Legal

Terms of service

Last updated: 11 July 2026. These terms govern your use of Executive Flow (the "Service"). They incorporate our Privacy notice, Cookie notice and Data Processing Addendum, and are designed to be compliant with the UK GDPR, the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018 and the ePrivacy rules on cookies and electronic communications. Words in [square brackets] must be completed by the operator of this instance before publication and should be reviewed by qualified legal counsel.

1. Parties and definitions

"We", "us" and "our" mean TBC (controller name to be confirmed before go-live), operating in the United Kingdom, acting as the controller of your account data and as processor for content you enter into the Service. "You" means the individual accepting these terms and, where applicable, the organisation you represent. "Personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meanings given in Article 4 UK/EU GDPR.

2. Acceptance and eligibility

By creating an account or using the Service you confirm that you are at least 16 years old (or the applicable digital-consent age in your country) and that you accept these terms. If you use the Service on behalf of an organisation, you confirm that you have authority to bind that organisation.

3. The Service

Executive Flow provides productivity tools including meeting management, email drafting, briefing generation, relationship intelligence, task tracking and other AI-assisted workflows. AI features produce drafts for your review only; nothing is sent, published or downloaded on your behalf without your explicit approval in the preview step.

4. Your account

You are responsible for keeping your credentials secure and for all activity that occurs under your account. You must notify us without undue delay of any suspected unauthorised access, which may constitute a personal-data breach under Article 33 GDPR and trigger our notification obligations.

5. Acceptable use

6. AI-generated content and human oversight

Every AI output in the Service is a draft. You must review each draft in the approval and preview step before sending an email, downloading a document or otherwise acting on it. You remain responsible for anything you approve. The model, inputs used and permissions granted to the AI are surfaced in the preview panel so you can exercise meaningful human oversight consistent with Article 22 GDPR and the transparency principle in Article 5(1)(a).

7. Your content and licence

You retain all rights in the content you create in the Service. You grant us a limited, worldwide, royalty-free licence to host, store, transmit and process that content solely to provide, secure and support the Service. We do not sell your content and do not use it to train third-party AI models.

8. Data protection (GDPR)

8.1 Roles. For your account and billing data we act as controller. For content you enter into the Service (including contacts, meetings, notes and AI prompts), we act as processor on your behalf; you are the controller and determine the purposes and means of processing. The Data Processing Addendum at /dpa forms part of these terms and satisfies Article 28 GDPR.

8.2 Lawful bases. We rely on: performance of this contract (Article 6(1)(b)) to deliver the Service; legitimate interests (Article 6(1)(f)) for security, fraud prevention and product improvement; consent (Article 6(1)(a)) for non-essential cookies and optional AI features; and legal obligation (Article 6(1)(c)) where the law requires us to retain or disclose data.

8.3 Data minimisation and purpose limitation. Executive Flow currently stores your operational data in your browser (local storage). We do not collect personal data beyond what is necessary for the features you use.

8.4 International transfers. Where AI features are used, prompts and drafts are transmitted to the Lovable AI Gateway and its upstream model providers, which may process data outside the UK/EEA. Such transfers rely on the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses (2021/914), together with any supplementary measures required by Schrems II. Subprocessors are listed in the DPA.

8.5 Retention. Locally stored data persists until you clear it from the Privacy Centre or your browser. Account records we hold are kept only as long as needed for the purpose for which they were collected and, where required, to meet legal obligations.

8.6 Security. We implement appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit, access controls, and logging. No system is perfectly secure; you must also take reasonable steps to protect your devices and credentials.

8.7 Breach notification. If a personal-data breach is likely to result in a risk to individuals we will notify the competent supervisory authority within 72 hours where required (Article 33) and affected individuals without undue delay where the risk is high (Article 34).

9. Your data-subject rights

Under Articles 15–22 GDPR you have the right to access, rectify, erase, restrict, object to processing, port your data, and withdraw consent at any time. You can exercise most of these rights directly in the Privacy Centre (export, delete, revoke AI consent). For other requests contact Amiehg@hotmail.com. You also have the right to lodge a complaint with a supervisory authority — in the UK the Information Commissioner's Office (ico.org.uk) or your local EU authority.

10. Cookies and electronic communications

We only set non-essential cookies with your consent, in line with the ePrivacy Directive (as implemented in the UK by PECR). You can review and change your choices at any time from the Cookie notice.

11. Third-party services

The Service integrates with third-party providers listed in the DPA. Your use of those providers is also governed by their own terms and privacy notices. We are not responsible for their acts or omissions beyond the contractual controls we impose on them as our subprocessors.

12. Availability and changes

The Service is provided on an "as is" and "as available" basis, without warranties of any kind, to the maximum extent permitted by law. We may change or discontinue features at any time and will give reasonable notice of material changes to these terms via the Service or by email.

13. Liability

To the maximum extent permitted by law, our aggregate liability arising out of or in connection with these terms is limited to the greater of (a) the fees you paid us in the 12 months preceding the event giving rise to the claim, or (b) £100. We exclude liability for indirect, incidental or consequential losses, and for loss of profits, revenue, goodwill or data. Nothing in these terms limits or excludes liability that cannot be limited or excluded by law, including liability for death or personal injury caused by negligence, fraud, or statutory liability under UK/EU data-protection law.

14. Termination

Either party may terminate at any time. On termination you can export your data from the Privacy Centre. We will delete or anonymise personal data we hold about you within a reasonable period unless retention is required by law.

15. Governing law and disputes

These terms are governed by the laws of the United Kingdom, with exclusive jurisdiction of the UK courts. Nothing in this clause deprives a consumer of the protection of mandatory rules of the law of their country of habitual residence.

16. Changes to these terms

We will post any updated version on this page with a new "Last updated" date. Continued use of the Service after changes take effect constitutes acceptance of the revised terms.

17. Contact

Operator: TBC (legal name to be confirmed before go-live), United Kingdom. General queries and privacy or data-subject rights requests: Amiehg@hotmail.com. Where required under Article 27 GDPR, our UK/EU representative will be named here once appointed.

These terms are provided as a starting template. They must be reviewed and adapted by qualified legal counsel to reflect your organisation, jurisdiction and processing activities before publication.