Privacy Policy
Flinq Copilot Agent — Last updated: June 17, 2026
1. Introduction
This privacy policy explains how Flinq Ltd ("we", "us", "our") handles your data when you use the Flinq Agent for Microsoft 365 Copilot (the "Agent"). The Agent allows you to query your Flinq financial data through Microsoft Copilot using natural language.
2. Data We Access
When you use the Agent, it may access the following data from your Flinq account on your behalf:
- Office and workspace information
- Balance entries and account balances
- Transaction records
- Bank account details
- Interest pool information
- Payment run data
- Fixed term deposit instructions
- Statement summaries
The Agent only accesses data that you have permission to view within your Flinq account. Your existing access controls and office-based permissions apply.
3. How Data Flows
When you ask the Agent a question:
- Microsoft Copilot sends your query to the Flinq gateway (app.flinq.io)
- The gateway routes your request to your specific Flinq instance using your authenticated session
- Your Flinq instance processes the query and returns the relevant data
- The data passes back through the gateway to Copilot, which formats and presents the response to you
4. Data Storage and Retention
- Gateway (app.flinq.io): Stores only your authentication token (encrypted) and basic profile information (name, email, workspace) to maintain your session. No financial data is stored on the gateway.
- Microsoft Copilot: Processes your queries and responses in accordance with Microsoft's privacy policy. Flinq financial data is not permanently stored by Copilot.
- Your Flinq instance: Your data remains on your dedicated, isolated Flinq environment at all times. The Agent reads from it but does not modify or copy it elsewhere.
5. Data Isolation
Each Flinq client operates on a completely separate, dedicated infrastructure. The gateway routes requests based on your workspace identifier but does not have visibility into other clients' data or infrastructure. Your financial data never leaves your isolated environment except in direct response to your authenticated queries.
6. Third-Party Disclosure & Sub-processors
Your data is shared only with Microsoft as necessary to power the Copilot Agent interaction, and with a small number of infrastructure providers strictly required to operate the service (hosting, transactional email, error monitoring).
A complete, up-to-date list of these sub-processors — including their purpose, the categories of data they handle, and their location — is published at app.flinq.io/legal/sub-processors. We notify customers with a signed Data Processing Agreement by email at least thirty (30) days before engaging a new sub-processor.
We do not sell, trade, or otherwise transfer your data to any other third parties. Microsoft's handling of data transmitted through Copilot is governed by their own privacy policies and your organisation's Microsoft 365 agreements.
7. Your Rights (GDPR)
Under the UK General Data Protection Regulation (UK GDPR), you have the right to:
- Access: Request a copy of any personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data from the gateway
- Restriction: Request restriction of processing
- Portability: Request transfer of your data
- Objection: Object to processing of your data
To exercise any of these rights, contact us using the details below.
8. Security
We protect your data through:
- Encrypted authentication tokens (AES-256)
- HTTPS-only communication between all components
- OAuth 2.0 authorization with scoped access tokens
- No storage of financial data on the gateway
- Regular security scanning and monitoring
9. Disconnecting
You can revoke the Agent's access to your Flinq data at any time by:
- Removing the Flinq agent from your Copilot settings
- Asking your organisation's Microsoft 365 administrator to uninstall the Agent
- Contacting us to delete your gateway account
10. Contact & Data Protection
For privacy enquiries, to exercise your data rights, or to request a Data Processing Agreement, please contact our Data Protection Team:
Flinq Ltd — Data Protection Team
Email: data@flinq.io (monitored)
General support: support@flinq.io
Website: flinq.io
Initial acknowledgement is provided within five (5) business days; substantive responses to data-subject rights requests are provided within thirty (30) days as required by UK GDPR Article 12.
Under UK GDPR Article 37, Flinq is not required to appoint a named Data Protection Officer because its processing does not constitute systematic monitoring on a large scale or the large-scale processing of special-category data. The Data Protection Team performs the equivalent role for accountability, rights requests, and regulator liaison.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.
11. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the Agent after changes constitutes acceptance of the revised policy.