LEGAL
Effective Date: March 16, 2026 · Last Updated: March 16, 2026
FAST Advanced Technologies LLC ("HubFlora," "we," "us," or "our") operates the HubFlora platform accessible at hubflora.com. This Privacy Policy applies solely to the HubFlora platform and does not cover any other products or services that FAST Advanced Technologies LLC may operate, which are governed by their own separate privacy policies. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our services. It also describes your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR). By accessing or using HubFlora, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our services.
Data Controller: FAST Advanced Technologies LLC Registration Number: 400461399 Registered Address: Tbilisi, Georgia Data Protection Contact: privacy@hubflora.com HubFlora is a multi-tenant CRM and marketing automation platform designed for small and medium-sized businesses. We act as a data controller for information collected directly through hubflora.com and as a data processor for personal data our clients (Subscribers) upload or collect using our platform.
When you register for HubFlora, we collect: full name, business email address, phone number, company name, country of residence, billing information (processed by our payment partners — see Section 8), and subscription plan details.
Our Subscribers (HubFlora clients) use the platform to collect and manage data about their own leads and customers. This may include: names, email addresses, phone numbers, IP addresses, device and browser information, UTM and advertising attribution data, behavioural engagement data (page views, form submissions, email opens/clicks, CTA interactions), quiz responses, pipeline stage and deal values, and free-form notes or custom fields. HubFlora processes this data strictly on behalf of the Subscriber. The Subscriber is the data controller for their lead data; HubFlora is the data processor.
We automatically collect: IP address, browser type and version, operating system, referring URLs, pages visited within HubFlora, session duration, click paths, and error logs. This data is used to maintain platform performance, security, and product improvement.
HubFlora and its Subscribers use cookies and similar technologies including: • Session cookies — to keep you logged in during a browsing session. • Persistent lead tracking cookie (lead_id) — set on first page visit to link pre-opt-in activity to a lead record after form submission. Maximum duration: 1 year. • Facebook Pixel (_fbp) — a first-party browser cookie used by the Facebook Pixel to identify browsers for advertising purposes. • Facebook Click ID (fbclid / fbc) — captured from ad click URLs to attribute conversions to Facebook ad campaigns. • Google Analytics cookies — for aggregate traffic analysis. You may control cookies through your browser settings. Disabling cookies may affect platform functionality.
We process personal data under one or more of the following legal bases: • Contract (Art. 6(1)(b) GDPR) — processing necessary to deliver our services to Subscribers under the Terms of Service. • Legitimate Interests (Art. 6(1)(f) GDPR) — for platform security, fraud prevention, product analytics, and improving our services. • Consent (Art. 6(1)(a) GDPR) — for marketing communications and, where required, for cookie placement. • Legal Obligation (Art. 6(1)(c) GDPR) — to comply with applicable laws and regulations. Where Subscribers collect personal data from their own leads via HubFlora, the Subscriber is responsible for establishing the appropriate legal basis for that collection.
HubFlora integrates with Meta Platforms, Inc. (Facebook and Instagram) to provide advertising and messaging functionality to Subscribers. The following describes each integration and how data flows.
Subscribers may enable Facebook Pixel on their HubFlora landing pages. When active, the Pixel sends standard browser events (PageView, Lead, Purchase, etc.) directly to Meta from the visitor's browser. This data is processed by Meta under Meta's own Privacy Policy. HubFlora does not store raw Pixel event data.
HubFlora sends server-side conversion events to Meta's Conversions API on behalf of Subscribers. The following data elements may be transmitted to Meta: • Hashed email address (SHA-256) • Hashed phone number (SHA-256) • Client IP address • Client User-Agent string • Facebook Browser ID (fbp cookie) • Facebook Click ID (fbc) • Event name, event time, and event ID User identifiers (email, phone) are hashed before transmission and are never sent in plain text. CAPI events are deduplicated with Pixel events using a shared event_id. This integration operates under the Meta Business Tools Terms.
When a Subscriber connects their Facebook Page or Instagram account to HubFlora using the leads_retrieval permission, HubFlora receives lead data submitted by users through Meta Lead Ad forms and comment-triggered lead flows. This data is retrieved via the Meta Graph API and stored in the Subscriber's HubFlora CRM. The lead's data is used solely for the Subscriber's CRM and marketing automation workflows. HubFlora does not use this data for its own advertising purposes.
Using the pages_messaging and instagram_manage_messages permissions, HubFlora enables Subscribers to send and receive messages through their connected Facebook Pages and Instagram accounts. Message content and sender information are stored within the Subscriber's HubFlora workspace to facilitate CRM workflows and automated responses. HubFlora does not read, analyse, or use message content for any purpose other than routing messages to the Subscriber's inbox and triggering configured automations.
HubFlora integrates with the WhatsApp Business API to allow Subscribers to send and receive WhatsApp messages within their CRM. Phone numbers and message content are processed in accordance with WhatsApp's Business Policy and Meta's Privacy Policy. HubFlora acts as a processor of this data on behalf of the Subscriber.
When a Subscriber connects their Meta assets (Facebook Pages, Instagram accounts, Ad Accounts) to HubFlora via Meta's OAuth flow, HubFlora stores the resulting access tokens securely in an encrypted database. These tokens are: • Used exclusively to make API calls on behalf of the Subscriber. • Never shared with third parties other than Meta's own API endpoints. • Revocable at any time by the Subscriber from their HubFlora account settings or through Meta's App Permissions settings. • Deleted from our systems upon account termination or revocation. We use short-lived tokens where possible and refresh tokens only as required by Meta's token management policies.
Using the ads_management permission, HubFlora may access Subscriber ad account data — including campaign names, ad set configurations, spend data, and attribution results — solely for the purpose of displaying attribution reporting within the HubFlora dashboard and linking ad performance to lead outcomes. This data is not used for any other purpose and is not shared with third parties.
We use data collected through HubFlora for the following purposes: • Service Delivery — to provide, maintain, and improve the HubFlora platform and all its features. • Account Management — to manage Subscriber accounts, billing, authentication, and support. • Communications — to send transactional emails (account alerts, invoices, service notifications) and, with consent, marketing communications. • Analytics & Product Improvement — to understand how the platform is used and to improve features and performance. • Security & Fraud Prevention — to detect, investigate, and prevent fraudulent or unauthorized activity. • Legal Compliance — to meet our obligations under applicable laws. • Attribution Reporting — to help Subscribers understand which marketing channels generate leads and revenue. We do not sell personal data to third parties. We do not use Subscriber lead data for HubFlora's own advertising campaigns.
HubFlora works with the following categories of third-party sub-processors and service providers: • Cloud Infrastructure — DigitalOcean (EU region). All primary data is stored on servers located in the European Union, supporting GDPR compliance for data residency. • Meta Platforms — for Pixel, CAPI, Lead Ads, Messaging, and WhatsApp integrations as described in Section 4. • Payment Processors — Bank of Georgia (Georgian clients), Stripe, Inc. (global clients), and Tap Payments (MENA region clients). HubFlora does not store payment card numbers. All card data is handled directly by the respective payment processor under their own PCI-DSS compliance frameworks. • Email Delivery — transactional email providers for platform notifications and nurture emails. • Analytics — Google Analytics 4 for aggregate website analytics. We do not share personal data with third parties except: (a) as described in this policy; (b) with your explicit consent; (c) as required by law or a valid legal process; or (d) to protect the rights, property, or safety of HubFlora, our Subscribers, or the public.
HubFlora's primary data storage is hosted within the European Union (DigitalOcean EU region). Certain integrations — including Meta Platforms and Stripe — may involve transferring data to the United States or other jurisdictions. Where such transfers occur, we rely on: • Standard Contractual Clauses (SCCs) approved by the European Commission. • The recipient's participation in a recognised adequacy framework where applicable. By using HubFlora, you acknowledge that your data may be transferred to and processed in countries outside your own in accordance with this policy.
We retain personal data for as long as necessary to fulfil the purposes for which it was collected: • Subscriber account data — retained for the duration of the active subscription and for 90 days following account termination, after which it is permanently deleted or anonymised. • Lead and contact data — retained as long as the Subscriber's account is active. Subscribers may delete individual lead records at any time. • Billing and transaction records — retained for 7 years to comply with Georgian accounting and tax law requirements. • Server logs and technical data — retained for a maximum of 90 days. • OAuth access tokens — deleted immediately upon account disconnection or termination. • Backup copies — may persist for up to 30 days beyond the primary deletion date. Subscribers may request deletion of their data at any time by contacting privacy@hubflora.com or through the account deletion feature in their dashboard.
If you are located in the European Economic Area (EEA) or another jurisdiction with applicable data protection laws, you have the following rights with respect to your personal data: • Right of Access — request a copy of the personal data we hold about you. • Right to Rectification — request correction of inaccurate or incomplete data. • Right to Erasure ("Right to be Forgotten") — request deletion of your personal data where we have no legitimate grounds to continue processing it. • Right to Restriction — request that we restrict processing of your data in certain circumstances. • Right to Data Portability — receive your personal data in a structured, machine-readable format. • Right to Object — object to processing based on legitimate interests or for direct marketing. • Right to Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. • Right to Lodge a Complaint — file a complaint with your local supervisory authority (for EU residents: the data protection authority in your Member State). To exercise any of these rights, please contact us at privacy@hubflora.com. We will respond within 30 days. We may request identity verification before processing your request.
HubFlora implements appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, or access. These measures include: • Encryption of data at rest and in transit (TLS/HTTPS). • Encrypted storage of OAuth access tokens. • Hashing of sensitive identifiers (email, phone) before transmission to third parties. • Role-based access controls within the platform. • Regular security reviews and vulnerability assessments. • Multi-tenant data isolation to prevent cross-account data access. No transmission over the internet or storage system can be guaranteed 100% secure. If you become aware of any security vulnerability related to HubFlora, please report it immediately to security@hubflora.com.
HubFlora is a business-to-business platform not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data without parental consent, we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify Subscribers by email and/or by posting a prominent notice within the platform at least 14 days before the change takes effect. The "Last Updated" date at the top of this policy will always reflect the most recent revision. Continued use of HubFlora after the effective date constitutes acceptance of the updated policy.
For questions, concerns, or to exercise your data rights, please contact: FAST Advanced Technologies LLC Attn: Privacy & Data Protection Tbilisi, Georgia Registration No: 400461399 Email: privacy@hubflora.com For EU residents: if you are unsatisfied with our response, you have the right to lodge a complaint with the supervisory authority of your EU Member State.