Qflo ("we", "us", "our") operates the queue management platform available at qflo.net, the Qflo mobile applications, the Qflo Station desktop application, and related kiosk interfaces (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your data.
By using the Service you acknowledge that you have read and understood this Privacy Policy. If you are a business using Qflo to manage queues ("Organization"), you are the data controller for the customer data processed through your queues; Qflo acts as a data processor on your behalf.
1. Data We Collect
1.1 Data provided by customers (visitors)
- Name — if entered at the kiosk or when joining a queue online (optional unless required by the business).
- Phone number — if entered for WhatsApp or SMS notifications (optional).
- Email address — if provided for appointment booking or notifications.
- Appointment details — date, time, service selected, and any notes you provide when booking.
1.2 Data generated by the Service
- Ticket data — ticket number, queue position, status (waiting, called, served, no-show), timestamps, assigned desk, and estimated wait time.
- Notification records — delivery status of WhatsApp, Messenger, and push notifications sent to you.
- QR tokens — unique tokens embedded in QR codes for ticket tracking. These do not contain personal information.
- Session identifiers — for WhatsApp and Messenger conversations linked to your ticket.
1.3 Data from business operators (staff)
- Account information — name, email address, and role within the organization.
- Authentication data — securely hashed passwords or third-party OAuth tokens.
- Activity logs — actions taken within the dashboard (calling tickets, completing service, etc.) for audit purposes.
1.4 Automatically collected data
- Device and browser information — browser type, operating system, screen resolution, and language preference.
- IP address — used for security, rate limiting, and approximate geolocation (country/region level only).
- Cookies — essential cookies for authentication and session management only. See Section 7.
2. How We Use Your Data
We use the collected data for the following purposes:
- Queue management — to issue tickets, track positions, assign desks, and manage the flow of visitors.
- Notifications — to send real-time updates about your queue status via WhatsApp, Facebook Messenger, push notifications, or on-screen displays.
- Appointment scheduling — to book, confirm, reschedule, and check in for appointments.
- Analytics and reporting — to provide businesses with aggregated, anonymized statistics about wait times, service duration, and visitor volume.
- Service improvement — to monitor performance, fix bugs, and improve the user experience.
- Security — to prevent fraud, detect abuse, and maintain the integrity of the platform.
We do not use your data for advertising, profiling, or automated decision-making.
3. Messaging & Notifications
Qflo can send queue updates through the following channels, only when you opt in:
- WhatsApp — powered by the WhatsApp Business API (operated by Meta Platforms, Inc.). When you provide your phone number for WhatsApp alerts, we share it with Meta solely to deliver queue notifications. Meta's own privacy policy applies to WhatsApp message delivery.
- Facebook Messenger — when you interact with our Messenger bot, Meta provides us with your Messenger user ID and display name. We use this only to send queue updates. We do not access your Facebook profile, friends list, or any other Facebook data.
- Push notifications — sent via web push or mobile push. You can revoke permission at any time through your browser or device settings.
You can stop receiving messages at any time by not providing your phone number, blocking the WhatsApp number, or unsubscribing from the Messenger bot. Notification preferences are per-ticket and are not stored beyond the lifecycle of your visit.
4. Data Sharing & Third-Party Processors
We do not sell, rent, or trade your personal data. We share data only with the following service providers who process it on our behalf:
| Provider | Purpose | Data shared |
|---|
| Supabase (AWS) | Database hosting, authentication, real-time subscriptions | All service data (encrypted at rest and in transit) |
| Vercel | Web application hosting, edge functions | HTTP request data, server-side logs |
| Meta Platforms | WhatsApp Business API, Messenger Platform | Phone number (WhatsApp), Messenger user ID |
| GitHub | Desktop app auto-updates | App version, OS type (no personal data) |
The business using Qflo to manage their queues may access the data you provide (name, phone, ticket status) through their dashboard. The business is the data controller for this data and their own privacy practices apply.
5. Data Retention
- Ticket and visit data — retained for up to 90 days for reporting purposes, then permanently deleted.
- Appointment data — retained until 30 days after the appointment date.
- Notification records — retained for 30 days.
- WhatsApp/Messenger session data — deleted within 24 hours after the visit is completed or the session expires.
- Staff account data — retained as long as the account is active. Deleted within 30 days of account closure.
- Anonymous analytics — aggregated data with no personal identifiers may be retained indefinitely.
6. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Database access is restricted by row-level security policies.
- Authentication uses industry-standard protocols (bcrypt hashing, JWT tokens).
- Staff access to customer data is limited by role-based permissions.
- We conduct regular security reviews and dependency audits.
No system is 100% secure. If you become aware of any security vulnerability, please contact us immediately at security@qflo.net.
7. Cookies
Qflo uses only essential cookies:
- Authentication cookies — to keep you signed in to the dashboard.
- Language preference — to remember your selected language (en, fr, ar).
- Session cookies — for CSRF protection and security.
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Portability — request your data in a machine-readable format.
- Restriction — request that we limit how we process your data.
- Objection — object to processing of your data for specific purposes.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@qflo.net. We will respond within 30 days.
If you are in the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority.
9. Children's Privacy
Qflo is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States and the European Union, where our infrastructure providers operate. We ensure that appropriate safeguards are in place (such as Standard Contractual Clauses) for any cross-border data transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact
For privacy-related questions or requests: