Is FirmFlow really $29/month with no per-user fees?

Yes! FirmFlow charges a flat monthly fee. The Starter plan is $29/month and Pro is $89/month — both include your entire team with no per-user charges.

Are the e-signatures legally binding?

Yes. FirmFlow uses draw-to-sign with a full audit trail including timestamp, IP address, device info, and signer identity. Meets eIDAS (EU/UK), ESIGN Act (US), and equivalent legislation worldwide.

How does the 14-day free trial work?

Sign up with just your email — no credit card required. Full access to all features for 14 days. Choose a plan at the end or your account is simply paused — no charge.

Yes. Each firm's data is isolated using row-level security. All files are encrypted with AES-256. We offer 2FA, full audit logging, and GDPR-compliant data handling.

What currencies do you support?

FirmFlow supports 10 currencies: GBP, EUR, USD, CHF, CAD, AUD, SEK, NOK, DKK, and PLN. Currency is auto-detected on signup.

⬡ FirmFlow ← Back to home

Privacy Policy

Last updated: 29 March 2026

1. Introduction

FirmFlow Ltd ("FirmFlow", "we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform at www.firmflow.org ("Platform").

We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and other applicable data protection laws.

2. Data Controller

FirmFlow Ltd is the data controller for personal data collected directly through our Platform. For data uploaded by Firm Owners about their Clients, the Firm Owner is the data controller and FirmFlow acts as a data processor on their behalf.

Contact: hello@firmflow.org

3. Data We Collect

3.1 Account Data: Name, email address, password (encrypted), phone number (optional), firm name, role, and billing information.

3.2 Usage Data: IP address, browser type, device information, pages visited, features used, timestamps, and session duration.

3.3 User Content: Documents, invoices, messages, signature data, time entries, and any other content you upload or create on the Platform.

3.4 Communication Data: Emails and messages exchanged with our support team.

3.5 Payment Data: Payment processing is handled by Stripe. We do not store credit card numbers. We may store transaction IDs, invoice amounts, and payment status.

4. How We Use Your Data

We use your data for the following purposes:

(a) To provide, maintain, and improve the Platform and its features.

(b) To process your subscription and billing.

(d) To provide customer support.

(e) To monitor and prevent fraud, abuse, and security threats.

(f) To generate anonymised, aggregated analytics to improve the Platform.

(g) To comply with legal obligations.

We do NOT sell, rent, or share your personal data with third parties for marketing purposes.

5. Legal Basis for Processing (GDPR)

5.1 Contract Performance: Processing necessary to provide the Service you subscribed to (Article 6(1)(b) GDPR).

5.2 Legitimate Interest: Processing for security, fraud prevention, and Platform improvement (Article 6(1)(f) GDPR).

5.3 Consent: Where you have given explicit consent, such as for marketing communications (Article 6(1)(a) GDPR).

5.4 Legal Obligation: Where processing is required by law (Article 6(1)(c) GDPR).

6. Data Sharing

We share data only with the following categories of recipients, solely for the purposes described:

6.1 Supabase (Database and Authentication): Stores your account data and user content. Supabase infrastructure is hosted in the EU/EEA.

6.2 Vercel (Hosting): Hosts and delivers the Platform.

6.3 Stripe (Payments): Processes subscription payments. Stripe is PCI DSS Level 1 certified.

6.4 Resend (Email): Sends transactional emails on our behalf.

6.5 Anthropic (AI): Powers the AI Assistant feature. Only data explicitly sent via the AI chat is processed. No data is stored by Anthropic beyond the request.

We require all third-party processors to have appropriate data processing agreements in place and to comply with GDPR requirements.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we retain data for 30 days to allow for recovery, after which it is permanently deleted. We may retain anonymised, aggregated data indefinitely for analytics. We retain billing records as required by tax law (typically 6 years in the UK).

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including: (a) AES-256 encryption for stored data; (b) TLS/SSL encryption for data in transit; (c) Row-level security ensuring data isolation between firms; (d) Two-factor authentication (2FA) with TOTP and recovery codes; (e) Regular security monitoring and access logging; (f) Principle of least privilege for internal access.

While we take reasonable measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:

Right of Access: Request a copy of the personal data we hold about you.

Right to Rectification: Request correction of inaccurate personal data.

Right to Erasure: Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing: Request that we limit how we use your data.

Right to Data Portability: Receive your data in a structured, machine-readable format.

Right to Object: Object to processing based on legitimate interests.

Right to Withdraw Consent: Where processing is based on consent, withdraw at any time.

To exercise any of these rights, email us at hello@firmflow.org. We will respond within 30 days.

10. International Data Transfers

Some of our service providers may be located outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions.

11. Children

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top indicates when the latest changes were made.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK at ico.org.uk, or your local data protection authority.

14. Contact

FirmFlow Ltd
Email: hello@firmflow.org
Website: www.firmflow.org