Privacy Policy

Last updated: June 2026

FoundFlow (“the App”, “we”, “us”) is a private, internal Lost & Found management platform for hotels. This policy explains what data we process, why, and how we protect it. FoundFlow is an operational tool for hotel staff and administrators; it is not a guest-facing service.

1. Information We Collect

We do not require or intentionally collect guest personal data.

2. How We Use Data

We do not sell personal data or use it for advertising.

3. Security & Hotel Data Separation

FoundFlow is multi-tenant: each hotel's data is strictly isolated and scoped server-side. Passwords, PINs, and security answers are stored only as one-way cryptographic hashes (Argon2). Access uses signed session tokens with expiry, login attempts are rate-limited, and transport is encrypted over HTTPS.

4. Data Retention

Records are retained while the hotel account is active. When a hotel account is deleted, its users, records, and photos are removed.

5. Data Deletion Requests

Any signed-in user can request deletion of their account and personal data in the app via Settings/Profile → “Request account deletion”, or by emailing us. Because accounts are organization-managed, we verify each request with the hotel before removal. Verified requests are actioned within 30 days. Requests: admin@foundflow.net.

6. Third-Party Services

We use a transactional email provider (Resend) to deliver admin invitations and password-reset links. Only the recipient email address and message content are shared for this purpose.

7. Children

FoundFlow is a workplace tool intended for hotel staff and is not directed to children.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be reflected by the “Last updated” date.

9. Contact

Questions about privacy: admin@foundflow.net