Flow-Through
Book a call

Privacy policy

Dated 2 July 2026 · Flow Through Logic Pty Ltd · ABN 15 697 017 842

Our automations run inside your accounts, so this policy is specific about what we access, what we send in your name, and how you switch it all off.

The short version

We connect to the accounts an automation needs, such as your email or your accounting platform (for example Xero), only after you click the provider's own consent screen. That access runs the automations you pay for and nothing else. Every run is logged so you can see exactly what happened, and you can revoke our access in your own account settings at any time.

1. Who we are

Flow Through Logic Pty Ltd (ABN 15 697 017 842, ACN 697 017 842), trading as Flow-Through, is a Canberra software company. We build and run productised automations for Australian small businesses: enquiry replies, quote follow-ups, invoice reminders, review requests, appointment reminders and onboarding packs, each connected to the business's own accounts.

This policy explains how we handle personal information across this website and the automation service, in line with the Australian Privacy Principles under the Privacy Act 1988 (Cth). Privacy questions reach us at service@flow-through.com.au.

2. What this website collects

The information you type into a form is the information the site collects:

  • Booking details. Your name, business name, email address, mobile number, a line about what your business does, and who referred you if someone did. Collected when you book a call.
  • Correspondence. Emails you send us and notes from calls with you.

The site runs without tracking cookies and without third-party analytics. Your browsing here stays your business.

3. What an automation can access

When you buy an automation, you connect the accounts it needs through the provider's own consent screen. You grant the access, the consent screen names every permission before you click, and the connection is visible in your provider's settings from day one. Depending on the automation, that access covers:

  • Email (Microsoft 365, Outlook or Gmail). The automation reads messages that match its job, such as new enquiries or quote threads, and sends replies in your name using wording you approved.
  • Calendar (Microsoft 365 or Google Calendar). The automation reads upcoming bookings so it can send reminders at the right moment.
  • Accounting platform (for example Xero). The automation reads invoice and quote status so it can send reminders while money is owed and stop the moment payment lands.

Each automation asks for the narrowest access that does its job. Access granted for one automation is used for that automation alone.

4. Sending on your behalf

Automations send messages in your business's name, with your consent and using wording you approved on your onboarding call. For the Spam Act 2003 (Cth), these are commercial electronic messages sent with your authority and on behalf of your business: each one identifies your business and carries your contact details.

Messages go to people your business already deals with, your own customers and enquirers. Every automation stops contacting a person the moment the reason for contact ends, for example when a reply arrives or an invoice is paid. Where a message type calls for an unsubscribe route, the automation carries one, and opt-outs are honoured immediately.

5. Every run is logged

Every automation execution is recorded: what came in, what was checked, what went out, and when. The log exists so you can verify exactly what the automation did in your name, and it feeds your monthly numbers email. Run logs are available to you for the life of your subscription.

6. Your customers' information

Running your automations means processing information about your customers: names, email addresses, phone numbers, invoice details and message content. We process that information as your service provider, on your instructions, for the sole purpose of running your automations.

It stays inside the systems listed in section 7 and is deleted on the schedule in section 8. It stays out of marketing lists, out of AI model training and out of any third party's hands. Your customers remain your customers.

7. Where data lives

We run on a short list of infrastructure providers:

  • Supabase (database). Stores automation configuration, run logs and connection tokens, encrypted at rest.
  • Railway (application hosting). Runs the automation engine and this website.
  • Microsoft (email and calendar infrastructure). Where your business runs on Microsoft 365, your mail and calendar data continues to live inside your own Microsoft tenancy; we access it through the connection you granted.
  • Resend (email delivery). Delivers transactional email such as booking confirmations, and processes recipient email addresses to do it.

Your own platforms, such as your Google account or your accounting platform, stay under your ownership and control. We connect to them; we avoid copying them wholesale.

Some of this infrastructure operates in the United States. Where information crosses borders, we take reasonable steps under APP 8 to ensure it is handled consistently with the Australian Privacy Principles.

8. Retention

  • Run logs and outcome events. Kept while your subscription is active, then deleted within 12 months of cancellation.
  • Connection tokens (the OAuth credentials that let an automation reach your account). Deleted within 30 days of cancellation, and immediately on request.
  • Booking and enquiry details. Kept for 12 months after our last contact with you.
  • Payment records. Kept for 5 years, as Australian tax law requires.

9. Revoking access

The access belongs to you, and it switches off from your side at any time:

  • Microsoft 365: remove Flow-Through under your account's app permissions, or through your admin centre.
  • Google: remove Flow-Through under Security, then Third-party access, in your Google Account.
  • Accounting platform: disconnect Flow-Through in your platform's connected apps settings. In Xero, for example, that lives under Settings, then Connected apps.

Revoking access stops the automation on the spot. You can also email us and we disconnect from our side within one business day.

10. Security

Connection tokens are encrypted at rest. Data in transit travels over TLS. Automations hold the narrowest OAuth scopes their job requires, and access to client information is restricted to authorised personnel of Flow Through Logic Pty Ltd and the operational systems that run the service.

11. Data breach notification

If a data breach likely to result in serious harm occurs, we follow the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). We assess suspected breaches promptly and notify the Office of the Australian Information Commissioner and affected people as soon as practicable. Notifications spell out what happened and what to do in response.

12. Your rights

Under the Privacy Act 1988 (Cth), you can:

  • Access the personal information we hold about you.
  • Correct anything inaccurate or out of date.
  • Request deletion, subject to the legal retention periods in section 8.
  • Complain to the Office of the Australian Information Commissioner if you believe your information has been mishandled.

Email service@flow-through.com.au to exercise any of these. We respond within one business day.

13. Changes to this policy

Updates appear on this page with a new date at the top. Material changes are emailed to active clients before they take effect. Our terms of service sit alongside this policy.

14. Contact

Flow Through Logic Pty Ltd, Canberra ACT, Australia. Questions about this policy reach us at service@flow-through.com.au.

The fastest way to get a straight answer about your data is to ask on the call.

Book your 15-minute call