FosterFlow

Privacy Policy

Last updated: March 26, 2026

1. Introduction

FosterFlow ("we," "us," or "our") operates the FosterFlow platform at fosterflow.app and related subdomains. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service.

We take your privacy seriously. We collect the minimum data necessary to provide the Service and we do not sell personal information.

2. Information We Collect

Information you provide directly

  • Account information: Organization name, admin name, email address, hashed password, subdomain, EIN (optional), website URL (optional), city, and state — provided during signup.
  • Rescue data: Pet records, medical information, foster assignments, adoption applications, donor information, volunteer records, and other operational data you create within the Service.
  • Payment information: Billing details collected and processed by Stripe. We do not store full credit card numbers — Stripe handles all payment processing.
  • Communications: Messages you send us through the contact form or email.

Information collected automatically

  • Log data: IP addresses, browser type, pages visited, timestamps, and error logs, collected when you access the Service.
  • Cookies: Session cookies required for authentication. We do not use tracking cookies or advertising cookies.

3. How We Use Your Information

We use the information we collect to:

  • Provision and operate your FosterFlow instance
  • Process subscription payments through Stripe
  • Send transactional emails (account provisioning, trial reminders, subscription receipts)
  • Respond to support requests and contact form submissions
  • Monitor service health and diagnose technical problems
  • Comply with legal obligations

We do not use your data for advertising, profiling, or any purpose not listed here.

4. Rescue Organization Data (Tenant Data)

Each rescue organization using FosterFlow manages its own set of data ("Tenant Data"), including adopter information, applicant information, donor information, and pet records. This data belongs to the rescue organization (the Tenant), not to FosterFlow.

As the Tenant, you are the data controller for all personal information you collect from your adopters, fosters, volunteers, and donors. You are responsible for obtaining any necessary consents and complying with applicable privacy laws with respect to that data.

FosterFlow acts as a data processor for Tenant Data — we store and process it only as directed by the Tenant and only to provide the Service.

5. Third-Party Service Providers

We share data with the following third parties as necessary to provide the Service:

  • Stripe: Payment processing for subscriptions. Stripe's privacy policy applies to payment data. See stripe.com/privacy.
  • Email provider (SMTP): Transactional emails are sent through a configured SMTP provider. Email content is limited to account-related notifications.
  • Infrastructure providers: Hosting, database, and server infrastructure. These providers are contractually bound to protect data in accordance with applicable laws.

We do not share data with data brokers, advertising networks, or analytics platforms.

6. Cookies

We use only session cookies required for authentication. These cookies are deleted when you log out or when your session expires. We do not use persistent tracking cookies, analytics cookies, or advertising cookies.

If you block session cookies in your browser, you will not be able to log in to the Service.

7. Data Retention

  • Active accounts: Data is retained for as long as your account is active.
  • Cancelled accounts: Data is retained for 30 days after cancellation to allow for export. After 30 days, all data is permanently deleted.
  • Expired trials: Trial account data is deleted 14 days after trial expiration if no subscription is started.
  • Contact form submissions: Retained for up to 1 year.

8. Data Security

We implement industry-standard security measures including:

  • TLS encryption for all data in transit
  • Encrypted passwords using Argon2id
  • Isolated per-tenant databases
  • Daily automated backups
  • Access controls limiting employee access to production data

No system is 100% secure. In the event of a data breach, we will notify affected users within 72 hours of becoming aware, as required by applicable law.

9. Your Rights (GDPR/CCPA)

Depending on your location, you may have the following rights with respect to your personal data:

  • Access: Request a copy of personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data, subject to legal retention obligations.
  • Portability: Request your data in a machine-readable format. FosterFlow provides CSV exports for all data.
  • Objection: Object to certain processing activities.

To exercise these rights, contact us at hello@fosterflow.app. We will respond within 30 days.

California residents: Under the CCPA, you have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale (we do not sell personal information).

10. Children's Privacy

The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us immediately.

11. International Data Transfers

FosterFlow is operated from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the US. By using the Service, you consent to this transfer.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact

For privacy-related questions, requests, or concerns, contact us at: hello@fosterflow.app.