Table of Contents
1
Introduction
Please read this Privacy Policy carefully before using FlexiFunnels. This Policy sets out how Misfits Change Makers Private Limited ("FlexiFunnels", "We", "Us", or "Our"), owner of https://www.flexifunnels.com and related mobile applications (collectively, the "Platform"), collects, uses, maintains, and discloses personal data from users ("You" or "Your").
This Policy has been updated to comply with the EU General Data Protection Regulation (GDPR) 2016/679, India's Digital Personal Data Protection Act 2023 (DPDPA), the California Consumer Privacy Act (CCPA), and all other applicable data protection laws. By continuing to use our Platform, You acknowledge that You have read and understood this Policy.
Important: FlexiFunnels acts as a Data Controller for personal data it collects directly from users, and as a Data Processor for personal data collected by our customers (Data Controllers) through tools and funnels built on the FlexiFunnels Platform.
2
Definitions
The following definitions apply throughout this Privacy Policy:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (data subject), including name, email address, phone number, IP address, location data, and online identifiers. |
| Data Controller | The entity that determines the purposes and means of processing personal data. FlexiFunnels is the Data Controller for data collected directly from its users. |
| Data Processor | An entity that processes personal data on behalf of a controller. FlexiFunnels acts as a Data Processor for end-customer data handled on behalf of its customers. |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, or deletion. |
| Data Subject | The natural person whose personal data is being processed. |
| Sub-Processor | A third party engaged by FlexiFunnels to process personal data on its behalf. |
| Consent | Freely given, specific, informed, and unambiguous agreement by the data subject to the processing of their personal data. |
3
Personal Data We Collect
3.1 Account & Identity Data
- Full name, email address, phone number
- Account login credentials (stored encrypted)
- Business name and billing address
- Profile preferences and account settings
3.2 Payment & Financial Data
- Payment card details — processed via PCI-DSS compliant gateways (Razorpay, Stripe)
- Transaction history and billing records
Security Note: FlexiFunnels does not store full payment card numbers. All payment data is tokenised and handled by our PCI-DSS compliant payment processors.
3.3 Technical & Usage Data
- IP address, browser type and version, operating system
- Device identifiers and geolocation data (where permitted by You)
- Pages visited, session duration, click patterns, scroll heatmaps
- Log files, error reports, timestamps, and load times
3.4 Customer End-User Data (Processed as Data Processor)
When You use FlexiFunnels to build funnels, websites, or run marketing campaigns, personal data of your end-customers (name, email, phone, payment information) is processed by FlexiFunnels on Your behalf as a Data Processor.
Your Responsibility: Your obligations as a Data Controller to your own end-customers remain your responsibility. Please ensure you maintain appropriate privacy notices and lawful bases for processing your end-customers' data.
3.5 Employee & HR Data
- Professional and employment-related information for employees, contractors, and job applicants
- Governed by internal HR policies, employment agreements, and applicable labour law
4
Legal Basis for Processing (GDPR & DPDPA)
We process your personal data only where a valid legal basis exists. The legal bases we rely on are:
Contractual Necessity
(GDPR Art. 6(1)(b) | DPDPA S.7(a))
Processing necessary to perform our contract with You — providing the Platform, processing payments, and managing your account.
Legitimate Interests
(GDPR Art. 6(1)(f) | DPDPA S.7(d))
Processing necessary for our legitimate business interests — fraud prevention, security, analytics, and service improvement — where these interests are not overridden by your rights.
Legal Obligation
(GDPR Art. 6(1)(c) | DPDPA S.7(c))
Processing necessary to comply with a legal obligation, including tax records, regulatory reporting, and responding to law enforcement requests.
Vital Interests
(GDPR Art. 6(1)(d))
Processing necessary to protect the vital interests of You or another natural person.
5
How We Use Your Personal Data
Service Delivery
Creating and managing your account, processing transactions, providing customer support, and operating the Platform.
Communications
Sending account-related emails, service updates, product announcements, and responding to your queries.
Marketing (with consent)
Sending promotional materials where You have opted in. You may opt out at any time via the unsubscribe link in any email or by emailing help@flexifunnels.com and DPO@flexifunnels.com.
Security & Fraud Prevention
Detecting, investigating, and preventing fraudulent transactions, abuse, and security incidents.
Analytics & Improvement
Analysing usage patterns to improve features, optimise performance, and enhance the user experience.
Legal Compliance
Meeting our obligations under applicable laws, regulations, and court orders.
Business Continuity: For corporate transactions such as mergers, acquisitions, or asset transfers, your data may be transferred subject to equivalent data protection obligations on the receiving entity.
6
Your Data Subject Rights
Under the GDPR, DPDPA 2023, and other applicable laws, You have the following rights with respect to your personal data. To exercise any of these rights, contact us at help@flexifunnels.com or DPO@flexifunnels.com. We will respond within 30 calendar days (extendable to 90 days for complex requests, with notice to You).
6.1 Right to Be InformedGDPR Art. 13–14 | DPDPA S.11
You have the right to be informed about how your personal data is collected and used. This Privacy Policy fulfils that obligation. At the point of collection, we inform You of: the identity and contact details of the Data Controller / Data Fiduciary; the purpose and legal basis for processing your data; recipients of your data and any international transfers; how long we retain your data; and your rights and how to exercise them.
6.2 Right of AccessGDPR Art. 15 | DPDPA S.11(a)
You have the right to obtain confirmation as to whether we process your personal data, and if so, to receive a copy of that data along with information about the purposes of processing, categories of data, recipients, retention periods, and your other rights. To submit an access request, email privacy@flexifunnels.com with the subject line 'Data Access Request'.
6.3 Right to RectificationGDPR Art. 16 | DPDPA S.11(b)
You have the right to request correction of inaccurate personal data, and to have incomplete data completed. You may update most account information directly in your FlexiFunnels account settings. For data you cannot update yourself, contact privacy@flexifunnels.com. We will act without undue delay and within one month.
6.4 Right to Erasure — 'Right to Be Forgotten'GDPR Art. 17 | DPDPA S.13
You have the right to request deletion of your personal data where: the data is no longer necessary for the purpose for which it was collected; You withdraw consent and there is no other legal basis for processing; You object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required to comply with a legal obligation.
We may retain certain data where required by law, to establish or defend legal claims, or to meet regulatory obligations. We will inform You of any such retention at the time of your request. To submit an erasure request, email help@flexifunnels.com & DPO@flexifunnels.com with the subject line 'Right to Erasure Request'.
We may retain certain data where required by law, to establish or defend legal claims, or to meet regulatory obligations. We will inform You of any such retention at the time of your request. To submit an erasure request, email help@flexifunnels.com & DPO@flexifunnels.com with the subject line 'Right to Erasure Request'.
6.5 Right to Restrict ProcessingGDPR Art. 18
You have the right to request restriction of processing of your personal data in the following circumstances: You contest the accuracy of the data — restriction applies while we verify accuracy; processing is unlawful and You oppose erasure but request restriction instead; we no longer need the data but You require it for legal claims; or You have objected to processing — restriction applies while we assess overriding grounds.
Where processing is restricted, we will only store your data and will not process it further without your consent, except for legal claims, protection of rights, or important public interest.
Where processing is restricted, we will only store your data and will not process it further without your consent, except for legal claims, protection of rights, or important public interest.
6.6 Right to Data PortabilityGDPR Art. 20 | DPDPA S.11(c)
Where processing is based on your consent or on a contract and is carried out by automated means, You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g. CSV or JSON) and to have that data transmitted to another controller. To submit a portability request, email privacy@flexifunnels.com with the subject line 'Data Portability Request'. We will provide your data within 30 days.
6.7 Right to Object to ProcessingGDPR Art. 21 | DPDPA S.11
You have the right to object to the processing of your personal data at any time where it is based on our legitimate interests or for direct marketing purposes:
Direct Marketing: You may opt out of marketing communications at any time by clicking 'Unsubscribe' in any email or by emailing help@flexifunnels.com and DPO@flexifunnels.com. We will immediately cease processing for this purpose.
Legitimate Interests: You may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is required for legal claims.
Direct Marketing: You may opt out of marketing communications at any time by clicking 'Unsubscribe' in any email or by emailing help@flexifunnels.com and DPO@flexifunnels.com. We will immediately cease processing for this purpose.
Legitimate Interests: You may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is required for legal claims.
6.8 Rights in Relation to Automated Decision-Making and ProfilingGDPR Art. 22
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on You.
FlexiFunnels does not currently make automated decisions that produce legal or similarly significant effects. Where we use profiling or automated analytics for product improvement or marketing segmentation, no significant individual decisions are made without human review.
If this changes, we will update this Policy and provide You the right to: request human review of any automated decision; express your point of view and contest the decision; and obtain a clear explanation of the logic involved.
FlexiFunnels does not currently make automated decisions that produce legal or similarly significant effects. Where we use profiling or automated analytics for product improvement or marketing segmentation, no significant individual decisions are made without human review.
If this changes, we will update this Policy and provide You the right to: request human review of any automated decision; express your point of view and contest the decision; and obtain a clear explanation of the logic involved.
6.9 Right to Withdraw Consent and Consequences of WithdrawalGDPR Art. 7(3) | DPDPA S.6
Where we process your data based on consent, You have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, email privacy@flexifunnels.com or update your preferences in your account settings.
How to Exercise Your Rights
Contact: Email help@flexifunnels.com & DPO@flexifunnels.com
Response time: Acknowledged within 72 hours, full response within 30 days
Identity verification: We may verify your identity to protect your data
No fee: Exercising rights is free (except manifestly excessive requests)
Complex requests: May be extended by 60 days with notice
Right to complain: EU/EEA users → national DPA; Indian users → Data Protection Board
Consequences of withdrawal:
Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal — past processing based on your consent remains valid.
If You withdraw consent for cookie-based analytics or tracking, certain personalisation features on the Platform may no longer function as intended.
If You withdraw consent for marketing communications, You will no longer receive promotional emails, offers, or product updates from FlexiFunnels.
If You withdraw consent that is necessary for the performance of a service or for account management, this may affect your ability to use certain features or the Platform as a whole. We will inform You of any such impact at the time of your request before processing the withdrawal.
Complex requests: May be extended by 60 days with notice
We will action your withdrawal request within 72 hours of receipt and confirm the same to You in writing.
7
Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
Active Account Data
Duration of subscription + 90 days post-deletion
Financial & Transaction Records
7 years (Indian GST & accounting compliance)
Support & Communication Records
24 months from last communication
Security & Audit Logs
12 months
Consent Records
Duration of engagement + 3 years
Legal Hold
Until resolution of legal proceedings
Upon expiry of retention periods, data is securely deleted using industry-standard methods or anonymised such that it can no longer be attributed to any individual.
8
Data Processing Agreement (DPA)
This section constitutes the Data Processing Agreement between FlexiFunnels (as Data Processor) and our customers (as Data Controllers) for the purposes of GDPR Article 28 and DPDPA 2023.
8.1 Scope and Nature of Processing
FlexiFunnels processes personal data submitted to the Platform by customers and their end-users. Processing activities include hosting, storage, transmission, analytics, and service delivery operations necessary to provide the FlexiFunnels Platform services.
| Category | Details |
|---|---|
| Data Subjects | End-customers of FlexiFunnels customers; subscribers, leads, and contacts added to the Platform by customers |
| Categories of Data | Name, email address, phone number, IP address, payment and billing information, and behavioural interaction data |
| Purpose | Providing, maintaining, and improving the FlexiFunnels Platform services as instructed by the Data Controller |
| Duration | For the term of the customer subscription plus 90 days following termination |
8.2 Processor Obligations (GDPR Art. 28)
- Process only on documented instructions: We process personal data only on your written instructions, unless required by applicable law.
- Confidentiality: All personnel authorised to process personal data are bound by confidentiality obligations.
- Security: We implement appropriate technical and organisational measures as described in Section 11.
- Sub-processors: We engage only sub-processors listed in Section 8.3. We will notify customers of any intended changes and provide opportunity to object.
- Data subject rights assistance: We assist customers in fulfilling data subject requests within the timelines specified in Section 6.
- Deletion on termination: Upon termination, we will delete or return all personal data within 90 days at the customer's choice, and certify deletion in writing.
- Audit rights: We will provide all information necessary to demonstrate compliance and support audits by customers or their designated representatives on reasonable notice.
8.3 Sub-Processors
FlexiFunnels currently engages the following sub-processors to process personal data:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, and compute services | India (ap-south-1) & Singapore (ap-southeast-1) |
| Razorpay | Indian payment gateway (PCI-DSS compliant) | India |
| Stripe | International payment gateway (PCI-DSS compliant) | Global |
| Zoho CRM | Customer relationship management — names, emails, interaction data | India & Global |
| Google Analytics / Google LLC | Usage analytics and performance measurement — IP & device identifiers | Global |
| Freshdesk / Freshworks | Customer support — names, emails, support communications | India & Global |
| Cashfree Payments India Pvt. Ltd. | Indian payment gateway. Processes payment data for payouts, payment collection, and refunds under PCI-DSS compliance. No full card data is stored by FlexiFunnels. | India |
An up-to-date list of sub-processors is maintained at flexifunnels.com/sub-processors. We will provide 30 days' notice of any intended changes, allowing customers to object.
8.4 International Data Transfers
Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms. For Indian citizens' data, we comply with cross-border transfer requirements under DPDPA 2023.
9
Third-Party Disclosure
FlexiFunnels does not sell, rent, or trade your personal data to any third party.
We share personal data only in the following circumstances:
- Service Providers & Sub-Processors: As listed in Section 8.3, under binding data processing agreements.
- Payment Processors: Payment information shared with Razorpay or Stripe solely for transaction processing.
- Analytics Partners: Aggregated or pseudonymised usage data shared with analytics tools.
- Legal Requirements: Where required by law, court order, or a competent governmental authority.
- Business Transfers: In connection with a merger, acquisition, or asset sale, where the receiving party assumes equivalent privacy obligations.
- With Your Consent: For any other purpose, only with your prior explicit consent.
All third parties with whom we share personal data are contractually required to maintain appropriate security standards and use data only for the specified purpose.
10
Cookies & Tracking Technologies
We use cookies and similar technologies to improve your experience on the Platform:
You may manage cookie preferences through your browser settings or our cookie preference centre. Disabling certain cookies may affect Platform functionality.
To opt out of Google Analytics: https://tools.google.com/dlpage/gaoptout
11
Security Measures
We implement appropriate technical and organisational security measures to protect your personal data:
Encryption
Data encrypted in transit using TLS 1.2+ and at rest using AES-256.
Access Controls
Role-based access control (RBAC) with least-privilege principles; multi-factor authentication required for all administrative access.
Vulnerability Management
Regular vulnerability assessments, penetration testing, and patch management.
Incident Response
Documented incident response procedures; breach notification within 72 hours to supervisory authorities and without undue delay to affected data subjects (GDPR Art. 33–34 | DPDPA S.8).
Employee Training
All staff complete mandatory Information Security and GDPR/DPDPA training on joining and annually thereafter.
Audit Logging
Comprehensive audit trails maintained for all access to personal data.
Certification Progress: FlexiFunnels is pursuing ISO 27001 and SOC 2 Type II certification. Security policies are reviewed and updated at least annually. Despite our measures, no internet transmission is completely secure. In the event of a confirmed breach, we will notify You and the relevant supervisory authority as required by applicable law.
12
Children's Privacy
Our Platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware of such collection without verifiable parental consent, we will promptly delete the data and terminate the relevant account.
If you are a parent or guardian and believe we have your child's data, please contact help@flexifunnels.com and DPO@flexifunnels.com immediately.
13
Jurisdiction-Specific Provisions
13.1 GDPR — European Economic Area, United Kingdom & Switzerland
If You are located in the EEA, UK, or Switzerland, all rights described in Section 6 apply in full. Our lawful bases are set out in Section 4. Our data protection contact is DPO@flexifunnels.com.
You have the right to lodge a complaint with your national Data Protection Authority. A list of EU DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
13.2 DPDPA 2023 — India
FlexiFunnels complies with the Digital Personal Data Protection Act 2023 (DPDPA). As a Data Fiduciary, we commit to:
- Appointing a Data Protection Officer (DPO) — contact: dpo@flexifunnels.com
- Conducting periodic Data Protection Impact Assessments for high-risk processing activities
- Maintaining accurate Records of Processing Activities (ROPA)
- Implementing Data Protection by Design and by Default
- Providing a grievance redressal mechanism — contact: privacy@flexifunnels.com
- Enabling nomination of a person to exercise data rights in case of death or incapacity of the data principal
Indian data principals may lodge a complaint with the Data Protection Board of India once established under DPDPA 2023.
14
Changes to This Privacy Policy
We may update this Policy periodically to reflect changes in our practices, technology, or legal requirements.
Notice of Changes: Material changes will be notified via email to your registered address at least 30 days before taking effect, and by a prominent notice on our website. The effective date of the most recent version is stated at the top of this Policy. Continued use of the Platform following notification constitutes acceptance of the updated Policy.
15
Contact & Data Protection Officer
Data Protection Officer (DPO)
Karthik Ramani
Chief Technology Officer & Interim DPO
Misfits Change Makers Private Limited
165-B, Lane No.5, South Vanasthali, Ballupur,
Dehradun, Uttarakhand – 248001, India
Karthik Ramani
Chief Technology Officer & Interim DPO
Misfits Change Makers Private Limited
165-B, Lane No.5, South Vanasthali, Ballupur,
Dehradun, Uttarakhand – 248001, India
Privacy & Compliance Enquiries
General Support