for so long as necessary for our legitimate business purposes.

Please, refer to the table above for information on cookie expiration. We currently do not delete IP addresses, Statistical Data and Anonymous Data.

Disclosure of Information

We will disclose your data to third parties only as directed by you, as described in your agreements with us and in this policy, or as required by law.

  • We may contract with other companies to provide services or functionality on our behalf. If we do so, we may share Customer Data and/or Administrative and Personal Data with such providers to the extent necessary for their engagement. In such cases, we will require such providers to maintain the confidentiality of your information and to use it only for the purposes of their engagement by us. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and our agreements with you.
  • We store encrypted copies of our database backups in facilities provided by Amazon Web Services and MongoDB. These third parties do not have the right to access such data.
  • Anonymous Data does not identify you or your users and, therefore, we may disclose it to third parties as appropriate to support our business needs.

We also may disclose your information if we believe in good faith that it is necessary to (1) respond to a subpoena or request by government authorities or comply with any law, regulation, legal process, administrative or other government proceeding, (2) protect against misuse or unauthorized use of the FloQast Services, (3) prevent or address fraud; (4) enforce our rights, policies and agreements or defend ourselves in legal or government proceedings; or (5) protect our rights, property or safety, or those of third parties.

Unless we are prohibited by law, we will attempt to notify you of any request to disclose your Customer Data to the authorities or any other party and, where appropriate, refer such requests directly to you.

We may transfer some or all of our assets, including data, in connection with a merger, acquisition, or sale of assets, or if we dissolve, reorganize our business, or cease operating as a going concern (for example, in the event of a bankruptcy).

Information Security

We maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of your Customer Data that are consistent with industry standards. Our data security measures include (but are not limited to):

  • Integration of application security into the agile product development lifecycle with both manual and automated controls to address static testing and dynamic code analysis;
  • Regular internal and external penetration testing against both our application and associated supporting infrastructure;
  • Intrusion detection systems monitoring both network and hosts;
  • Data encryption in transit to and from us;
  • Hashing/salting of passwords;
  • Physical security measures;
  • Multiple levels of backup data protection;
  • Fully redundant backup data center capability and failover recovery covered by our SLA;
  • SSAE16 SOC1 Type II externally audited at least once per year by a third-party Report on Compliance;
  • Mandatory FloQast-internal security controls, including: multi-factor authentication; password complexity; protocols to prevent brute-force authentication attempts.

Information Location and Transfers

We store Customer Data, Administrative and Personal Data and Billing Data in the United States. In some cases, storage of information may be based on the European Commission’s Standard Model Clauses for transfers of personal data outside the European Economic Area (EEA).

Data Access and Choice

We are a data processor of Customer Data, which is controlled by you, our customers. You are responsible for complying with all privacy laws and regulations applicable to you as a user of the FloQast Service and controller of your own Customer Data. We have no direct relationship with the individuals whose personal data we process as part of Customer Data. We acknowledge that the individuals have the right to access their personal information. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his query to you, our customer (the data controller). If requested to remove the data, we will respond to the individual within reasonable timeframe and direct the request to our customer.

Upon request we will provide you with information about whether we hold any of your personal information in Administrative and Personal Data or Billing Data. If you want to edit and/or change any Administrative or Personal Data or Billing Data (other than Customer ID or user ID, which cannot be changed without creating a new account and/or new user) you can do so at any time by using your Customer ID, user ID, and password to access your account. Please contact  legal@floqast.com  for further instructions about deleting or deactivating your FloQast account.

You can opt out from our marketing messages by clicking on the “unsubscribe” link included in them or by contacting your FloQast account executive. Such opt out will not extend to transactional or relationship messages

Rights of EEA Residents

If you are based within the EEA or another jurisdiction with similar data protection laws, in certain circumstances you have the following rights: to be told how your information is used and obtain access to your information; to have your information rectified or erased or place restrictions on processing your information; to object to the processing of your information (e.g. for direct marketing purposes); to have the information you provided on an automated basis returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”); where the processing of your information is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions; to object to any decisions based on the automated processing of your personal data, including profiling; and to file a complaint with the applicable supervisory authority responsible for data protection matters.

Changes to This Policy

We may update this policy to reflect changes to our information practices. If we make any material changes, we will notify you by email (sent to the email address of your FloQast subscription representative on record with us), by notice posted to our publicly accessible website (www.floqast.com) or by a notice posted in the FloQast Services prior to the change becoming effective. We encourage you to periodically review this page for the latest information about our privacy practices.

Contact Us

You may direct questions regarding our Privacy Policy to legal@floqast.com, or by telephone to FloQast’s legal department at (818) 647-1168, or via mail to FloQast, Inc., 14721 Califa St, Los Angeles, CA 91411 USA.