Privacy Policy

FLOWSTATE LLC  ·  Effective Date: May 1, 2026  ·  Last Updated: May 4, 2026

1. Who We Are

FLOWSTATE LLC is a limited liability company registered in Washington, DC. We build and operate automated revenue systems for residential solar installation companies in the United States.

Our registered address is: FLOWSTATE LLC, 1717 M Street NW, Ste 1, Washington DC, 20036, USA.

You can reach us at: [email protected]

2. What This Policy Covers

This policy explains how FLOWSTATE LLC handles personal data in two distinct contexts.

The first context is our relationship with our clients. Our clients are solar installation companies. When they sign up, communicate with us, or use our systems, we collect and process data about them and treat them as website visitors when they browse FlowstateRevenue.com.

The second context is our role as a data processor on behalf of those clients. When we operate our revenue systems, we process personal data belonging to our clients' leads and customers. In that context, our clients are the data controllers. We act on their instructions. This distinction matters legally, and we address it explicitly in Section 8.

We aim to apply a uniform privacy standard across all U.S. residents. Where a state law provides rights or protections beyond this baseline, we honor those rights for residents of that state and, where operationally feasible, extend similar controls to all users.

3. Data We Collect

From Clients (Solar Installation Companies)

When a company engages FLOWSTATE, we collect:

  • Business name, address, and contact details
  • Name and contact information of the primary point of contact
  • Billing information (processed via a third-party payment processor — we do not store payment card data ourselves)
  • Communications and correspondence
  • Account activity and usage data within our systems

From Website Visitors

When someone visits FlowstateRevenue.com, we may collect the following categories of data.

Identifiers and device information. IP address, browser type, device type, operating system, and unique device or browser identifiers.

Internet and network activity. Pages visited, time spent on each page, navigation behavior, and referral source.

Geolocation data. General location derived from IP address. We do not collect precise geolocation.

Contact and business information. Name, email address, phone number, and company name, where submitted through a form or voice interaction.

Audio and electronic data. Recordings and transcripts of interactions with our voice AI assistant, where consent has been obtained.

Inferences. Where we link website activity to an existing contact record, we may draw inferences about interest and intent for follow-up purposes.

Website activity linked to known contacts. If you are an existing contact in our systems, we may use cookies or similar technologies to link your website activity to your contact record. This allows us to personalize your experience, such as pre-filling form fields, and to log pages visited and time spent for internal follow-up purposes. This only occurs where a prior relationship or inquiry exists.

Voice AI interactions. Our website includes a voice-based AI assistant. When you interact with this assistant, the conversation may be recorded and transcribed. Where required by applicable law, your consent is obtained before recording begins. A disclosure is provided at the start of each conversation. If you do not consent to recording, you may end the interaction and contact us through another available channel.

Lead and Customer Data (Processed on Behalf of Clients)

When we operate our revenue systems for a client, we process personal data belonging to that client's leads and customers. This data typically includes:

  • Full name
  • Phone number
  • Email address
  • Physical address or service area
  • Property information, including roof type and ownership status
  • Energy profile data, including estimated consumption and utility bill amount
  • Lead qualification responses collected during the sales process
  • Self-reported financing eligibility range, where collected as part of the qualification process
  • Lead source and status history
  • Communication logs generated by our systems

We do not collect this data for our own purposes. We process it solely to perform the services our clients have contracted us to deliver.

FLOWSTATE does not obtain consumer credit reports, act as a lender, mortgage broker, or consumer reporting agency, or make credit eligibility or financing decisions. Any financing-related information collected during qualification reflects what the individual voluntarily disclosed and is used only to determine whether they meet the client's criteria for a solar consultation.

4. Why We Collect Data

Client Data

We use client data to deliver our services, process billing, communicate about the account, comply with legal obligations, and improve our systems based on aggregate non-identifiable usage patterns.

Website Visitor Data

We use visitor data to operate and improve the website, respond to inquiries, personalize the experience for known contacts where applicable, understand how people find and use our site, serve relevant advertising to business visitors, and comply with applicable law.

Lead and Customer Data (Processed on Behalf of Clients)

We process this data only as instructed by our clients and only to deliver the contracted services. This includes sending follow-up messages, booking appointments, requesting reviews, reactivating dormant leads, and facilitating referral requests on behalf of the client.

5. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. Here is what that means in practice.

Strictly necessary cookies keep the site functioning. These cannot be turned off.

Analytics cookies help us understand how visitors use the site. These may include online identifiers such as IP address and device information, depending on configuration.

Personalization cookies may be used to link a returning visitor to an existing contact record in our systems, enabling features such as pre-filled forms and logged browsing activity. This only applies where a prior relationship or inquiry exists.

Marketing and advertising cookies may be placed to serve relevant advertising to business visitors and to measure the effectiveness of our campaigns. These technologies may share limited identifiers and activity data with advertising partners for cross-context behavioral advertising directed at business prospects visiting our website. We do not use marketing cookies or retargeting in connection with lead or consumer data processed on behalf of our clients.

We do not share personal data of website visitors with third parties for those third parties' own direct marketing purposes.

You can control cookie preferences through our cookie preference center when you first visit the site. You can also adjust your browser settings to block or delete cookies at any time. Note that disabling certain cookies may affect how the site works.

Where our systems support it, we honor browser-based opt-out preference signals, including Global Privacy Control, for applicable opt-out rights.

All visitors have the right to opt out of the use of cookies for cross-site tracking, advertising, or behavioral personalization. A "Do Not Sell or Share My Personal Information" link is available on our website for this purpose.

We do not sell personal data. We do not use marketing cookies or share data for advertising purposes in connection with individuals who interact with our systems as leads or customers of our clients.

6. How We Store and Protect Data

We use a set of third-party platforms to store and process data. These fall into the following categories:

  • A CRM and automation platform used for contact management, workflow automation, and system logic
  • A payment processing platform that handles all billing transactions
  • An automation integration platform that connects our internal systems
  • A communications platform used to send and receive SMS messages, emails, voice calls, and WhatsApp messages
  • AI language model providers used to conduct conversations and support automated decision-making within our workflows

All platforms we use are contractually bound to process data only on our instructions and to maintain appropriate security standards. We do not transfer personal data outside of these systems without a legitimate reason.

Security. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure. Access is limited to personnel and systems that require it to deliver our services. No system is completely secure. If we become aware of a data breach affecting your personal data, we will notify affected parties without unreasonable delay and in accordance with applicable law. Where we act as a processor on behalf of a client, we will notify that client promptly so they can fulfill their own notification obligations.

Data retention. We apply the following retention periods:

  • Client data: for the duration of the service relationship and five years afterward
  • Compliance and consent records, including communication logs, opt-out records, and consent documentation: minimum five years, as required under federal telemarketing and communications law
  • Website visitor data: up to 12 months
  • Lead and customer data processed on behalf of clients: no longer than 90 days after the end of the active campaign or service relationship, unless the client requests earlier deletion or applicable law requires otherwise

7. Deletion Requests and Legal Hold

You have the right to request deletion of your personal data. When we receive a verified deletion request, we act on it as quickly as possible and no later than 45 days from receipt.

Some data cannot be deleted immediately because federal or state law requires us to retain it for a defined period. Examples include consent records, opt-out logs, and communication records required for regulatory compliance under the TCPA, CAN-SPAM Act, and FTC Telemarketing Sales Rule.

When a legal retention obligation applies, we do the following:

  • We delete everything we are not legally required to keep
  • We place the remaining data in a restricted state, removed from all active systems, workflows, and reporting
  • We use it for no purpose other than satisfying the specific legal obligation for which it is retained
  • We delete it as soon as the applicable retention period expires

We do not use legal retention as a reason to keep data we do not need. If your deletion request cannot be fully fulfilled because of a legal hold, we will tell you which data we are retaining, why, and when it will be deleted.

8. Lead and Customer Data: Our Role as a Processor

When a solar installer engages FLOWSTATE, they provide us access to their leads and customer database. We contact those individuals on the installer's behalf via phone call, SMS, email, and WhatsApp, depending on the contracted services.

Client responsibility for consent. The installer is responsible for ensuring that all required consents were obtained before providing that data to us. We require clients to represent and warrant that all submitted leads were collected lawfully and that proof of consent can be demonstrated. We reserve the right to request proof of consent and to reject or suspend campaigns where consent is incomplete, outdated, channel-specific, or otherwise insufficient.

How we use the data. FLOWSTATE processes lead and customer data strictly to deliver the contracted services. We do not use it for our own marketing. We do not sell it. We do not share it with other clients. We do not combine it across client accounts except for internal security and aggregate analytics purposes. We do not retain it after the service relationship ends beyond what is required under Section 7.

Outreach model and consent basis. FLOWSTATE does not conduct cold outreach. All contacts reached through our systems have submitted an inquiry or lead form through which prior express written consent for automated outreach was obtained. We do not screen against national or state Do Not Call registries, as our outreach is limited to individuals who have provided verifiable consent for the applicable channels.

Before initiating outreach, we check the client's existing contact records for any Do Not Disturb flags or channel-specific opt-outs. Any such flags are honored before outreach begins on the relevant channel.

For lead reactivation campaigns involving older contact records, clients are required to confirm that consent remains valid, current, and applicable to the intended outreach channels before we begin.

Opt-out mechanisms. Every outreach channel includes a clear opt-out mechanism:

  • SMS: reply STOP to any message. SMS opt-outs are processed automatically where technically supported.
  • Email: use the unsubscribe link in any email. Email opt-outs are honored within 10 business days as required by the CAN-SPAM Act. The unsubscribe mechanism remains functional for at least 30 days after each message is sent.
  • Phone: request removal verbally during any call. Phone opt-out requests are added to the applicable suppression list before any further outreach on that channel.
  • WhatsApp: reply STOP or request removal in any message.

Opt-out requests are processed per channel unless the individual requests removal from all channels. Opt-out records are retained for five years.

AI voice and call recording. Where AI is used to conduct voice calls on behalf of a client, the call will identify the business being represented, disclose that the caller is an automated system, and provide an opt-out option at the start of the interaction. Where required by applicable law, consent is obtained before the call is recorded or transcribed. If you do not consent to recording, you may end the interaction and contact the business through another available channel.

If you are a lead or customer of one of our installer clients and want to stop receiving messages or learn more about how your data is used, contact the installer directly or reach us at [email protected].

9. Your Rights

The following rights apply to all individuals. Where a specific state law grants additional rights, we honor those rights for residents of that state.

Right to know. You can ask what personal data we hold about you, where it came from, why we use it, and with whom it is shared.

Right to correct. You can ask us to fix inaccurate or incomplete data.

Right to delete. You can ask us to delete your personal data. We will do so as described in Section 7, subject only to legal retention obligations.

Right to data portability. You can ask us to provide your personal data in a structured, commonly used format where technically feasible.

Right to opt out of sale or sharing. We do not sell personal data. We do not share personal data from leads or consumers for advertising purposes. We may share limited business visitor data with advertising partners through marketing cookies on our website. You may opt out through our cookie preference center or via the "Do Not Sell or Share My Personal Information" link on our website.

Right to opt out of targeted advertising and profiling. You may opt out of the use of your data for targeted advertising or automated profiling through our cookie preference center or by contacting us directly.

Right to limit use of sensitive personal information. You may direct us to limit the use of your sensitive personal information to what is strictly necessary to deliver the service you requested. Contact us at [email protected] or use the preference link on our website.

Right to human review. Where an automated system has been used to make a qualification decision affecting you, you may request that a human review that decision. To make this request, contact us at [email protected].

Right to appeal. If we decline your privacy request, you may appeal that decision by contacting us at [email protected] and indicating that you are submitting an appeal. We will respond to appeals within 45 days. If your appeal is denied, we will provide an explanation and, where required by applicable law, information about how to submit a complaint to your state attorney general.

Authorized agents. You may designate an authorized agent to submit a request on your behalf. We will require written proof of authorization and may verify your identity directly before acting on the request.

Right to non-discrimination. Exercising any of these rights will not result in denial of service, a different price, or a lower quality of service.

How to submit a request. Contact us at [email protected] with a description of your request. To verify your identity, we will match the information you provide against data we already hold in our systems, such as confirming a verification link sent to your email address on file. We will not ask you to provide more personal information than is reasonably necessary to verify your identity. We will respond within 45 days. If we need more time, we will notify you before that deadline.

10. Sensitive Personal Information

Some data we process on behalf of clients falls into categories that require additional protection under applicable law.

Sensitive personal information under applicable privacy law may include precise geolocation, biometric data, account credentials, government identifiers, health data, racial or ethnic origin, religious beliefs, sexual orientation, children's data, and similar categories. We do not collect these categories in the ordinary course of our services.

High-risk qualification data that we do collect on behalf of clients includes financial information such as utility bill amounts, self-reported financing eligibility ranges, and property-related information such as home ownership status. While not always classified as sensitive personal information under every applicable law, we treat this data with the same level of protection.

This qualification data is used solely to determine whether an individual meets the criteria established by our client for a solar installation consultation. It is used to support a single routing decision in that specific context. We do not use it to build profiles over time, combine it with external data sources, evaluate creditworthiness for any consumer lending or financial purpose, or use it for advertising, targeting, or any purpose beyond the qualification decision it was collected for.

We do not collect biometric identifiers. We do not extract or store voiceprints, facial geometry templates, or any other biometric identifier derived from voice or image data. Voice recordings made during AI-assisted interactions are transcribed for service delivery purposes only and are not processed to identify individuals by their voice or physical characteristics.

11. Automated Decision-Making and AI

Some of the conversations conducted on behalf of our clients, and some of the decisions made within our automated workflows, involve AI systems. This includes AI language models and AI voice agents.

These systems support routing, lead qualification, and appointment scheduling. They do not make decisions that produce legal effects or similarly significant consequences for individuals. The data processed within these systems is subject to the same handling rules described in this policy.

Where AI is used to conduct conversations, the individual is interacting with an automated system. No attempt is made to conceal this. A disclosure is provided before or at the start of each automated interaction.

AI language model providers used within our systems process data only as required to execute the requested task and are bound by their own privacy and security commitments.

Individuals may request human review of any automated qualification outcome as described in Section 9.

12. Our Role as a Service Provider

When we process personal data on behalf of a client, we act as a service provider, contractor, or processor under applicable law. In that capacity, we process personal information only under a written agreement with the client that restricts our use of the data to the contracted business purpose. We do not process client lead data for our own commercial purposes, sell it, or retain it beyond the terms of that agreement.

13. Children's Data

Our services are designed for business use. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.

14. Do Not Track

There is currently no binding federal or state standard requiring websites to honor Do Not Track browser signals. We do not currently alter our data practices in response to Do Not Track signals. We honor Global Privacy Control where our systems support it, as described in Section 5.

15. Third-Party Links

Our website may contain links to external sites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before sharing any personal data with them.

16. Governing Law

This policy is governed by the laws of the District of Columbia, without regard to conflict of law principles. Nothing in this section limits any rights you may have under the laws of the state in which you reside.

17. Changes to This Policy

We may update this policy from time to time. When we do, we will update the date at the top of this page. If we make material changes, we will notify active clients by email at least 30 days before the change takes effect. Continued use of our website or services after the updated policy becomes effective means the updated policy applies going forward. Client contractual obligations are governed by the applicable service agreement.

18. Contact

If you have questions about this policy, want to exercise your rights, want to submit an appeal, or want to request information about our subprocessors, contact us at:

FLOWSTATE LLC

1717 M Street NW, Ste 1
Washington DC, 20036, USA

[email protected]

© Flowstate LLC . All rights reserved.