Privacy Policy

Last updated: 28 May 2026

This policy describes what information Boatflow collects, how we use it, where it lives, and what control you have over it. It applies to the Boatflow marketing site (boatflow.in), the Boatflow management app, and the customer booking sites we host on behalf of our tenants.

1. Who we are

"Boatflow" / "we" / "us" refers to the operators of boatflow.in. We are based in India. You can reach us at hello@boatflow.in.

2. Information we collect

We collect three categories of information.

2.1 Account information you give us

  • Name, email and phone number used to sign up
  • Business / agency name, optional GST number, optional business address
  • Password (stored as a one-way hash — we never see the plain text)
  • Profile photo, logo and branding assets you upload
  • Razorpay credentials you enter to enable payment links (encrypted at rest)

2.2 Operational information you put into the app

  • Boats, agents, bookings, leads and the documents attached to them
  • Customer contact details and booking history you record
  • WhatsApp conversations routed through the Meta WhatsApp Business API
  • Notes, audit logs, attendance and break records for your team

2.3 Information we collect automatically

  • Device type, browser, IP address and approximate location (for security + abuse prevention)
  • Pages viewed and actions taken inside the app (for product improvement and bug diagnosis)
  • For agent accounts: precise GPS location while the app is open, used to confirm field attendance

3. How we use it

  • To provide the platform — sign-in, bookings, payments, notifications, reports
  • To enforce tenant isolation so one customer cannot see another customer's data
  • To send transactional emails and push notifications you've opted into
  • To detect abuse, prevent fraud, and respond to legal requests
  • To improve the product — aggregated, never personally identifiable

We do not sell your data. We do not run ads. We do not share your data with third parties for marketing.

4. Where it lives

Your data is stored on servers in India, in an encrypted MySQL database with daily snapshot backups. Files (photos, documents) are stored on Amazon S3 (Mumbai region). Payment information is processed directly by Razorpay — we never store full card numbers.

5. Sub-processors

Boatflow uses the following sub-processors. Each handles a narrow purpose:

  • Razorpay — payment links, webhooks and payout processing
  • Meta WhatsApp Business API — WhatsApp messaging and inbox sync
  • Fast2SMS — phone OTP delivery
  • Amazon Web Services (S3, Mumbai) — file storage
  • SMTP provider — transactional email delivery

6. Your rights

  • Access — request a copy of all data we hold about you
  • Export — download your bookings, customers and reports as CSV
  • Correction — edit any field directly in the app, or ask us
  • Deletion — close your account; we permanently remove your tenant data within 30 days
  • Object / restrict — opt out of non-essential notifications from app settings

Email hello@boatflow.in to exercise any of these. We aim to respond within 7 working days.

7. Cookies and similar technologies

The marketing site uses no third-party analytics or advertising cookies. The Boatflow management app uses a session token (stored in your browser's localStorage) and a service worker for the installable PWA experience.

8. Children

Boatflow is a B2B platform. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us information, email us and we will delete it.

9. Customer data on a tenant's booking site

When a customer fills in the booking form on a tenant's customer-facing site (e.g. bookings.youragency.com), the resulting lead and contact details belong to that tenant under their privacy policy — we are a processor on the tenant's behalf. The tenant is the data controller for their bookings.

10. Security

Sanctum bearer tokens with revocation, single-device login enforcement, role-based access control, multi-tenant isolation at the ORM level, TLS for all traffic, automated dependency scanning. We will notify affected users within 72 hours of any confirmed breach.

11. Changes to this policy

We update this page when material changes happen. We will notify active accounts via email when the changes affect your data rights. The "Last updated" date at the top reflects the latest revision.

12. Contact

Questions? Email hello@boatflow.in.

Note: This policy is written in plain language for clarity. It is not a substitute for advice from a lawyer about your specific situation.