Privacy Policy.
1. Who we are
Setflow AI LLC is a Montana limited liability company located at 1001 S Main Street, STE 600, Kalispell, MT 59901, United States ("Setflow," "we," "us"). We provide AI-powered DM conversion services for online coaching businesses. This Privacy Policy explains how we collect, use, share, and protect personal information.
If you have questions about this Policy, contact us at mohsinkhan@setflowai.net.
2. Scope
This Policy applies to:
- Our website at setflowai.net (and any predecessor or successor domain).
- Our AI appointment-setting service operated on behalf of coaching businesses ("Clients") through platforms including the Instagram Messaging API, Instagram Graph API, Messenger Platform, ManyChat, and other Meta-approved messaging integrations.
- Any individual ("Prospect") who interacts with our system via direct message on a Client's Instagram or Facebook account.
This Policy does not cover a Client's own privacy practices toward their Prospects. For Prospect conversation data, each Client is the data controller; Setflow acts as a data processor on the Client's behalf.
3. Information we collect
From Clients (coaching businesses)
- Identity and contact: name, email, phone, business name, billing address.
- Account access: Instagram business account ID, Facebook Page ID, ManyChat workspace, calendar booking tool, payment method.
- Business context: niche, offer details, target audience, ad spend, conversion metrics, sales data.
- Communications with us: emails, DMs, calls, support tickets.
From Prospects (leads in Client DMs)
While operating a Client's Instagram or Facebook messaging account on the Client's behalf, we receive:
- Instagram or Facebook username and public profile information.
- Message content (text, voice notes, images, video) sent to the Client's account.
- Timestamps, message status, and conversation metadata.
- Information Prospects voluntarily share in conversation, for example: name, fitness goals, schedule, budget.
We do not solicit, and do not knowingly process, sensitive categories of personal information (health diagnoses, government IDs, financial account numbers, biometric data). If a Prospect volunteers such information, we treat it with additional care and delete it on request.
From our website
- Standard server and access logs (IP address, browser, pages visited).
- Cookies for functional purposes only. We do not run advertising or third-party tracking pixels.
4. How we use this information
For Clients
- Deliver, configure, and operate the Service.
- Personalize the AI to the Client's voice, offer, and audience.
- Bill, account-manage, and respond to support requests.
- Improve performance through internal quality reviews.
- Comply with legal obligations.
For Prospects (on behalf of the Client)
- Respond to direct messages as the Client's representative.
- Qualify leads, answer questions, handle objections, and book calls.
- Pass conversation outcomes back to the Client (booking notifications, opt-outs, escalations).
We do not sell Prospect data. We do not use Prospect data for any purpose beyond operating the Client's conversion flow. Where AI models are used to generate responses, those models are invoked under no-training agreements with their providers (see Section 5).
5. Third parties we share with (sub-processors)
We rely on the following sub-processors to deliver the Service. None of them are authorized to use the data for their own purposes.
- Meta Platforms, Inc.: Instagram Messaging API, Instagram Graph API, Messenger Platform. Used to send and receive messages on Client accounts.
- ManyChat, Inc.: DM automation and message routing.
- Anthropic, PBC: Claude AI models used to generate conversation responses. Anthropic does not train on data submitted via API.
- OpenAI, L.L.C.: Fallback language model and audio transcription. Data submitted via OpenAI's API is not used to train OpenAI's models per their API terms.
- ElevenLabs, Inc.: Optional text-to-speech for voice notes, where enabled by the Client.
- n8n GmbH: Workflow orchestration platform hosting our automation logic.
- Redis Ltd.: Short-term conversation cache.
- Google LLC: Google Sheets for client KPI tracking; Gmail for support communications.
- Slack Technologies, LLC: Booking notifications and internal alerts.
- Stripe, Inc.: Payment processing for Client subscriptions.
- Netlify, Inc.: Website hosting.
We may also disclose information when required by law (subpoena, court order), to protect our rights or the safety of others, or in connection with a sale, merger, or reorganization of Setflow AI LLC.
6. Legal bases (EU/UK users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract: to provide the Service to Clients.
- Legitimate interests: to operate, secure, and improve the Service, and to carry out the lawful messaging activity Clients have engaged us to perform.
- Consent: where required (for example, direct marketing).
- Legal obligation: for tax, accounting, and compliance.
7. How long we keep your information
- Client account data: retained while the Client engagement is active and for 30 days after offboarding. Billing records may be retained longer to meet tax and accounting obligations (typically 7 years).
- Prospect conversation data: retained for the duration of the Client engagement and for 30 days after the Client offboards. After 30 days, conversation history is purged from our Redis cache, ManyChat exports, and internal stores. Aggregated, non-identifying statistics (such as booking-rate counts) may be retained indefinitely.
- Website logs: retained for up to 90 days.
- Deletion requests: processed within 30 days per Section 9 and our Data Deletion Instructions.
8. Security
We use access controls, encrypted credentials, scoped API tokens, encrypted-in-transit data flows (HTTPS and TLS), and least-privilege access between sub-processors. No system is 100% secure; we will notify affected parties of any security incident as required by applicable law.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Request deletion of your information.
- Object to or restrict processing.
- Receive your information in a portable format.
- Withdraw consent where processing is consent-based.
- Lodge a complaint with a supervisory authority.
To exercise these rights, email mohsinkhan@setflowai.net with the subject line "Privacy Request: [your request type]." Prospects may also use our Data Deletion Instructions. We respond within 30 days. We will verify your identity before acting on a request. For Prospects, we may need to coordinate with the Client whose account you messaged.
10. Children's data
The Service is not directed to anyone under 18. We do not knowingly collect information from minors. If you believe a minor has provided us information, contact us and we will delete it.
11. International transfers
Setflow AI is based in the United States. Our sub-processors may operate in the United States, the European Union, and other jurisdictions. Where personal information is transferred out of the EU or UK, we rely on appropriate safeguards (including Standard Contractual Clauses) with our sub-processors.
12. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated to active Clients by email; continued use of the Service after a change constitutes acceptance of the revised Policy.
13. Contact
Setflow AI LLC
1001 S Main Street, STE 600
Kalispell, MT 59901
United States
Email: mohsinkhan@setflowai.net