hiflo/Legal · Privacy Policy

Privacy Policy.

How Dripex Labs Inc., doing business as hiflo, collects, uses, discloses and protects Personal Information across hiflo.io, app.hiflo.io, our applications, APIs, AI features and related services.

26 Jun 2026last updated
18 sec.sections · in this policy
CCPA · POPIAaware · u.s. market
LAST UPDATED · 26 JUNE 2026

This Privacy Policy explains how Dripex Labs Inc., a Delaware corporation doing business as hiflo (“hiflo”, “we”, “us” or “our”), collects, uses, discloses and protects Personal Information when you visit hiflo.io, use app.hiflo.io, access our applications, APIs, AI features, websites, support channels or related services (collectively, the “Services”).

hiflo is an AI-assisted human-resources software-as-a-service platform. Because our Services may be used by organizations to manage employee, contractor, applicant, HR, onboarding, leave, document, survey, skills, performance and related records, this Privacy Policy distinguishes between (1) account, website, billing, marketing and business-contact information that we process for our own business purposes; and (2) Customer Data that we process on behalf of our business customers through the Services.

When we process Customer Data on behalf of a customer, the customer is generally the controller, business or responsible party, and hiflo acts as the processor, service provider, contractor or operator. Our processing of Customer Data is governed by our Terms of Service, our Data Processing Addendum and the customer's instructions.

Are you an employee or applicant? If your information is processed by one of our customers through hiflo, please contact that customer first to exercise privacy rights relating to your HR or employment records. We will assist our customer as required by applicable law and our DPA. This Privacy Policy is intended for the United States market, while also addressing certain international privacy concepts where relevant.
01

Definitions

“Authorized User” means an employee, contractor, administrator, agent or other individual authorized by a customer to access the Services.

“Customer” means the business, organization or legal entity that has created an account, selected a plan, signed an order form or otherwise uses the Services.

“Customer Data” means data, content, documents, files, records, prompts, AI inputs, AI outputs and Personal Information submitted to, stored in or processed through the Services by or on behalf of a Customer or its Authorized Users.

“Personal Information” or “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual, household or device.

“Sensitive Personal Information” means Personal Information that applicable law treats as sensitive, including certain government identifiers, account login credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, health information, biometric information, genetic information, contents of communications, sexual orientation, citizenship or immigration status, and children's data.

02

Scope

This Privacy Policy applies to Personal Information we collect or process when you:

  • Visit our public websites;
  • Create or use a hiflo account;
  • Use the Services as a Customer or Authorized User;
  • Communicate with us by email, chat, phone, form, social media or support channels;
  • Subscribe to marketing communications;
  • Attend a webinar, demo or event;
  • Use integrations, APIs or AI features, including Flo; or
  • Otherwise interact with hiflo.

This Privacy Policy does not apply to third-party websites, services, integrations or platforms that we do not control. Those third parties are responsible for their own privacy practices.

03

Information We Collect

3.1 Information you provide directly

We may collect Personal Information you provide directly, including:

  • Account information: name, business email address, phone number, password or authentication details, company name, role, team, plan information and account settings.
  • Organization information: company name, size, billing address, country, tax information, subscription details and administrator details.
  • Billing information: payment status, invoices, transaction records and limited payment metadata. Full payment card details are processed by our payment processor, and we do not intentionally store full card numbers.
  • Communications: emails, support tickets, chat messages, survey responses, demo requests, sales inquiries, feedback and other communications with us.
  • Customer Data: information submitted by Customers or Authorized Users through the Services, including HR, employee, contractor, applicant, onboarding, leave, document, survey, skills, performance, policy and workflow information.
  • AI inputs and outputs: prompts, files, instructions, questions, generated responses, summaries, suggestions and related metadata submitted to or generated by Flo or other AI features.

3.2 Information collected automatically

When you use our websites or Services, we and our service providers may automatically collect:

  • Device and browser information: IP address, device identifiers, browser type, operating system, screen size, language, time zone and similar technical information.
  • Usage data: pages viewed, features used, links clicked, workflows created, errors, access times, referring URLs and interactions with the Services.
  • Log and security data: login history, authentication events, audit logs, session information, API calls, error logs, system activity and security signals.
  • Approximate location: approximate location inferred from IP address or similar technical signals.
  • Cookie and tracking data: information collected through cookies, pixels, SDKs, local storage and similar technologies.

3.3 Information from Customers, Authorized Users and third parties

We may receive Personal Information from:

  • Customers who create accounts, invite Authorized Users or upload Customer Data;
  • Authorized Users who use or administer the Services;
  • Third-party identity providers, single sign-on providers or authentication services;
  • Payment processors, fraud-prevention providers and billing systems;
  • Customer-selected integrations and connected services;
  • Marketing, analytics, enrichment and lead-generation providers;
  • Public sources, such as company websites, professional networks and public business records; and
  • Referral partners, resellers, affiliates, consultants or event organizers.
04

Customer Data and HR Data

Customer Data may include Personal Information about a Customer's employees, contractors, applicants or other workforce-related individuals. Customers decide what Customer Data they submit to the Services and are responsible for providing required notices, obtaining required consents, selecting appropriate configurations, assigning user permissions and complying with employment, labor, privacy and data-protection laws.

For Customer Data, hiflo generally processes Personal Information as a processor, service provider, contractor or operator on behalf of the Customer. We use Customer Data to provide, secure, support, maintain and improve the Services, comply with law, prevent abuse, and as otherwise permitted by the Terms, DPA or Customer instructions.

We do not sell Customer Data. We do not share Customer Data, HR data, employee records, AI prompts or AI outputs for cross-context behavioral advertising. We do not use Customer Data to train third-party foundation models or general-purpose AI models unless the Customer has expressly opted in or agreed in writing.

05

How We Use Personal Information

We may use Personal Information for the following purposes:

  • Provide the Services: create and manage accounts, authenticate users, provide HR workflows, process Customer Data, enable features, deliver AI functionality and maintain the platform.
  • Administer Customers and subscriptions: manage plans, billing, renewals, invoices, payment status, taxes, support and customer communications.
  • Support and communicate: respond to support requests, troubleshoot issues, provide updates, send service notices and deliver administrative messages.
  • Security and reliability: protect accounts, detect fraud, abuse or security incidents, monitor systems, debug errors, prevent unauthorized access and enforce our Terms.
  • AI features: process AI inputs and outputs to provide Flo and related AI features, generate responses, improve safety and prevent misuse.
  • Product analytics and improvement: understand usage, improve workflows, test features, analyze performance, develop new features and improve the Services.
  • Marketing and sales: send product updates, newsletters, event invitations, promotional communications and sales messages, where permitted by law.
  • Website analytics and advertising: measure website performance, understand marketing effectiveness and, where enabled, deliver or measure ads on our public website.
  • Legal and compliance: comply with legal obligations, respond to lawful requests, enforce agreements, resolve disputes and protect rights, safety and property.
  • De-identified and aggregated data: create and use data that does not identify Customers, Authorized Users or individuals to operate, analyze, benchmark, improve and market the Services.
06

AI Features

Flo and other AI features may process Customer Data, prompts, files, instructions, questions and related context submitted by Customers and Authorized Users.

AI outputs may be incomplete, inaccurate, biased, outdated or unsuitable for a particular use. Customers are responsible for human review and for all employment, HR, compliance, disciplinary, compensation, promotion, termination, leave, benefits, hiring, performance-management and other workplace decisions made using or informed by the Services.

Unless a Customer has expressly opted in or agreed in writing, hiflo will not use Customer Data, HR data, AI prompts or AI outputs to train third-party foundation models or general-purpose AI models. We may use aggregated or de-identified data to improve the Services, provided that it does not identify a Customer, Authorized User or individual.

AI features may rely on third-party AI providers acting as subprocessors or service providers. Those providers may process AI inputs and outputs as necessary to provide the AI functionality, subject to contractual restrictions and the DPA.

07

Cookies and Similar Technologies

We and our service providers may use cookies, pixels, local storage, SDKs and similar technologies for:

  • Essential website and application functionality;
  • Authentication, session management and security;
  • Preferences and settings;
  • Analytics and performance measurement;
  • Product improvement;
  • Marketing attribution; and
  • Advertising on our public website, where enabled.

You can control cookies through your browser settings. Where required by law, we will provide a cookie banner, consent tool or privacy choices mechanism. If your browser or device sends a legally recognized opt-out preference signal, such as Global Privacy Control, we will treat it as required by applicable law.

As of the Last Updated date, we do not sell Personal Information for money. We may use analytics and advertising technologies on our public website that could be considered a “sale”, “sharing” or “targeted advertising” under some U.S. state privacy laws. We do not sell or share Customer Data, HR data, employee records, AI prompts, AI outputs or Sensitive Personal Information for cross-context behavioral advertising.

To exercise opt-out rights, email privacy@hiflo.io with the subject line “Privacy Choices” or use any privacy choices mechanism we make available.

08

How We Disclose Personal Information

We may disclose Personal Information to the following categories of recipients:

  • Service providers and subprocessors: hosting, infrastructure, database, storage, AI, analytics, security, email, support, payment, billing, monitoring and other vendors that help us provide the Services.
  • Customers and account administrators: Customers and administrators may access Customer Data, Authorized User activity, settings, audit logs and account information associated with their account.
  • Customer-selected integrations: when a Customer enables an integration or directs us to transmit data to a third-party service.
  • Payment processors: to process payments, prevent fraud, manage subscriptions and issue invoices.
  • Professional advisers: lawyers, auditors, insurers, accountants, bankers and other advisers.
  • Affiliates and contractors: entities or personnel working on our behalf under confidentiality and data-protection obligations.
  • Legal, safety and compliance recipients: courts, regulators, law enforcement, government authorities or other parties where we believe disclosure is required or appropriate to comply with law, enforce agreements, protect rights, prevent harm, investigate fraud or address security issues.
  • Business transaction parties: in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets or similar transaction.
  • With consent or direction: where you or the Customer direct us or consent to the disclosure.

We do not disclose Customer Data to third parties for their independent marketing purposes.

09

Data Retention

We retain Personal Information for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods depend on the type of information and context, including:

  • Account and organization information is generally retained for the duration of the customer relationship and for a reasonable period afterward for legal, tax, accounting, dispute-resolution and business-record purposes.
  • Billing and transaction records are generally retained as needed for tax, accounting, audit and legal purposes.
  • Customer Data is retained according to the Customer's subscription, the Terms, the DPA, Customer instructions, backup cycles and applicable law. After termination, we generally make Customer Data available for export for 30 days, unless the Terms, DPA or a signed agreement states otherwise.
  • Security, audit and system logs are retained as needed to protect the Services, investigate incidents, comply with law and maintain reliability.
  • Marketing contact information is retained until you unsubscribe, request deletion or we determine it is no longer needed.
  • De-identified and aggregated data may be retained without time limitation where permitted by law.

When we no longer need Personal Information, we will delete, de-identify or aggregate it, subject to technical, legal and backup limitations.

10

Security

We maintain commercially reasonable technical and organizational safeguards designed to protect Personal Information and Customer Data. These safeguards may include access controls, encryption, tenant isolation, logging, monitoring, vulnerability management, secure development practices, backup procedures and incident response processes.

No system is completely secure. Customers are responsible for managing Authorized User access, using strong authentication, configuring permissions, protecting their own systems and devices, and ensuring that Customer Data submitted to the Services is appropriate for processing.

If you believe your account or information has been compromised, contact security@hiflo.io immediately.

11

International Transfers

Dripex Labs Inc. is organized in the United States. We and our service providers may process Personal Information in the United States, South Africa and other countries where we or our service providers operate. These countries may have data-protection laws that differ from the laws where you are located.

Where required by applicable law, we will use appropriate safeguards for cross-border transfers of Personal Information.

12

U.S. State Privacy Notice

This section provides additional information for residents of U.S. states with comprehensive privacy laws, including California. Some rights apply only if hiflo is subject to the relevant law and only to certain types of Personal Information.

12.1 Categories of Personal Information

The following table describes categories of Personal Information we may collect, use and disclose. The examples are illustrative and not every category applies to every individual.

CategoryExamplesSourcesPurposesCategories of recipientsSold or shared for cross-context behavioral advertising?
IdentifiersName, business email, phone number, IP address, account ID, company, billing addressYou, Customer, Authorized Users, devices, service providers, public sourcesProvide Services, account management, support, security, billing, marketingService providers, Customers/admins, payment processors, advisers, legal recipients, transaction partiesNot sold for money. Website identifiers may be shared through advertising or analytics technologies where enabled.
Customer records and commercial informationSubscription details, invoices, plan, payment status, support records, transaction historyYou, Customer, payment processor, support systemsBilling, account administration, support, compliance, dispute resolutionService providers, payment processors, advisers, legal recipientsNo
Internet or network activityDevice data, logs, feature usage, pages viewed, cookie IDs, session data, authentication eventsDevices, browsers, cookies, service providersSecurity, analytics, debugging, product improvement, marketing attributionService providers, analytics providers, security providersWebsite activity may be shared through advertising or analytics technologies where enabled.
Approximate geolocationApproximate location inferred from IP addressDevices, browsers, service providersSecurity, localization, analytics, fraud preventionService providers, security providersWebsite data may be shared through advertising or analytics technologies where enabled.
Professional or employment-related informationJob title, employer, department, role, work email, HR records submitted by CustomersYou, Customer, Authorized UsersProvide Services, administer accounts, HR workflows, Customer instructionsService providers, Customers/admins, Customer-selected integrationsNo for Customer Data and HR data
Education, skills and performance informationSkills, training, certifications, performance information or survey data submitted by CustomersCustomer, Authorized UsersProvide Services, HR workflows, analytics at Customer directionService providers, Customers/admins, Customer-selected integrationsNo
CommunicationsEmails, support tickets, chat messages, forms, feedback, call notesYou, Customer, Authorized Users, service providersSupport, sales, troubleshooting, legal compliance, service improvementService providers, advisers, legal recipientsNo
InferencesProduct usage trends, account health, likely interests in hiflo products, marketing segmentsUsage data, website analytics, communicationsProduct improvement, customer success, marketing, salesService providers, analytics providersWebsite marketing inferences may be shared through advertising technologies where enabled.
Sensitive Personal InformationAccount login credentials, contents of communications, and any sensitive data submitted by Customers, such as health, union, citizenship or other sensitive HR dataYou, Customer, Authorized UsersProvide Services, security, Customer instructions, legal complianceService providers, Customers/admins, Customer-selected integrations, legal recipientsNo

We do not use or disclose Sensitive Personal Information to infer characteristics about an individual except where permitted by law or directed by a Customer in connection with the Services.

12.2 Your privacy rights

Depending on your state of residence and the type of Personal Information involved, you may have the right to:

  • Know or confirm whether we process your Personal Information;
  • Access the Personal Information we maintain about you;
  • Request deletion of Personal Information;
  • Request correction of inaccurate Personal Information;
  • Obtain a portable copy of certain Personal Information;
  • Opt out of sale, sharing, targeted advertising or certain profiling;
  • Limit certain uses or disclosures of Sensitive Personal Information;
  • Appeal a denial of a privacy request, where applicable; and
  • Be free from unlawful discrimination or retaliation for exercising privacy rights.

To exercise these rights, email privacy@hiflo.io. Please include your name, email address, state of residence, relationship to hiflo and the right you want to exercise.

If your request relates to Customer Data controlled by one of our Customers, we may direct you to that Customer or process the request on the Customer's instructions.

12.3 Verification and authorized agents

We may verify your identity before fulfilling a request. Depending on the request, we may ask for information that allows us to reasonably verify you are the person about whom we collected Personal Information. We will use verification information only to verify and process the request, except as permitted by law.

You may use an authorized agent where permitted by law. We may require proof of the agent's authority and may require you to verify your identity directly with us.

12.4 Appeals

If applicable law gives you the right to appeal a denied request, you may appeal by emailing privacy@hiflo.io with the subject line “Privacy Appeal”. We will review and respond as required by applicable law.

12.5 No financial incentives

We do not offer financial incentives or price or service differences in exchange for the collection, retention, sale or sharing of Personal Information.

13

California Notice at Collection

For California residents, the categories of Personal Information we may collect, the purposes for collection and use, and the categories of third parties to whom we disclose information are described in Section 12 above.

We collect Personal Information for the business and commercial purposes described in this Privacy Policy, including providing the Services, account administration, billing, support, security, analytics, marketing, legal compliance and business operations.

We retain Personal Information as described in Section 9.

We do not sell Personal Information for money. We may use analytics and advertising technologies on our public website that could be considered a sale or sharing under California law. We do not sell or share Customer Data, HR data, employee records, AI prompts, AI outputs or Sensitive Personal Information for cross-context behavioral advertising.

California residents may exercise the rights described in Section 12 by emailing privacy@hiflo.io.

14

Regulated and Sensitive Data

Unless a written agreement expressly permits it, Customers must not submit to the Services:

  • Protected health information subject to HIPAA;
  • Consumer reports or background-check information subject to the Fair Credit Reporting Act;
  • Payment card data subject to PCI DSS;
  • Biometric identifiers used to identify individuals;
  • Children's data;
  • Government-issued identification numbers;
  • Immigration documents;
  • Authentication secrets; or
  • Other highly sensitive data not required for the applicable hiflo feature.

hiflo is not a HIPAA business associate unless we sign a separate business associate agreement. hiflo is not a consumer reporting agency and the Services are not intended to be used to obtain, provide or make decisions based on consumer reports.

15

Marketing Communications

You may unsubscribe from marketing emails by using the unsubscribe link in the email or by contacting privacy@hiflo.io. We may still send non-marketing messages, such as account, security, billing, legal and service communications.

16

Children’s Privacy

The Services are intended for business use and are not directed to children. Individuals under 18 may not create accounts. We do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information to hiflo, contact privacy@hiflo.io and we will take appropriate steps to delete it.

17

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services, by email, by posting an updated version or by another reasonable method. The updated Privacy Policy will be effective on the date stated above unless otherwise stated.

18

Contact Us

For privacy questions or requests, contact us at:

  • Dripex Labs Inc.
  • 1908 Thomes Ave STE 12295, Cheyenne, WY 82001, United States
  • Privacy: privacy@hiflo.io
  • Legal: legal@hiflo.io
  • Security: security@hiflo.io
  • Website: https://hiflo.io
Dripex Labs Inc. · 1908 Thomes Ave STE 12295, Cheyenne, WY 82001, United States · hiflo.io · privacy@hiflo.io

Questions about your privacy?

Exercising a privacy right or have a data-protection question? Reach our team at privacy@hiflo.io.

Start free