Privacy Policy

1. Who We Are — Data Controller Identity

Al Kays International LLC is the owner and operator of the FlowJuice AI brand and platform. We provide AI-powered business automation software and services to businesses in Oman and across the Gulf Cooperation Council (GCC) region.

For the purposes of the PDPL and this Privacy Policy:

• Registered name: Al Kays International LLC
• Trading name / brand: FlowJuice AI
• Website: https://flowjuice.ai
• Privacy contact email: info@flowjuice.ai
• VAT registration: Al Kays International LLC, Oman

When we collect or determine the purpose and means of processing personal data relating to our direct clients ("Business Clients") and visitors to our website, we act as the Data Controller.

When our Business Clients use the FlowJuice platform to process the personal data of their own end-customers (for example, managing CRM records or sending automated messages), we act as a Data Processor on behalf of those Business Clients. In that capacity, we process personal data strictly according to the instructions of the Business Client.

2. What Personal Data We Collect

We collect personal data in the following categories:

2.1 Business Client Data

Information provided to us when a business registers for or uses the FlowJuice platform:

• Full name and job title of the account holder or authorised representatives
• Business email address and phone number
• Company name, address, and commercial registration details
• Billing information (invoiced amounts; payment processing is handled by our payment provider and we do not store full card numbers)

2.2 End-Customer Data (Processed on Behalf of Business Clients)

When our Business Clients use the FlowJuice platform to operate their own customer-facing workflows, the platform may process the following personal data of their end-customers:

• Names, phone numbers, and email addresses stored in the CRM
• WhatsApp IDs and messaging history generated through WhatsApp Business API integrations
• Appointment and booking data including dates, times, and service details
• Conversation transcripts from AI chatbot interactions (web-based and WhatsApp)
• Voice call recordings from AI Voice interactions (inbound and outbound calls) — see Section 8 for important disclosures
• Custom data fields created by the Business Client within the platform

2.3 Website Visitor Data

When you visit https://flowjuice.ai, we may automatically collect:

• IP address and approximate geographic location
• Browser type, device type, and operating system
• Pages visited, time spent, and referring website (analytics data)
• Cookie identifiers — see Section 12 for full cookie details

2.4 Communication Data

If you contact us directly (e.g., via email, web form, or support ticket), we collect the content of your communication and any contact information you provide.

3. How We Collect Personal Data

We collect personal data through the following means:

• Directly from Business Clients — when signing up, configuring the platform, or contacting us
• Through the FlowJuice platform — when end-customers interact with automations, chatbots, booking calendars, or AI Voice features set up by a Business Client
• Via the FlowJuice website — through cookies, analytics tools, and any inquiry or contact forms
• Via Meta's WhatsApp Business API — messages sent to or from WhatsApp numbers connected to the platform are routed through Meta's infrastructure; see Section 9
• Via AI Voice calls — inbound calls answered by the AI, and outbound calls initiated by the AI on a Business Client's behalf, are processed and may be recorded; see Section 8

4. Why We Collect Personal Data — Legal Basis

Under the PDPL, we must have a lawful basis to process personal data. We rely on the following bases:

5. Cross-Border Data Transfer

FlowJuice operates using technology infrastructure provided by an upstream service provider whose servers are located in the United States of America. As a result, personal data processed through the FlowJuice platform — including CRM data, conversation transcripts, voice recordings, and appointment data — is transferred to and stored on servers in the United States.

We address this cross-border transfer through the following safeguards:

• Data Processing Agreements (DPAs) are in place with our upstream infrastructure provider, incorporating contractual protections for personal data
• Our upstream provider maintains industry-standard security certifications (including SOC 2 Type II compliance)
• Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access to personal data held by the infrastructure provider is restricted to authorised personnel on a need-to-know basis

By using the FlowJuice platform, Business Clients acknowledge and consent (on behalf of themselves and, where applicable, as data controllers for their end-customers' data) to this cross-border transfer, subject to the safeguards described above.

We do not transfer personal data to any other country outside of the processing described in this section without appropriate safeguards and, where required, the consent of the data subject.

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy, or as required by applicable law. The retention periods below are general defaults; Business Clients may request shorter retention periods for end-customer data by contacting us at info@flowjuice.ai.

When data is no longer required, it is securely deleted or anonymised. Where deletion is not immediately technically feasible (e.g., in backup archives), the data is isolated and protected from further active processing and deleted as soon as possible.

7. Your Rights Under the Oman PDPL

The Oman Personal Data Protection Law (Royal Decree 6/2022) grants individuals the following rights in relation to their personal data:

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you and information about how it is processed.

7.2 Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

7.3 Right to Erasure (Right to be Forgotten)

You have the right to request that we delete your personal data, where there is no legitimate reason for us to continue processing it, or where you have successfully exercised your right to object to processing.

7.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g., while the accuracy of data is being contested).

7.5 Right to Object

You have the right to object to processing based on legitimate interests, including profiling, where we cannot demonstrate compelling legitimate grounds that override your interests and rights.

7.6 Right to Data Portability

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

7.7 Rights Related to Automated Decision-Making

Where we make decisions about you using solely automated processing (including AI) that produce significant effects on you, you have the right to request human review of that decision.

To exercise any of these rights, please submit a written request to: info@flowjuice.ai. We will respond within 30 calendar days. In complex cases, we may extend this period by a further 30 days and will notify you if this applies.

Note for end-customers of Business Clients: If you are an end-customer of a business that uses the FlowJuice platform, your rights should primarily be exercised directly with that business (the Data Controller for your data). However, we will cooperate with and assist Business Clients in meeting their obligations to their end-customers.

8. Voice Recordings — AI Voice Calls

FlowJuice provides AI Voice capabilities that enable Business Clients to:

• Deploy AI agents to answer inbound telephone calls on their behalf
• Initiate outbound AI voice calls to their customers or prospects

In connection with these AI Voice features:

• Calls may be recorded — the full conversation may be captured as an audio recording
• Calls are transcribed — voice content is converted to text for processing and storage
• Transcripts may be used for quality assurance, training, dispute resolution, and to improve service delivery
• Voice recordings are stored on servers in the United States (see Section 5 — Cross-Border Data Transfer)
• Voice recordings are retained for up to 12 months and then permanently deleted, unless a shorter period is requested or a legal obligation requires a different period

Business Clients are responsible for:

• Informing callers at the start of any AI Voice call that the call is handled by an AI and may be recorded
• Obtaining any required consents from their customers or call recipients in accordance with applicable law
• Including appropriate disclosures in their own privacy policies

If you believe your voice was recorded without proper disclosure, please contact the business that operated the AI Voice service, or contact us at info@flowjuice.ai if you need further assistance.

9. WhatsApp Business API Data

FlowJuice integrates with the WhatsApp Business API to enable Business Clients to send and receive automated messages, deploy AI chatbots, and manage customer conversations via WhatsApp.

When WhatsApp integration is active:

• Messages sent to or from a WhatsApp Business number connected to the FlowJuice platform are transmitted via Meta Platforms' infrastructure under Meta's WhatsApp Business Terms of Service
• Message content and associated metadata (e.g., sender phone number, timestamp, message status) are stored within the FlowJuice platform on behalf of the Business Client
• FlowJuice does not independently access or use end-customer WhatsApp messages for any purpose other than delivering the service to the Business Client
• Opt-in and opt-out consent for WhatsApp communications is the responsibility of the Business Client, in accordance with WhatsApp Business policies and applicable law

Meta's privacy practices governing WhatsApp are available at https://www.whatsapp.com/legal/privacy-policy. FlowJuice is not responsible for Meta's data practices.

10. Third-Party Data Sharing

We do not sell, rent, or trade personal data. We share personal data only in the limited circumstances described below:

10.1 Upstream Technology Infrastructure Provider

Personal data processed through the FlowJuice platform is hosted on the infrastructure of our upstream technology platform partner, which provides the core CRM, automation, and communication engine that powers FlowJuice. This provider acts as a sub-processor under appropriate contractual arrangements. We do not identify this provider by name in this policy to maintain commercial confidentiality, but we are happy to provide further details to Business Clients upon request under a Data Processing Agreement.

10.2 Payment Processing

Billing and payment transactions are processed by our payment service provider(s). We share only the information necessary to complete a transaction. We do not store full card numbers.

10.3 Meta (WhatsApp Business API)

Message routing via WhatsApp involves transmission through Meta's infrastructure, as described in Section 9.

10.4 Legal Obligations

We may disclose personal data to competent Omani or other governmental authorities where required to do so by law, court order, or regulatory direction. We will inform the data subject of any such disclosure unless prohibited by law.

10.5 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our business, personal data may be transferred to the acquirer. We will notify affected parties and, where required, seek consent.

11. Security Measures

We take the security of personal data seriously and implement technical and organisational measures appropriate to the risk, including:

• Encryption in transit: all data transmitted between users and our platform is encrypted using TLS 1.2 or higher
• Encryption at rest: stored data is encrypted using AES-256 encryption
• Access controls: role-based access controls (RBAC) restrict access to personal data to authorised personnel only
• Authentication: multi-factor authentication (MFA) is available and encouraged for all platform accounts
• Audit logs: platform access and data processing activities are logged and monitored
• Infrastructure security: our upstream technology partner maintains SOC 2 Type II certification and undergoes regular independent security audits
• Incident response: we maintain a documented data breach response procedure and will notify affected parties and, where required, the relevant Omani authority, within the timeframes required by the PDPL

No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. If you believe your account or data has been compromised, please contact us immediately at info@flowjuice.ai.

12. Cookies and Website Analytics

When you visit https://flowjuice.ai, we use cookies and similar tracking technologies to operate and improve the website.

12.1 What Are Cookies?

Cookies are small text files placed on your device by a website. They allow the website to recognise your browser and remember certain information about your preferences and behaviour.

12.2 Types of Cookies We Use

12.3 Managing Cookies

You can manage or delete cookies through your browser settings. Please note that disabling cookies may affect the functionality of our website. You may also withdraw consent for non-essential cookies at any time via our cookie consent banner (displayed on your first visit).

12.4 Analytics Tools

We use web analytics services to understand how visitors use our site. Analytics data is aggregated and does not directly identify individuals. Analytics data is retained for up to 26 months.

13. How to Contact Us

For all privacy-related matters — including exercising your PDPL rights, raising a concern, or making a complaint — please contact us:

We will acknowledge your request within 5 working days and aim to provide a substantive response within 30 calendar days. If we need additional time, we will let you know.

If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority in the Sultanate of Oman.

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or best practices. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Post the revised policy on our website at https://flowjuice.ai/privacy-policy
• Notify Business Clients by email at the address registered to their account, for changes that significantly affect their rights or our data processing activities

We encourage you to review this policy periodically. Continued use of the FlowJuice platform or website after the effective date of a revised policy constitutes your acceptance of the changes.

15. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Sultanate of Oman, including the Personal Data Protection Law (Royal Decree 6/2022) and any regulations issued thereunder.

Any disputes arising from or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts of the Sultanate of Oman.

To the extent that our services are used by individuals in other GCC jurisdictions, we are committed to respecting applicable local data protection requirements.