Privacy Policy

Last updated: April 7, 2026

1. Introduction

ANKOR (“we”, “us”, “our”) operates the AnkorFlow platform at ankorflow.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, admin dashboard, booking widgets, and third-party integrations.

2. Information We Collect

Account Information

When you register a business or create an account, we collect your name, email address, phone number, and business information (business name, address, phone).

Booking Data

When customers book appointments, we collect their name, email, phone number, selected services, and appointment times.

Payment Information

Payment processing is handled by Square and Stripe. We do not store credit card numbers. We receive transaction confirmations and payment status from these providers.

Third-Party Integrations

When you connect third-party services (Instagram, Google, Twilio), we store encrypted access tokens and basic profile information (e.g., Instagram username). We do not access your passwords, direct messages, or follower lists.

Automatically Collected Data

We collect IP addresses, browser type, and usage analytics to operate, secure, and improve the platform. IP addresses are used for rate limiting and abuse prevention.

3. How We Use Your Information

  • Provide and operate the platform services
  • Process bookings and send appointment notifications
  • Authenticate users and protect accounts
  • Send transactional emails (booking confirmations, password resets)
  • Display Instagram feeds and social media integrations on business pages
  • Process payments through Square and Stripe
  • Prevent abuse, fraud, and enforce rate limits
  • Improve the platform based on usage patterns

4. Data Sharing

We do not sell your personal information. We share data only with:

  • Service providers: Square (payments), Stripe (subscriptions), Twilio (SMS/calls), Anthropic (AI features), SMTP providers (email delivery)
  • Business owners: Customer booking data is shared with the business you book with
  • Legal requirements: When required by law or to protect our rights

5. Data Security

We protect your data with:

  • HTTPS/TLS encryption for all data in transit
  • AES-256 encryption for stored integration tokens and 2FA secrets
  • Bcrypt-12 password hashing
  • HTTP-only cookies for authentication (XSS protection)
  • Per-IP rate limiting and automatic abuse detection
  • Input validation and XSS sanitization (DOMPurify)

6. Data Retention

We retain your data for as long as your account is active. When you delete your account or disconnect an integration, associated data is removed. Cached media (e.g., Instagram posts) is automatically purged when it expires or the integration is disconnected.

7. Your Rights

You can:

  • Access and update your profile in the admin dashboard
  • Disconnect third-party integrations at any time
  • Request deletion of your data by emailing us
  • Request deletion of Instagram data via our data deletion page

8. Cookies

We use essential cookies for authentication (JWT session token) and short-lived cookies for middleware auth caching. We do not use advertising or tracking cookies.

9. Third-Party Services

Our platform integrates with third-party services that have their own privacy policies:

  • Meta / Instagram — for social media feed display
  • Square — for payment processing
  • Stripe — for subscription billing
  • Twilio — for SMS and voice services
  • Google — for OAuth sign-in and business reviews

10. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top reflects the most recent revision.

11. Contact

For privacy questions or data requests, contact us at: support@ankorflow.com