Legal
Privacy Policy
Last updated: March 2026
1. Who We Are
biflo.ai is a UK-based AI voice receptionist service operated by KRM Consultants Limited (trading as biflo.ai), registered in England and Wales under company number 10021206, with its registered address at Suite 8 Room 2, Excelsior House, 3-5 Balfour Road, Ilford, Essex IG1 4HP.
We provide AI-powered telephone reception to UK hair salons, enabling them to answer calls, take bookings, and serve clients around the clock. References to “we” or “our” refer to KRM Consultants Limited (trading as biflo.ai) throughout this policy.
We are registered with the Information Commissioner's Office (ICO) under registration number ZC111398. ICO registration is required before processing personal data commercially in the UK.
2. What Data We Collect
2.1 Salon Callers (Processed on Behalf of Salon Owners)
When you call or message a salon using biflo.ai (by phone or WhatsApp), we process:
- Your telephone number (CLI for voice calls, WhatsApp number for messages)
- Your name and booking preferences, if provided during the conversation
- A transcript of your conversation with the AI receptionist (voice or text)
- Conversation metadata: date, time, duration, channel (voice/WhatsApp), and outcome
- Appointment details: service requested, preferred stylist, date and time
For WhatsApp conversations, Meta Platforms Ireland Limited acts as an independent controller for WhatsApp platform data (delivery metadata, device information). We process only the message content and your phone number via the Meta Cloud API.
We act as a data processor on behalf of the salon (the data controller). The salon is responsible for informing callers about AI-handled calls and for its own lawful basis for processing.
2.2 Salon Owners and Dashboard Users
- Name and email address (account registration)
- Business name, address, and telephone number
- Billing information (processed by Stripe - we do not store card details)
- Usage data: dashboard activity, settings changes, features used
- Communications: support messages and emails sent to us
2.3 Website Visitors
- IP address and browser or device information
- Pages visited and time on site (aggregate analytics only)
3. Call Recording Disclosure
All calls handled by biflo.ai are processed by an AI assistant and may be recorded or transcribed. Salons are contractually required to inform callers at the start of every call:
“Hi, you've reached [Salon Name]. This call is handled by our AI assistant and may be recorded. How can I help?”
If you have concerns about call processing, contact the salon directly or email hello@biflo.ai.
4. Our Lawful Basis for Processing
| Processing Activity | Lawful Basis (UK GDPR) |
|---|---|
| Answering inbound calls on behalf of a salon | Legitimate interests - Article 6(1)(f) |
| Creating and managing bookings | Performance of a contract - Article 6(1)(b) |
| Call recording and transcription | Consent - Article 6(1)(a) |
| Salon owner account management | Performance of a contract - Article 6(1)(b) |
| Billing and payment processing | Contract performance - Article 6(1)(b) |
| Service improvement and analytics | Legitimate interests - Article 6(1)(f) |
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Call transcripts and recordings | 30 days default (configurable per salon: 7 to 365 days) |
| Caller profiles (phone number and preferences) | Duration of salon subscription + 30 days after termination |
| Booking records | 7 years (UK financial records obligation) |
| Salon owner account data | Duration of subscription + 30 days after cancellation |
| Billing and invoicing records | 7 years (HMRC requirement) |
6. Your Rights Under UK GDPR
To exercise any right, contact hello@biflo.ai. We respond within one calendar month.
- Right of access - Request a copy of the personal data we hold about you.
- Right to rectification - Ask us to correct inaccurate or incomplete data.
- Right to erasure - Ask us to delete your data where consent was the lawful basis and you withdraw it. Note that legal obligations may require retaining certain records.
- Right to restriction - Ask us to pause processing while a dispute is resolved.
- Right to data portability - Where processing is based on consent or contract and is automated, request your data in a machine-readable format.
- Right to object - Object to processing based on legitimate interests. We will stop unless we have compelling grounds to continue.
- Right to withdraw consent - Where we rely on consent, you may withdraw it at any time without affecting prior processing.
Salon callers wishing to exercise rights should contact the salon (data controller) directly, or contact us and we will forward your request within 72 hours.
You may also lodge a complaint with the ICO: ico.org.uk or call 0303 123 1113.
7. Automated Processing
biflo.ai uses artificial intelligence to process voice calls and WhatsApp messages on behalf of salons. This includes:
- Speech-to-text transcription of voice calls
- Understanding caller intent (e.g. booking request, enquiry, complaint)
- Checking stylist availability and creating booking records
- Building caller profiles (name, preferences) from conversation context
No decisions made by our AI produce legal or similarly significant effects on callers. Booking decisions can always be amended or cancelled by the caller or salon. A caller may request to speak to a human at any time during a voice call, and the AI will transfer the call to salon staff.
Under UK GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects. As our AI does not make such decisions, Article 22 does not apply. However, you may still contact us at hello@biflo.ai with any questions about how our AI processes your data.
8. Our Sub-Processors
Each sub-processor has a Data Processing Agreement in place with us.
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database - transcripts, profiles, bookings | EU (Frankfurt, Germany) |
| LiveKit | Real-time voice processing | UK / EU region |
| Deepgram | Speech-to-text transcription | US (SCCs in place) |
| OpenAI | Language model (AI conversation) | US (SCCs in place) |
| Cartesia | Text-to-speech voice synthesis | US (SCCs in place) |
| Telnyx | UK telephone network and SIP trunk | EU (Amsterdam SIP endpoint) |
| Stripe | Payment processing and billing | EU (Dublin) / UK |
9. International Data Transfers
Deepgram, OpenAI, and Cartesia are US-based. Transfers are safeguarded by Standard Contractual Clauses (SCCs) under the UK ICO's International Data Transfer Agreement (IDTA). Transfer impact assessments have been conducted where required.
Our primary database (Supabase) stores data in the EU (Frankfurt), which benefits from UK adequacy decisions for EU member state transfers.
10. Security Measures
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit for all communications
- Row-Level Security (RLS) - each salon's data is strictly isolated by tenant
- Role-based access controls - staff access only their own data
- Supabase Auth with JWT tokens containing tenant and role claims
- Regular security reviews of code and infrastructure
- Minimal staff access to production data
11. Cookies
Our dashboard uses essential authentication cookies (Supabase Auth session cookies). These are strictly necessary and do not require consent under PECR. We do not use tracking or advertising cookies. If we introduce analytics cookies in future, we will update this policy and obtain appropriate consent.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify salon owners by email at least 14 days before they take effect.
13. Contact Us
For privacy queries, to exercise your rights, or to raise a concern:
KRM Consultants Limited (trading as biflo.ai)
Suite 8 Room 2, Excelsior House, 3-5 Balfour Road, Ilford, Essex IG1 4HP
Email: hello@biflo.ai
ICO Registration: ZC111398