Privacy Policy
Last updated: 6 July 2026
FLIORE is built for confidentiality. This policy explains what personal data we process, why, where it is hosted, who may access it, and the rights available to individuals. It is provided for transparency and does not replace the Data Processing Agreement (DPA) entered into with each organisation, which prevails in case of conflict.
1. Who is responsible (controller / processor)
FLIORE is operated by Innopulse Consulting GmbH, Gotthardstrasse 30, 6300 Zug, Switzerland (UID CHE-219.727.921). For personal data that an organisation uploads or processes through FLIORE (its mandates, beneficial owners, documents and transactions), the organisation is the data controller and FLIORE acts as its data processor, processing that data only on the organisation's documented instructions. For data we process about our own account holders (name, email, authentication and billing data), FLIORE is the controller.
2. What data we process
As processor, on behalf of an organisation: mandate and entity records; beneficial-owner details (name, date of birth, nationality, PEP status); documents uploaded to the vault; transactions and bank-statement data; screening and risk-assessment results; messages. As controller, for account holders: name, email, hashed authentication factors, locale, role, audit logs, and billing information. We do not intentionally collect special-category data except where an organisation chooses to store it within its own documents.
3. Why we process it (purposes & legal bases)
To provide the service under our contract with the organisation; to secure the platform and prevent abuse (legitimate interest); to meet legal and regulatory obligations; and, for account data, to administer billing. Where required, processing of EU personal data relies on the corresponding GDPR legal bases (contract, legal obligation, legitimate interest). FLIORE does not sell personal data and does not use client data for advertising.
4. Where data is hosted
FLIORE hosts application data and documents on Swiss cloud infrastructure (Supabase, hosted in Zürich, Switzerland), governed by Swiss data-protection law. Where a subprocessor processes limited data outside Switzerland (see the Subprocessors page), that transfer is covered by appropriate safeguards such as EU Standard Contractual Clauses and the Swiss addendum.
5. Subprocessors
FLIORE uses a small set of vetted subprocessors to run the service (hosting, email delivery, payments, and the AI provider). Each is bound by data-protection terms and processes only the data needed for its function. The current list, purpose and location of each is maintained on the Subprocessors page.
6. How data is protected
Mandatory two-factor authentication on every account; row-level security enforcing hard tenant isolation at the database layer, so no organisation can access another's data; encrypted document storage served only through short-lived signed links; message-body encryption; and a full audit trail of security-relevant actions. Access by our personnel is restricted, logged, and used only to operate and support the service.
7. AI and your data
FLIORE AI answers only from a mandate's own data within the organisation and cites the data it draws on. When you ask the assistant a question, the relevant mandate context — which may include beneficial-owner names and PEP flags, asset and liability figures, KYC status and document titles — is sent to the configured AI provider (by default Anthropic; optionally OpenAI or Azure OpenAI) solely to generate that answer. Client data is never used to train models and is not retained by the provider for any other purpose. Each provider is listed on the Subprocessors page. Organisations can disable AI entirely, or bring their own AI key (BYOK) so requests run under their own provider agreement. AI output is advisory: it supports, but does not replace, the responsible person's judgement.
8. Retention
As processor, we retain organisation data for the life of the account and delete or return it after termination in line with the DPA, subject to any retention the organisation must observe (for example, AML record-keeping periods the organisation is legally required to maintain). Account and billing data we hold as controller is retained as required by law. Audit logs are retained to support security and regulatory needs.
9. Rights of individuals
Depending on applicable law (Swiss revFADP and, for individuals in the EU, the GDPR), individuals may request access, correction, deletion, restriction, portability, or object to certain processing. Because most personal data in FLIORE is controlled by the organisation that uploaded it, requests about that data should be directed to the relevant organisation; FLIORE will assist that organisation as processor. For data we control, contact us directly.
10. International transfers
Where personal data is transferred outside Switzerland or the EEA to a subprocessor, we rely on recognised transfer mechanisms (adequacy, EU Standard Contractual Clauses with the Swiss addendum) and apply additional technical measures such as encryption in transit.
11. Changes to this policy
We may update this policy to reflect changes in the service or the law. Material changes will be communicated to account holders. The “last updated” date above always reflects the current version.
12. Contact
Innopulse Consulting GmbH, Gotthardstrasse 30, 6300 Zug, Switzerland — hello@fliore.com.
This page is provided for transparency and general information. It is not legal advice. The Data Processing Agreement and applicable law govern the actual rights and obligations of the parties.
