Flow ("we," "us," or "our") operates the Flow web platform at main-flow.com ("the Platform") and the Flow Sync Chrome extension ("the Extension"). This Privacy Policy describes how we collect, use, store, and protect information when you use the Platform and/or the Extension. By using our services, you agree to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you sign in to the Platform or Extension, we collect:
- Your email address
- Your name and profile picture (when signing in with Google or Microsoft)
- Your user ID
- Authentication tokens (used to keep you signed in)
1.2 Data You Extract Using the Extension
The Extension allows you to create field-mapping templates and extract logistics and shipping data from websites you visit. Depending on how you configure your templates, the data you extract may include:
- Customer and carrier names
- Order, load, PO, and PU numbers
- Pickup and delivery locations (city and state)
- Ship and delivery dates
- Rate and pricing information
- Carrier contact information (email, phone number)
- Delivery status information
- Proof of Delivery (POD) documents and related files
Important: The Extension only extracts data from fields you explicitly configure in your templates or from supported integrations (such as ITS Dispatch) that you initiate. It does not passively collect data from websites you visit.
1.3 Locally Stored Data
The Extension stores the following data locally in your browser using Chrome's storage API:
- Your authentication credentials (encrypted tokens)
- Your field-mapping templates
- Extracted data rows (cached locally before syncing)
- Session activity timestamps
1.4 Information We Do Not Collect
- We do not collect your browsing history.
- We do not collect data from websites other than those you actively use the Extension on.
- We do not collect personally identifiable information beyond what is required for authentication.
- We do not use third-party analytics, tracking, or advertising services within the Extension.
2. How We Use Your Information
We use the information described above for the following purposes:
- Authentication: To verify your identity and maintain your session.
- Core Functionality: To extract, store, and sync the logistics data you configure the Extension to capture.
- Data Synchronization: To transmit your extracted data to our backend servers so it is accessible within the Flow platform (main-flow.com).
- Template Management: To save, retrieve, and manage your field-mapping templates across sessions.
- Delivery Tracking: To track and sync delivery status updates for your loads.
- Session Security: To automatically log you out after a period of inactivity (1 hour) to protect your account.
3. Data Sharing and Disclosure
3.1 Our Backend Services
Extracted data and templates are transmitted to our servers at api.main-flow.com for storage and use within the Flow platform. This data is associated with your user account.
3.2 Third-Party Authentication
We use Google Firebase for authentication services. When you sign in, your credentials are processed through Google's Identity Toolkit and Secure Token services. Google's use of this data is governed by Google's Privacy Policy.
3.3 No Sale of Data
We do not sell, rent, or trade your personal information or extracted data to third parties.
3.4 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Google User Data & Gmail Integration
This section describes how Flow accesses, uses, stores, and shares Google user data, in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
4.1 Google Sign-In
Flow uses Google Firebase Authentication to allow users to sign in with their Google account. During sign-in, we receive your name, email address, and profile picture from Google. This information is used solely to create and maintain your Flow account. We do not request any additional Google data during the sign-in process.
4.2 Gmail Integration (Optional)
Flow offers an optional Gmail integration that users may connect through the Settings page. This integration is entirely separate from sign-in and requires explicit user action to enable. When you connect your Gmail account, we request the following OAuth scopes:
- gmail.send — Used to send emails (rate confirmations, load tender responses, and shipping status updates) on your behalf from your own Gmail address to carriers and shippers within the Flow platform.
- gmail.readonly — Used to read your incoming emails to detect and surface freight-related messages (load offers, rate confirmations, carrier responses) within your Flow dashboard, so you can manage logistics communications without switching between apps.
- userinfo.email — Used to verify which Gmail address is connected to your account.
4.3 How We Use Gmail Data
Gmail data accessed through the integration is used exclusively to:
- Send emails that you compose and initiate within the Flow platform
- Read and display incoming emails relevant to your freight brokerage operations
- Show email delivery status within the platform
We do not use Gmail data for advertising, market research, or any purpose unrelated to the core freight brokerage functionality of Flow.
4.4 Gmail Data Storage
- OAuth Tokens: Gmail OAuth access tokens and refresh tokens are stored securely on our backend servers (api.main-flow.com) and are associated with your user account. Tokens are encrypted in transit via HTTPS/TLS.
- Email Content: Email content retrieved via the Gmail API is displayed in real-time within the platform and is not permanently stored on our servers. Email metadata (message IDs, timestamps, subject lines) may be cached temporarily to improve performance.
- Sent Emails: When you send an email through Flow, the email is transmitted directly to Gmail's API. We store a record of the send action (recipient, subject, timestamp, delivery status) for your reference within the platform.
4.5 Gmail Data Sharing
We do not share, sell, or transfer your Gmail data to any third parties. Gmail data is only transmitted between your browser, our backend servers, and Google's Gmail API. No other services or parties have access to your Gmail data.
4.6 Disconnecting Gmail
You may disconnect your Gmail account at any time through the Flow Settings page. When you disconnect, we delete your stored Gmail OAuth tokens from our servers. You may also revoke Flow's access to your Google account at any time by visiting Google Account Permissions.
4.7 Google API Services Limited Use Disclosure
Flow's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4B. Microsoft User Data & Outlook Integration
This section describes how Flow accesses, uses, stores, and shares Microsoft user data when you connect your Outlook/Microsoft 365 email account.
4B.1 Microsoft Sign-In
Flow allows users to sign in with their Microsoft account via Firebase Authentication. During sign-in, we receive your name, email address, and profile picture. This information is used solely to create and maintain your Flow account.
4B.2 Outlook Email Integration (Optional)
Flow offers an optional Outlook/Microsoft 365 email integration that users may connect through the Settings page. This integration is entirely separate from sign-in and requires explicit user action to enable. When you connect your Outlook account, we request the following Microsoft Graph API permissions:
- Mail.Send — Used to send emails (rate confirmations, load tender responses, and shipping status updates) on your behalf from your own Outlook email address to carriers and shippers within the Flow platform.
- Mail.Read — Used to read your incoming emails to detect and surface freight-related messages (load offers, rate confirmations, carrier responses) within your Flow dashboard.
- User.Read — Used to retrieve your basic profile information and verify which email address is connected.
- offline_access — Used to maintain your email connection without requiring you to re-authenticate each session.
4B.3 How We Use Outlook Data
Outlook data accessed through the integration is used exclusively to:
- Send emails that you compose and initiate within the Flow platform
- Read and display incoming emails relevant to your freight brokerage operations
- Show email delivery status within the platform
We do not use Outlook data for advertising, market research, or any purpose unrelated to the core freight brokerage functionality of Flow.
4B.4 Outlook Data Storage
- OAuth Tokens: Outlook OAuth access tokens and refresh tokens are stored securely on our backend servers (api.main-flow.com) and are associated with your user account. Tokens are encrypted in transit via HTTPS/TLS.
- Email Content: Email content retrieved via the Microsoft Graph API is displayed in real-time within the platform and is not permanently stored on our servers. Email metadata may be cached temporarily to improve performance.
- Sent Emails: When you send an email through Flow, the email is transmitted directly to Microsoft's Graph API. We store a record of the send action (recipient, subject, timestamp, delivery status) for your reference.
4B.5 Outlook Data Sharing
We do not share, sell, or transfer your Outlook data to any third parties. Outlook data is only transmitted between your browser, our backend servers, and Microsoft's Graph API. No other services or parties have access to your Outlook data.
4B.6 Disconnecting Outlook
You may disconnect your Outlook account at any time through the Flow Settings page. When you disconnect, we delete your stored Outlook OAuth tokens from our servers. You may also revoke Flow's access to your Microsoft account at any time by visiting Microsoft Account App Access.
4C. Truckstop Load Post Integration
This section describes how Flow accesses, uses, stores, and shares Truckstop data when you connect your Truckstop Load Post account through the Flow Live Loads page.
4C.1 Scope of the Integration
The Truckstop integration is entirely optional and requires explicit user action to enable. Each broker connects their own Truckstop account via Truckstop's OAuth 2.0 authorization flow; there are no shared logins or pooled credentials. When you authorize the connection, Flow is granted the following permissions on your behalf:
- Load Post API (truckstop scope) — Used to post new loads to the Truckstop load board, update posted loads (rate changes, equipment, notes), refresh active postings on the standard 15-minute Truckstop cooldown, and remove postings you no longer want to show.
4C.2 How We Use Truckstop Data
Truckstop data accessed through the integration is used exclusively to:
- Submit, update, refresh, and remove load postings that you explicitly initiate within Flow
- Display per-load posting status (active, expired, last refreshed) on your Live Loads page
- Surface posting errors returned by Truckstop's API so you can correct and retry
We do not use Truckstop data for advertising, market research, competitive analysis, or any purpose unrelated to the core load-posting functionality of Flow.
4C.3 Truckstop Data Storage
- OAuth Tokens: Truckstop access tokens and refresh tokens are encrypted at rest on our backend servers (api.main-flow.com) using AES-256-GCM, with one row per Flow user. Tokens are decrypted in memory only at the moment of an outbound API call.
- Posted Load Records: For each load you post to Truckstop, we store the Truckstop-issued load id, the payload we submitted, the latest Truckstop API response, and the posting status (active, expired, removed). This is required so Flow can update or delete the correct posting later without needing to re-query Truckstop's system.
- In Transit: All Truckstop API requests use HTTPS/TLS. Refresh tokens are single-use; Flow rotates them automatically and serializes concurrent refresh attempts to avoid burning a valid token.
4C.4 Truckstop Data Sharing
We do not share, sell, or transfer your Truckstop data to any third parties. Truckstop data flows only between your browser, our backend servers, and Truckstop's API. No other services or parties have access to your Truckstop credentials or load-posting records.
4C.5 Disconnecting Truckstop
You may disconnect your Truckstop account at any time from the Live Loads page in Flow. When you disconnect, we delete your stored Truckstop OAuth tokens from our servers. Loads you have already posted to Truckstop remain live on the Truckstop load board until they expire or are removed; however, Flow will no longer be able to update or delete those postings on your behalf. To remove already-posted loads after disconnecting, contact Truckstop directly or reconnect your Truckstop account in Flow.
4D. QuickBooks Online (Intuit) Integration
This section describes how Flow accesses, uses, stores, and shares QuickBooks Online data when you connect your QuickBooks Online company through the Flow Billing page. Flow's use of Intuit data is subject to and complies with the Intuit Developer Data Protection Policy and the Intuit Data Security Standards.
4D.1 Scope of the Integration
The QuickBooks Online integration is entirely optional and requires explicit user action to enable. Each broker connects their own QuickBooks Online company via Intuit's OAuth 2.0 authorization flow. Flow requests only the following Intuit OAuth scope:
- com.intuit.quickbooks.accounting — The QuickBooks Online Accounting API scope, used to create invoices, customers, and service items in the connected company. Flow does not request Intuit's Payments or Payroll API scopes.
4D.2 What Intuit Data We Access
Within the connected QuickBooks Online company, Flow accesses only the following entities and only for the purposes described:
- CompanyInfo (read): Read once at connection time and on the Verify Connection action to display your company name in the Flow UI so you can confirm Flow is connected to the correct QuickBooks company.
- Customer (read/create): When you push a load as an invoice, Flow searches QuickBooks for a customer matching the broker-customer name on the load. If found, Flow reuses that customer record. If not found, Flow creates a new customer with just the display name so the invoice has a valid CustomerRef.
- Item (read/create): Flow searches for a Service item named "Freight" in your QuickBooks company. If found, Flow reuses it. If not found, Flow creates one and attaches it to the first available Income account so the invoice has a valid line item.
- Account (read): Read once when auto-creating the Freight service item, solely to identify an Income account to attach to the item.
- Invoice (create): Flow creates one invoice per load you explicitly push. Each invoice contains the broker-customer reference, the Freight service item, the rate amount, and a description of the lane (origin to destination + Flow load id).
Flow does not read or write the following QuickBooks data: bills, payments, journal entries, payroll data, sales receipts, estimates, purchase orders, vendor records, bank transactions, employee records, or any other entities not listed above. Flow never deletes any QuickBooks data; if you need to remove a Flow-created invoice or customer from QuickBooks, you must do so directly in QuickBooks.
4D.3 How We Use Intuit Data
Intuit data accessed through the integration is used exclusively to:
- Display your QuickBooks company name on the Flow Billing page so you can verify the active connection
- Create invoices in your QuickBooks company in response to your explicit Send to QuickBooks action on a load
- Create the minimum customer and service-item records required to make those invoices valid
We do not use Intuit data for advertising, profiling, benchmarking across other Flow customers, training machine learning models, market research, or any purpose unrelated to the core freight-to-invoice functionality of Flow.
4D.4 Intuit Data Storage and Security
- OAuth Tokens: QuickBooks access tokens and refresh tokens are encrypted at rest on our backend servers (api.main-flow.com) using AES-256-GCM, with one row per Flow user. The realm id (your QuickBooks company id) is stored alongside the tokens so Flow can scope every API call to the correct company. Tokens are decrypted in memory only at the moment of an outbound API call.
- Token Rotation: Intuit refresh tokens rotate on every successful use; Flow replaces the stored refresh token after each refresh and serializes concurrent refresh attempts per user to prevent token-burning races.
- In Transit: All QuickBooks Online API requests use HTTPS/TLS. Token requests use Basic authentication with the application client id and secret, which are stored only in server-side environment variables and never exposed to the browser.
- No Persistent Copy of Intuit Data: Flow does not maintain a local copy of your QuickBooks customers, items, invoices, or other entities. Each push to QuickBooks is a one-shot API call. Flow records only the QuickBooks-assigned invoice id and document number for the invoices it creates, so you can reference them later.
4D.5 Intuit Data Sharing
We do not share, sell, transfer, or sublicense your QuickBooks data to any third parties. Intuit data flows only between your browser, our backend servers, and Intuit's QuickBooks Online API endpoints. No other services or parties — including other Flow customers — have access to your QuickBooks company data, tokens, or realm id. Flow's data isolation is enforced at the database layer: every row in our QuickBooks-related tables is keyed by your Flow user id, and every API call is scoped to your realm id.
4D.6 Disconnecting QuickBooks
You may disconnect your QuickBooks Online account at any time from the Flow Billing page. When you disconnect, we delete your stored QuickBooks OAuth tokens and realm id from our servers. You may also revoke Flow's access from inside QuickBooks Online at any time via QuickBooks Online Settings → My Apps. Invoices, customers, and items that Flow created in your QuickBooks company are not removed by a disconnect; they remain yours to manage directly inside QuickBooks.
4D.7 Compliance with Intuit's Requirements
Flow's integration with QuickBooks Online has been built to comply with Intuit's published Developer Code of Conduct, Data Protection Policy, and Data Security Standards. Specifically: we encrypt OAuth tokens at rest, we use HTTPS for all API calls, we capture Intuit's per-request trace id (intuit_tid) in our logs to assist Intuit Support during any future troubleshooting, we use Intuit's OpenID discovery document to resolve OAuth endpoints at runtime, and we do not store or expose client credentials in the browser. Our use of Intuit data is limited to the scopes and purposes disclosed above.
5. Data Storage and Security
- Local Storage: Data stored locally in your browser is scoped to your user account to prevent cross-account access. Authentication tokens are stored using Chrome's storage API and expire after 1 hour, after which they are automatically refreshed or you are logged out.
- Data in Transit: All communication between the Extension and our servers is encrypted using HTTPS/TLS.
- Server-Side Storage: Data transmitted to our backend is stored on secured servers with access controls in place.
- Local Storage Limits: Local cached data is capped at 1 MB per storage key with automatic cleanup to prevent excessive storage use.
6. Chrome Extension Browser Permissions
The Extension requests the following browser permissions:
| Permission | Purpose |
|---|---|
| storage | Store your templates, extracted data, and session information locally |
| tabs | Identify the active tab to apply the correct template |
| activeTab | Access the content of the page you are actively working on |
| scripting | Execute extraction scripts on the current page to capture configured fields |
| cookies | Manage authentication session cookies |
| alarms | Schedule background tasks such as session timeout checks |
| idle | Detect inactivity to enforce automatic logout for security |
| Host permissions (all URLs) | Enable field extraction on any website where you configure templates |
The "all URLs" host permission is required because the Extension is a universal field scraper — you may need to extract data from any logistics website or carrier portal. The Extension does not passively monitor or collect data from all websites; it only activates when you explicitly use it on a page.
7. Data Retention
- Local Data: Extracted data rows and templates are stored locally until you clear them or uninstall the Extension.
- Server Data: Data synced to our servers is retained as part of your Flow account for as long as your account is active. You may request deletion of your data by contacting us (see Section 11).
- Authentication Tokens: Tokens expire after 1 hour of inactivity and are automatically removed.
- Gmail OAuth Tokens: Stored on our servers for as long as your Gmail integration is connected. Deleted immediately when you disconnect Gmail or delete your account.
- Gmail Email Content: Not permanently stored. Displayed in real-time and cached only temporarily for performance.
- Outlook OAuth Tokens: Stored on our servers for as long as your Outlook integration is connected. Deleted immediately when you disconnect Outlook or delete your account.
- Outlook Email Content: Not permanently stored. Displayed in real-time and cached only temporarily for performance.
8. Your Rights and Choices
- Access and Deletion: You may request access to or deletion of your personal data by contacting us at the email address below.
- Uninstall: You may uninstall the Extension at any time through your browser's extension management page. Uninstalling removes all locally stored data.
- Template Management: You can create, edit, and delete your field-mapping templates at any time through the Extension interface.
- Clear Extracted Data: You can clear your locally cached extracted data through the Extension interface.
- Disconnect Gmail: You can disconnect your Gmail integration at any time from the Flow Settings page. This revokes our access and deletes your stored Gmail tokens.
- Revoke Google Access: You can revoke Flow's access to your Google account at any time via Google Account Permissions.
- Disconnect Outlook: You can disconnect your Outlook integration at any time from the Flow Settings page. This revokes our access and deletes your stored Outlook tokens.
- Revoke Microsoft Access: You can revoke Flow's access to your Microsoft account at any time via Microsoft Account App Access.
9. Children's Privacy
The Extension is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will take steps to delete that information promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and, where appropriate, notifying you within the Platform. Your continued use of our services after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or want to request deletion of your data, please contact us at:
Email: flowbros@main-flow.com
Website: https://main-flow.com
This privacy policy applies to the Flow web platform (main-flow.com) and the Flow Sync Chrome extension.