How Dripex Labs Inc., doing business as hiflo, collects, uses, discloses and protects Personal Information across hiflo.io, app.hiflo.io, our applications, APIs, AI features and related services.
This Privacy Policy explains how Dripex Labs Inc., a Delaware corporation doing business as hiflo (“hiflo”, “we”, “us” or “our”), collects, uses, discloses and protects Personal Information when you visit hiflo.io, use app.hiflo.io, access our applications, APIs, AI features, websites, support channels or related services (collectively, the “Services”).
hiflo is an AI-assisted human-resources software-as-a-service platform. Because our Services may be used by organizations to manage employee, contractor, applicant, HR, onboarding, leave, document, survey, skills, performance and related records, this Privacy Policy distinguishes between (1) account, website, billing, marketing and business-contact information that we process for our own business purposes; and (2) Customer Data that we process on behalf of our business customers through the Services.
When we process Customer Data on behalf of a customer, the customer is generally the controller, business or responsible party, and hiflo acts as the processor, service provider, contractor or operator. Our processing of Customer Data is governed by our Terms of Service, our Data Processing Addendum and the customer's instructions.
“Authorized User” means an employee, contractor, administrator, agent or other individual authorized by a customer to access the Services.
“Customer” means the business, organization or legal entity that has created an account, selected a plan, signed an order form or otherwise uses the Services.
“Customer Data” means data, content, documents, files, records, prompts, AI inputs, AI outputs and Personal Information submitted to, stored in or processed through the Services by or on behalf of a Customer or its Authorized Users.
“Personal Information” or “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual, household or device.
“Sensitive Personal Information” means Personal Information that applicable law treats as sensitive, including certain government identifiers, account login credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, health information, biometric information, genetic information, contents of communications, sexual orientation, citizenship or immigration status, and children's data.
This Privacy Policy applies to Personal Information we collect or process when you:
This Privacy Policy does not apply to third-party websites, services, integrations or platforms that we do not control. Those third parties are responsible for their own privacy practices.
We may collect Personal Information you provide directly, including:
When you use our websites or Services, we and our service providers may automatically collect:
We may receive Personal Information from:
Customer Data may include Personal Information about a Customer's employees, contractors, applicants or other workforce-related individuals. Customers decide what Customer Data they submit to the Services and are responsible for providing required notices, obtaining required consents, selecting appropriate configurations, assigning user permissions and complying with employment, labor, privacy and data-protection laws.
For Customer Data, hiflo generally processes Personal Information as a processor, service provider, contractor or operator on behalf of the Customer. We use Customer Data to provide, secure, support, maintain and improve the Services, comply with law, prevent abuse, and as otherwise permitted by the Terms, DPA or Customer instructions.
We do not sell Customer Data. We do not share Customer Data, HR data, employee records, AI prompts or AI outputs for cross-context behavioral advertising. We do not use Customer Data to train third-party foundation models or general-purpose AI models unless the Customer has expressly opted in or agreed in writing.
We may use Personal Information for the following purposes:
Flo and other AI features may process Customer Data, prompts, files, instructions, questions and related context submitted by Customers and Authorized Users.
AI outputs may be incomplete, inaccurate, biased, outdated or unsuitable for a particular use. Customers are responsible for human review and for all employment, HR, compliance, disciplinary, compensation, promotion, termination, leave, benefits, hiring, performance-management and other workplace decisions made using or informed by the Services.
Unless a Customer has expressly opted in or agreed in writing, hiflo will not use Customer Data, HR data, AI prompts or AI outputs to train third-party foundation models or general-purpose AI models. We may use aggregated or de-identified data to improve the Services, provided that it does not identify a Customer, Authorized User or individual.
AI features may rely on third-party AI providers acting as subprocessors or service providers. Those providers may process AI inputs and outputs as necessary to provide the AI functionality, subject to contractual restrictions and the DPA.
We may disclose Personal Information to the following categories of recipients:
We do not disclose Customer Data to third parties for their independent marketing purposes.
We retain Personal Information for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention periods depend on the type of information and context, including:
When we no longer need Personal Information, we will delete, de-identify or aggregate it, subject to technical, legal and backup limitations.
We maintain commercially reasonable technical and organizational safeguards designed to protect Personal Information and Customer Data. These safeguards may include access controls, encryption, tenant isolation, logging, monitoring, vulnerability management, secure development practices, backup procedures and incident response processes.
No system is completely secure. Customers are responsible for managing Authorized User access, using strong authentication, configuring permissions, protecting their own systems and devices, and ensuring that Customer Data submitted to the Services is appropriate for processing.
If you believe your account or information has been compromised, contact security@hiflo.io immediately.
Dripex Labs Inc. is organized in the United States. We and our service providers may process Personal Information in the United States, South Africa and other countries where we or our service providers operate. These countries may have data-protection laws that differ from the laws where you are located.
Where required by applicable law, we will use appropriate safeguards for cross-border transfers of Personal Information.
This section provides additional information for residents of U.S. states with comprehensive privacy laws, including California. Some rights apply only if hiflo is subject to the relevant law and only to certain types of Personal Information.
The following table describes categories of Personal Information we may collect, use and disclose. The examples are illustrative and not every category applies to every individual.
| Category | Examples | Sources | Purposes | Categories of recipients | Sold or shared for cross-context behavioral advertising? |
|---|---|---|---|---|---|
| Identifiers | Name, business email, phone number, IP address, account ID, company, billing address | You, Customer, Authorized Users, devices, service providers, public sources | Provide Services, account management, support, security, billing, marketing | Service providers, Customers/admins, payment processors, advisers, legal recipients, transaction parties | Not sold for money. Website identifiers may be shared through advertising or analytics technologies where enabled. |
| Customer records and commercial information | Subscription details, invoices, plan, payment status, support records, transaction history | You, Customer, payment processor, support systems | Billing, account administration, support, compliance, dispute resolution | Service providers, payment processors, advisers, legal recipients | No |
| Internet or network activity | Device data, logs, feature usage, pages viewed, cookie IDs, session data, authentication events | Devices, browsers, cookies, service providers | Security, analytics, debugging, product improvement, marketing attribution | Service providers, analytics providers, security providers | Website activity may be shared through advertising or analytics technologies where enabled. |
| Approximate geolocation | Approximate location inferred from IP address | Devices, browsers, service providers | Security, localization, analytics, fraud prevention | Service providers, security providers | Website data may be shared through advertising or analytics technologies where enabled. |
| Professional or employment-related information | Job title, employer, department, role, work email, HR records submitted by Customers | You, Customer, Authorized Users | Provide Services, administer accounts, HR workflows, Customer instructions | Service providers, Customers/admins, Customer-selected integrations | No for Customer Data and HR data |
| Education, skills and performance information | Skills, training, certifications, performance information or survey data submitted by Customers | Customer, Authorized Users | Provide Services, HR workflows, analytics at Customer direction | Service providers, Customers/admins, Customer-selected integrations | No |
| Communications | Emails, support tickets, chat messages, forms, feedback, call notes | You, Customer, Authorized Users, service providers | Support, sales, troubleshooting, legal compliance, service improvement | Service providers, advisers, legal recipients | No |
| Inferences | Product usage trends, account health, likely interests in hiflo products, marketing segments | Usage data, website analytics, communications | Product improvement, customer success, marketing, sales | Service providers, analytics providers | Website marketing inferences may be shared through advertising technologies where enabled. |
| Sensitive Personal Information | Account login credentials, contents of communications, and any sensitive data submitted by Customers, such as health, union, citizenship or other sensitive HR data | You, Customer, Authorized Users | Provide Services, security, Customer instructions, legal compliance | Service providers, Customers/admins, Customer-selected integrations, legal recipients | No |
We do not use or disclose Sensitive Personal Information to infer characteristics about an individual except where permitted by law or directed by a Customer in connection with the Services.
Depending on your state of residence and the type of Personal Information involved, you may have the right to:
To exercise these rights, email privacy@hiflo.io. Please include your name, email address, state of residence, relationship to hiflo and the right you want to exercise.
If your request relates to Customer Data controlled by one of our Customers, we may direct you to that Customer or process the request on the Customer's instructions.
We may verify your identity before fulfilling a request. Depending on the request, we may ask for information that allows us to reasonably verify you are the person about whom we collected Personal Information. We will use verification information only to verify and process the request, except as permitted by law.
You may use an authorized agent where permitted by law. We may require proof of the agent's authority and may require you to verify your identity directly with us.
If applicable law gives you the right to appeal a denied request, you may appeal by emailing privacy@hiflo.io with the subject line “Privacy Appeal”. We will review and respond as required by applicable law.
We do not offer financial incentives or price or service differences in exchange for the collection, retention, sale or sharing of Personal Information.
For California residents, the categories of Personal Information we may collect, the purposes for collection and use, and the categories of third parties to whom we disclose information are described in Section 12 above.
We collect Personal Information for the business and commercial purposes described in this Privacy Policy, including providing the Services, account administration, billing, support, security, analytics, marketing, legal compliance and business operations.
We retain Personal Information as described in Section 9.
We do not sell Personal Information for money. We may use analytics and advertising technologies on our public website that could be considered a sale or sharing under California law. We do not sell or share Customer Data, HR data, employee records, AI prompts, AI outputs or Sensitive Personal Information for cross-context behavioral advertising.
California residents may exercise the rights described in Section 12 by emailing privacy@hiflo.io.
Unless a written agreement expressly permits it, Customers must not submit to the Services:
hiflo is not a HIPAA business associate unless we sign a separate business associate agreement. hiflo is not a consumer reporting agency and the Services are not intended to be used to obtain, provide or make decisions based on consumer reports.
You may unsubscribe from marketing emails by using the unsubscribe link in the email or by contacting privacy@hiflo.io. We may still send non-marketing messages, such as account, security, billing, legal and service communications.
The Services are intended for business use and are not directed to children. Individuals under 18 may not create accounts. We do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information to hiflo, contact privacy@hiflo.io and we will take appropriate steps to delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services, by email, by posting an updated version or by another reasonable method. The updated Privacy Policy will be effective on the date stated above unless otherwise stated.
For privacy questions or requests, contact us at:
Exercising a privacy right or have a data-protection question? Reach our team at privacy@hiflo.io.