FlowMetrics Pro — Privacy Policy

Last Updated: 2026-03-15
Effective Date: 2026-03-15
Version: 1.0


VistaSysTech ("Company," "we," "us," or "our") operates FlowMetrics Pro, a workforce management platform that provides HR management, payroll processing, employee monitoring, KPI tracking, and project management services (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use our Service, including our web application, desktop application, mobile application, and browser extension.

This Privacy Policy applies to all users of the Service worldwide, with specific provisions for users located in the United States, Canada, Australia, and New Zealand as detailed in the regional sections below.


Table of Contents

  1. Definitions
  2. Information We Collect
  3. How We Collect Information
  4. How We Use Information
  5. Data Retention
  6. Data Storage and Security
  7. Data Sharing and Disclosure
  8. Employee Monitoring Disclosure
  9. Your Rights and Choices
  10. Regional Privacy Provisions
  11. Children's Privacy
  12. International Data Transfers
  13. Changes to This Privacy Policy
  14. Contact Us

1. Definitions

  • "Organization" means the company or entity that subscribes to FlowMetrics Pro and manages employees through the Service.
  • "Administrator" means a user with administrative access to manage the Organization's account, including Owner, Admin, and HR Manager roles.
  • "Employee User" or "Monitored User" means an individual whose work activities are tracked through the Service as directed by the Organization.
  • "Personal Information" or "Personal Data" means any information that identifies, relates to, or could reasonably be linked to a particular individual.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, modification, disclosure, or deletion.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data (typically the Organization).
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller (VistaSysTech, when processing employee data on behalf of the Organization).

2. Information We Collect

2.1 Account and Organization Information

When an Organization registers for FlowMetrics Pro, we collect:

  • Organization details: Company name, business address, industry, timezone, company logo
  • Administrator account details: Full name, email address, phone number, job title, role within the organization
  • Billing information: Payment method details (processed and stored by our payment processor, Stripe — we do not store full credit card numbers)

2.2 Employee Profile Information

When Administrators add employees to the Service, the following information may be collected:

  • Full name, email address, phone number
  • Job title, designation, department assignment
  • Employee identification number
  • Date of hire, employment status
  • Profile photograph
  • Facial biometric data (for face enrollment verification, Professional and Enterprise plans only — collected with explicit consent)

2.3 Attendance and Time Data

  • Clock-in and clock-out timestamps
  • Attendance records and history
  • Attendance correction requests and approvals
  • Leave requests, approvals, and leave balance history
  • Shift assignments and schedules
  • Timesheet entries and approvals
  • Device identifiers used for attendance (attendance device IDs)

2.4 GPS and Location Data (Mobile App)

When the mobile application is installed and location permissions are granted:

  • Real-time GPS coordinates during work hours for location tracking purposes
  • Location history and timeline data showing movement patterns during work periods
  • Geofence entry and exit events for automated clock-in/out based on proximity to defined work locations
  • Geofence boundary definitions (set by Administrators — these are organizational data, not personal data)

Important: Location tracking is only active during designated work hours as configured by the Organization. Location data is not collected outside of work hours or when the employee is clocked out, unless the Organization has configured continuous tracking and the employee has been notified.

2.5 Screenshot and Screen Monitoring Data

The FlowMetrics Pro desktop application captures periodic screenshots of the employee's screen during work hours:

| Plan | Capture Frequency | Image Quality | Resolution |
|---|---|---|---|
| Free | Every 30 minutes | Low | 720p |
| Starter | Every 10 minutes | Medium | 1080p |
| Professional | Every 5 minutes | High | 1080p+ |
| Enterprise | Every 1 minute | High | 1080p+ |

What screenshots may contain: Screenshots capture the entire visible screen content at the time of capture. This may include application windows, documents, web pages, email content, messaging conversations, and any other visible content. Screenshots may inadvertently capture personal information displayed on screen.

Employee visibility: Employees can view their own captured screenshots through the "My Screenshots" section of their self-service portal. The Service is designed for transparent monitoring — employees are always aware that screenshot capture is active.

2.6 Application and Website Usage Data

On Professional and Enterprise plans, the desktop application and browser extension collect:

  • Application usage: Names of applications used, duration of use, active/idle time per application
  • Website and URL tracking: URLs visited during work hours, time spent on each website, page titles
  • AI-powered classification: Each application and website is automatically classified as Productive, Neutral, or Distractive using AI-based analysis
  • Activity timeline: Hour-by-hour breakdown of employee activity during the workday
  • Idle time detection: Periods of keyboard and mouse inactivity

2.7 Cloud File Activity Data (Professional and Enterprise Plans)

The browser extension detects file operations on 85+ cloud services:

  • Upload detection: When files are uploaded to cloud storage services (Google Drive, Dropbox, OneDrive, and others)
  • Download detection: When files are downloaded from cloud storage and web services
  • File audit trail (Enterprise only): Comprehensive logging of all file operations including file names, service names, timestamps, and user identifiers

Important: We detect file operation events (upload/download activity) but do not access, read, copy, or store the contents of the files themselves.

2.8 Payroll and Compensation Data

On Starter, Professional, and Enterprise plans:

  • Salary structure and components (base pay, allowances, deductions)
  • Salary template assignments
  • Payroll processing records and payment history
  • Payslip data
  • Bonus calculations and distribution records
  • Tax-related information as configured by the Organization

2.9 Performance and KPI Data (Professional and Enterprise Plans)

  • Key Performance Indicator (KPI) definitions and targets
  • KPI scores and performance metrics
  • Performance trend data and historical comparisons

2.10 AI-Generated Data

  • AI-generated daily work summaries for employees
  • AI-generated team reports for managers
  • AI-powered productivity insights and workforce analytics
  • AI-based application classification scores

2.11 Technical and Usage Data

  • IP address, browser type, operating system, device type
  • Log data (access times, pages viewed, actions taken within the Service)
  • System activity logs and audit logs
  • Desktop application version, browser extension version, mobile app version
  • WebSocket connection data (desktop app to browser extension communication)
  • Error reports and crash logs

2.12 Gamification Data

  • Points earned, achievement badges, level progression
  • Leaderboard rankings
  • Activity-based reward calculations

3. How We Collect Information

| Collection Method | Data Collected | User Action Required |
|---|---|---|
| Direct input | Account info, employee profiles, payroll data | User manually enters data |
| Desktop application | Screenshots, app usage, activity data, idle time | Runs in background during work hours |
| Browser extension | URL tracking, cloud file upload/download detection | Runs in background in the browser |
| Mobile application | GPS location, geofence events, clock-in/out | Requires location permission grant |
| Attendance devices | Clock-in/out timestamps, device identifiers | Employee interacts with physical device |
| Face enrollment | Facial biometric data | Employee voluntarily enrolls |
| AI processing | App classification, daily reports, insights | Automated processing of collected data |
| Automated systems | Technical logs, error reports, system events | Automatic — no user action required |

4. How We Use Information

We process Personal Information for the following purposes:

4.1 Service Delivery

  • Providing workforce management, HR, payroll, monitoring, KPI, and project management functionality
  • Processing payroll and generating payslips
  • Tracking attendance, leave, and shift schedules
  • Capturing and displaying screenshots for productivity monitoring
  • Tracking and displaying GPS location data for field workforce management
  • Generating AI-powered reports and insights
  • Operating gamification features (points, levels, leaderboards)

4.2 Service Improvement

  • Analyzing aggregated, de-identified usage patterns to improve the Service
  • Training and improving AI classification models (using aggregated, anonymized data only)
  • Identifying and fixing bugs, errors, and performance issues

4.3 Communication

  • Sending in-app and email notifications related to the Service (leave approvals, attendance alerts, system notifications)
  • Sending account-related communications (billing, plan changes, security alerts)
  • Responding to support requests

4.4 Security and Compliance

  • Maintaining audit logs for security and compliance purposes
  • Detecting and preventing unauthorized access, fraud, or abuse
  • Enforcing our Terms of Service
  • Complying with applicable laws, regulations, and legal processes
  • Responding to lawful requests from government authorities

5. Data Retention

5.1 Screenshot and Monitoring Data Retention

Screenshot data and monitoring records are retained based on the Organization's subscription plan:

| Plan | Screenshot Retention | Data Retention |
|---|---|---|
| Free | 7 days | 7 days |
| Starter | 30 days | 30 days |
| Professional | 90 days | 90 days |
| Enterprise | 365 days (1 year) | 365 days (1 year) |

After the retention period expires, screenshot images and associated monitoring data are automatically and permanently deleted through an automated cleanup process.

5.2 GPS and Location Data Retention

GPS location data, location timeline history, and geofence event logs follow the same retention schedule as the Organization's plan (7 days to 365 days). Location data is permanently deleted after the applicable retention period.

5.3 HR, Payroll, and Employee Records

  • Employee profile data: Retained for as long as the employee is active in the Organization's account, plus 30 days after removal to allow for reactivation.
  • Payroll records and payslips: Retained for the duration of the Organization's active subscription, plus 7 years after account closure (or as required by applicable tax and employment laws).
  • Leave and attendance records: Retained for the duration of the Organization's active subscription, plus 2 years after account closure.

5.4 Account Data

  • Organization account data: Retained for the duration of the active subscription, plus 90 days after account closure to allow for reactivation.
  • After the 90-day grace period: All Organization data, including employee records, screenshots, monitoring data, payroll records, and all associated data, is permanently and irreversibly deleted.

5.5 Audit Logs and System Logs

  • Audit logs (Professional and Enterprise): Retained for the duration of the plan's data retention period.
  • System activity logs: Retained for 90 days for operational purposes.

5.6 Data Deletion Requests

Organizations may request early deletion of their data at any time by contacting us at [email protected]. We will process deletion requests within 30 days, subject to any legal obligations that require us to retain certain data.


6. Data Storage and Security

6.1 Where Data Is Stored

| Data Type | Storage Provider | Location |
|---|---|---|
| Application data (employee records, attendance, payroll, KPIs, projects) | MongoDB Atlas | Cloud infrastructure (see Data Infrastructure document for details) |
| Screenshot images | Backblaze B2 Cloud Storage | Cloud infrastructure |
| Cache and session data | Redis | Cloud infrastructure |
| Payment and billing data | Stripe (PCI DSS Level 1 certified) | Stripe's secure infrastructure |

6.2 Security Measures

We implement the following security measures to protect your data:

  • Encryption in transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Encryption at rest: All data stored in our databases and object storage is encrypted at rest using AES-256 encryption
  • Access controls: Role-based access control (RBAC) within the application. Internal access to production systems is restricted to authorized personnel with MFA
  • Authentication: Secure password hashing, session management, and optional Single Sign-On (SSO) for Enterprise plans
  • Monitoring: Automated security monitoring, intrusion detection, and alerting on our infrastructure
  • Backups: Regular encrypted backups of all application data
  • Vendor security: All third-party service providers (MongoDB Atlas, Backblaze B2, Stripe) maintain their own security certifications and compliance programs

For full details on our security practices, please see our Security Page and Data Infrastructure Document.


7. Data Sharing and Disclosure

7.1 We Do NOT Sell Personal Information

We do not sell, rent, or trade Personal Information to third parties for their marketing purposes. We have never sold Personal Information and have no plans to do so.

7.2 Sharing Within the Organization

Employee data is shared with authorized users within the employee's Organization based on role-based access:

| Role | Access Scope | What They Can See |
|---|---|---|
| Owner / Admin | Full organization | All employee data, monitoring, payroll, reports |
| HR Manager | Full organization | Employee data, payroll, leave — no alerts or role management |
| Manager | Their department only | Team monitoring, reports, leave approvals — department-scoped |
| Employee | Self only | Own dashboard, attendance, screenshots, salary slips, KPIs |

7.3 Third-Party Service Providers

We share data with the following categories of service providers who process data on our behalf:

| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure (MongoDB Atlas, Backblaze B2, Redis) | Data storage and hosting | All application and screenshot data (encrypted) |
| Payment processing (Stripe) | Subscription billing | Billing contact info, payment method (we never see full card numbers) |
| AI processing (Google Gemini API) | AI-generated reports, app classification | Anonymized or pseudonymized activity data for AI analysis |
| Email delivery | Transactional emails and notifications | Email addresses, notification content |

All service providers are bound by data processing agreements and are required to protect data in accordance with this Privacy Policy.

We may disclose Personal Information if required to do so by law, regulation, or legal process, including:

  • In response to a valid subpoena, court order, or government request
  • To protect the rights, property, or safety of VistaSysTech, our users, or the public
  • To enforce our Terms of Service
  • In connection with a merger, acquisition, or sale of assets (with prior notice to affected users)

7.5 Aggregated and De-Identified Data

We may use and share aggregated, de-identified data that cannot reasonably be used to identify any individual for purposes such as industry benchmarking, research, and Service improvement. This data is not considered Personal Information.


8. Employee Monitoring Disclosure

8.1 Transparency Commitment

FlowMetrics Pro is designed as a transparent monitoring platform. We believe that effective workforce management is built on trust, not secrecy. Our transparency principles:

  1. Employees are always informed that monitoring is active. The desktop application displays a visible indicator when screenshot capture and activity tracking are running.
  2. Employees can view their own data. Every monitored employee has access to a self-service portal where they can see their own screenshots, attendance records, activity data, daily reports, and KPI scores.
  3. No hidden or covert monitoring. The Service does not offer keystroke logging, webcam recording, email content reading, or any form of covert surveillance.
  4. Clear scope of monitoring. The Organization defines when monitoring occurs (work hours, specific shifts) and the monitoring features are disclosed to employees.

8.2 What We Monitor vs. What We Do NOT Monitor

| We Monitor | We Do NOT Monitor |
|---|---|
| Periodic screenshots of the visible screen | Keystroke logging or keyboard input recording |
| Application names and usage duration | Content of files, documents, or emails (we see app names, not content) |
| Website URLs visited during work hours | Personal device activity (only the enrolled work device) |
| GPS location during work hours (mobile) | Location outside of work hours (unless configured and disclosed) |
| Cloud file upload/download events | Contents of uploaded/downloaded files |
| Idle time (keyboard/mouse inactivity) | Audio or video recording |
| Clock-in/out times and attendance | Personal messaging content |

8.3 Employer Responsibilities

The Organization (employer) using FlowMetrics Pro is the Data Controller for employee data and is responsible for:

  1. Informing employees about the use of FlowMetrics Pro and the specific monitoring activities enabled, before monitoring begins
  2. Obtaining any required consent under applicable local laws before activating monitoring features
  3. Creating and distributing a workplace monitoring policy that describes what data is collected, why, and how it is used
  4. Ensuring lawful use of the Service in compliance with all applicable employment, privacy, and data protection laws in their jurisdiction
  5. Configuring appropriate monitoring levels — the Organization chooses which features to enable and the scope of monitoring

VistaSysTech provides the technology platform; the Organization determines how it is used. We strongly recommend that all Organizations consult with legal counsel in their jurisdiction before implementing employee monitoring.


9. Your Rights and Choices

9.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the Personal Information we hold about you
  • Correction: Request that we correct inaccurate or incomplete Personal Information
  • Deletion: Request deletion of your Personal Information, subject to legal retention requirements
  • Data portability: Request your data in a structured, commonly used, machine-readable format
  • Withdraw consent: Where processing is based on consent, withdraw your consent at any time
  • Object: Object to processing of your Personal Information in certain circumstances
  • Complaint: Lodge a complaint with a relevant supervisory authority

9.2 How to Exercise Your Rights

  • Employee Users: Contact your Organization's administrator first. Your employer (the Organization) is the Data Controller for your employment data. If your employer is unable to fulfill your request, or if your request relates to data we control, contact us directly.
  • Organization Administrators: Use the in-app settings to manage, export, or delete data. For requests that cannot be handled through the app, contact us.
  • All Users: Email us at [email protected] with the subject line "Privacy Rights Request."

We will respond to all verified requests within 30 days (or within the timeframe required by applicable law, if shorter).

9.3 Account and Data Controls

| Control | How to Use |
|---|---|
| Disable screenshot monitoring | Organization Admin can disable screenshot capture per employee or organization-wide in Settings |
| Disable location tracking | Employees can revoke location permissions on their mobile device. Organization Admin can disable GPS tracking in Settings. |
| Disable app/web tracking | Organization Admin can disable application and website tracking in Settings |
| Export data | Organization Admin can export attendance records, payroll data, and reports via the Reports section |
| Delete account | Organization Owner can request full account deletion via Settings > Subscription or by contacting support |

10. Regional Privacy Provisions

10.1 United States

California (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of Personal Information we have collected, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your Personal Information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate Personal Information.
  • Right to Opt-Out of Sale: We do not sell Personal Information. No opt-out is necessary.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive Personal Information to what is necessary for the Service.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Categories of Personal Information collected (CCPA categories):

| CCPA Category | Examples from FlowMetrics Pro | Sold? |
|---|---|---|
| Identifiers | Name, email, employee ID | No |
| Employment-related information | Job title, department, salary, attendance | No |
| Internet or network activity | App usage, website URLs, activity logs | No |
| Geolocation data | GPS coordinates, geofence events | No |
| Biometric information | Facial data (face enrollment) | No |
| Visual information | Screenshots | No |
| Inferences | AI-generated productivity scores, app classifications | No |

Sensitive Personal Information: We may collect precise geolocation data, facial biometric data, and financial information (payroll). These are used solely to provide the Service and are not used for profiling or advertising.

To exercise your rights, email [email protected] or call [toll-free number to be added] with the subject "CCPA Request."

Other U.S. States

Several U.S. states have enacted employee monitoring notification laws. We support our customers' compliance with these laws by:

  • Providing visible monitoring indicators in the desktop application
  • Offering employee self-service access to their own monitored data
  • Providing this Privacy Policy as a disclosure document

Organizations are responsible for complying with state-specific notification requirements, including but not limited to:

  • Connecticut: Requires written notice to employees about electronic monitoring (Conn. Gen. Stat. § 31-48d)
  • Delaware: Requires notice of monitoring of telephone, email, and internet usage (Del. Code tit. 19, § 705)
  • New York: Requires written notice and posted acknowledgment for electronic monitoring (N.Y. Civ. Rights Law § 52-c)
  • Texas, Illinois, and other states: Various notification and consent requirements

We recommend that Organizations consult local legal counsel to ensure compliance with applicable state laws.

10.2 Canada (PIPEDA and Provincial Laws)

If you are located in Canada, your Personal Information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (e.g., PIPA in Alberta and British Columbia, or Quebec's Law 25).

Our commitments under PIPEDA:

  1. Accountability: VistaSysTech is responsible for Personal Information in our possession or under our control. Our Privacy Officer can be contacted at [email protected].

  2. Identifying Purposes: We identify the purposes for collecting Personal Information at or before the time of collection, as described in Sections 2 and 4 of this Policy.

  3. Consent:

    • Organizations (employers) provide consent for the collection and processing of employee data when they subscribe to the Service and configure monitoring features.
    • Organizations are responsible for obtaining and managing employee consent in accordance with Canadian law.
    • For sensitive information (biometric data, precise location), explicit consent is obtained at the point of collection.

  4. Limiting Collection: We collect only the Personal Information necessary for the identified purposes. Monitoring features are configurable — Organizations can disable features they do not need.

  5. Limiting Use, Disclosure, and Retention: Personal Information is used and disclosed only for the purposes for which it was collected, as described in this Policy. Data is retained according to the schedules in Section 5.

  6. Accuracy: We provide tools for Organizations and employees to review and correct Personal Information through the Service's self-service portal.

  7. Safeguards: We protect Personal Information with security measures appropriate to the sensitivity of the information, as described in Section 6.

  8. Openness: This Privacy Policy and our related documents are publicly available and describe our data practices in detail.

  9. Individual Access: Individuals may request access to their Personal Information by contacting their Organization's administrator or by contacting us directly.

  10. Challenging Compliance: Individuals may challenge our compliance with these principles by contacting our Privacy Officer at [email protected]. Complaints may also be directed to the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.

Quebec Law 25 (applicable to Quebec residents):

  • We conduct privacy impact assessments for high-risk processing activities.
  • We provide privacy notices in French for Quebec-based users upon request.
  • We support data portability rights in a structured, commonly used format.

Employee Monitoring in Canada: Canadian privacy law requires that employee monitoring be reasonable, proportionate, and transparent. We support compliance by providing employee access to their own data, configurable monitoring levels, and clear disclosure tools. Organizations must inform employees of monitoring before it begins and document the business purpose.

10.3 Australia (Privacy Act 1988 and Australian Privacy Principles)

If you are located in Australia, your Personal Information is protected under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Our commitments under Australian law:

  1. APP 1 — Open and transparent management: This Privacy Policy describes our data practices. We make it freely available on our website.

  2. APP 2 — Anonymity and pseudonymity: Where practicable, individuals may deal with us without identifying themselves. However, the nature of workforce management services requires identification of employees.

  3. APP 3 — Collection of solicited Personal Information: We collect only Personal Information that is reasonably necessary for our functions and activities. We collect sensitive information (biometric, location) only with consent.

  4. APP 4 — Unsolicited Personal Information: If we receive Personal Information that we did not solicit, and it is not reasonably necessary for our functions, we will destroy or de-identify it.

  5. APP 5 — Notification of collection: We notify individuals of the matters required by APP 5 through this Privacy Policy and the Organization's monitoring disclosure.

  6. APP 6 — Use or disclosure: We use and disclose Personal Information only for the primary purpose for which it was collected, or for a directly related secondary purpose that would be reasonably expected.

  7. APP 7 — Direct marketing: We do not use employee Personal Information for direct marketing. We may send service-related communications to Organization Administrators.

  8. APP 8 — Cross-border disclosure: See Section 12 (International Data Transfers). We take reasonable steps to ensure that overseas recipients of Personal Information comply with the APPs.

  9. APP 9 — Government identifiers: We do not adopt, use, or disclose government-related identifiers (such as Tax File Numbers) as our own identifiers.

  10. APP 10 — Quality of Personal Information: We take reasonable steps to ensure Personal Information is accurate, complete, and up-to-date. We provide tools for correction through the Service.

  11. APP 11 — Security: We take reasonable steps to protect Personal Information from misuse, interference, loss, unauthorized access, modification, and disclosure. See Section 6.

  12. APP 12 — Access: Individuals may request access to their Personal Information. We will respond within 30 days.

  13. APP 13 — Correction: Individuals may request correction of inaccurate Personal Information.

Workplace Surveillance in Australia:

Employee monitoring in Australia is subject to state and territory legislation in addition to the Privacy Act. Key legislation includes:

  • New South Wales: Workplace Surveillance Act 2005 — requires 14 days' written notice before commencing surveillance
  • Australian Capital Territory: Workplace Privacy Act 2011 — requires written surveillance policy
  • Other states and territories: May have specific notification requirements

Organizations using FlowMetrics Pro in Australia are responsible for:

  • Providing employees with written notice of monitoring at least 14 days before it begins (NSW) or as required in their state/territory
  • Maintaining a workplace surveillance policy
  • Ensuring monitoring is limited to work-related purposes
  • Consulting with relevant industrial relations frameworks (e.g., Fair Work Act 2009)

Notifiable Data Breaches (NDB) Scheme: In the event of an eligible data breach that is likely to result in serious harm, we will notify the Organization (as the Data Controller), the Office of the Australian Information Commissioner (OAIC), and affected individuals as required by Part IIIC of the Privacy Act.

Complaints: Individuals may lodge a complaint with us at [email protected]. If unsatisfied with our response, complaints may be directed to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

10.4 New Zealand (Privacy Act 2020)

If you are located in New Zealand, your Personal Information is protected under the Privacy Act 2020 and the Information Privacy Principles (IPPs).

Our commitments under New Zealand law:

  1. IPP 1 — Purpose of collection: We collect Personal Information only for a lawful purpose connected with our function (providing workforce management services) and where the collection is necessary for that purpose.

  2. IPP 2 — Source of Personal Information: We collect Personal Information directly from the individual concerned wherever possible. Where information is collected from the Organization (employer), we ensure individuals are notified.

  3. IPP 3 — Collection of information from the individual: When collecting Personal Information directly, we inform the individual of the purpose, intended recipients, and their rights through this Privacy Policy and in-app notices.

  4. IPP 4 — Manner of collection: We collect Personal Information in a manner that is lawful, fair, and not unreasonably intrusive. Our monitoring is transparent — employees can see their own data.

  5. IPP 5 — Storage and security: We protect Personal Information with reasonable security safeguards. See Section 6.

  6. IPP 6 — Access to Personal Information: Individuals may request access to their Personal Information. We will respond within 20 working days.

  7. IPP 7 — Correction of Personal Information: Individuals may request correction of inaccurate Personal Information.

  8. IPP 8 — Accuracy: We take reasonable steps to ensure Personal Information is accurate before use.

  9. IPP 9 — Retention: We retain Personal Information only for as long as necessary for the purpose for which it was collected. See Section 5.

  10. IPP 10 — Use limitation: We use Personal Information only for the purpose for which it was collected, or a directly related purpose.

  11. IPP 11 — Disclosure limitation: We disclose Personal Information only as described in Section 7.

  12. IPP 12 — Cross-border disclosure: Before disclosing Personal Information to an overseas recipient, we ensure they are subject to comparable privacy protections or that the individual authorizes the disclosure. See Section 12.

  13. IPP 13 — Unique identifiers: We do not assign unique identifiers to individuals unless necessary for our functions.

Privacy Breach Notification: In the event of a privacy breach that poses a risk of serious harm, we will notify the Privacy Commissioner and affected individuals as required by Part 6 of the Privacy Act 2020.

Employee Monitoring in New Zealand:

New Zealand privacy law emphasizes proportionality and fairness. Organizations using FlowMetrics Pro in New Zealand should:

  • Inform employees about monitoring before it begins
  • Limit monitoring to what is proportionate and necessary for legitimate business purposes
  • Consider the impact on employee privacy and wellbeing
  • Maintain a clear workplace monitoring policy
  • Consult with employees or their representatives before introducing monitoring

The Employment Relations Act 2000 and common law obligations of good faith also apply to the introduction of workplace monitoring.

Complaints: Individuals may lodge a complaint with us at [email protected]. If unsatisfied with our response, complaints may be directed to the Office of the Privacy Commissioner at www.privacy.org.nz.


11. Children's Privacy

FlowMetrics Pro is a workplace management platform designed for use by organizations and their employees. The Service is not intended for use by individuals under the age of 16 (or the applicable age of majority for employment in the relevant jurisdiction). We do not knowingly collect Personal Information from children.

If we become aware that we have collected Personal Information from a child under 16, we will take steps to delete such information promptly.


12. International Data Transfers

As FlowMetrics Pro serves customers in multiple countries, Personal Information may be transferred to and processed in countries other than the country in which it was collected.

When we transfer Personal Information across borders, we ensure appropriate safeguards are in place:

  • Contractual protections: Data processing agreements with all service providers that include data protection obligations
  • Security measures: Encryption in transit and at rest for all cross-border data transfers
  • Provider compliance: Our infrastructure providers (MongoDB Atlas, Backblaze B2, Stripe) maintain their own compliance certifications and cross-border transfer mechanisms

For Australian users: We take reasonable steps under APP 8 to ensure that overseas recipients of Personal Information handle it in accordance with the Australian Privacy Principles. By using our Service, the Organization acknowledges and consents to the transfer of employee data to overseas servers as necessary to provide the Service.

For New Zealand users: We ensure that Personal Information disclosed to overseas recipients is subject to comparable privacy protections as required by IPP 12. We use contractual safeguards (data processing agreements) with all overseas service providers.

For Canadian users: We ensure that Personal Information transferred outside of Canada is protected by contractual or other means providing a comparable level of protection as required by PIPEDA.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this Policy
  • We will notify Organization Administrators via email and/or in-app notification at least 30 days before material changes take effect
  • We will post the updated Privacy Policy on our website
  • For material changes that affect employee monitoring practices, we will provide Organizations with advance notice to allow them to inform their employees

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes.


14. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Privacy Officer
VistaSysTech
Email: [email protected]
Website: www.flowmetricspro.com/privacy

For data subject access requests: [email protected] (subject line: "Privacy Rights Request")

For data breach reports: [email protected]

For general support: [email protected]

Response times:

  • Privacy rights requests: Within 30 days (20 working days for New Zealand)
  • Data breach notifications: Within 72 hours of confirmation
  • General privacy inquiries: Within 10 business days

This Privacy Policy is provided in English. If there is a conflict between any translated version and the English version, the English version shall prevail.


VistaSysTech FlowMetrics Pro Privacy Policy v1.0 Effective: 2026-03-15