Privacy Policy
Vinteract Pty Ltd t/a Floways · ABN: Pending · Last updated: 4 May 2026
1. Who we are
Floways is a product of Vinteract Pty Ltd (ABN: Pending), trading as Floways, headquartered in Adelaide, South Australia. In this Privacy Policy, “Floways”, “we”, “us” and “our” refer to Vinteract Pty Ltd.
We operate Floways - church management software - accessible at floways.com.au and app.floways.co.
Privacy-specific enquiries: privacy@floways.co.
General enquiries: support@floways.co.
2. What this policy covers
This policy explains how we collect, use, store, and share personal information about:
- Church administrators and staff who use Floways
- Congregation members whose data is managed by a church using Floways
- Visitors to floways.com.au
We are bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).
3. Our role: data controller vs data processor
For information about church administrators, staff, and our customer-relationship data, Floways is the data controller.
For information about congregation members whose data is managed by a church using Floways, the church is the data controller, and Floways is the data processor acting on the church's behalf and under the church's instructions.
This distinction matters: a congregation member who wants to access, correct, or delete information held about them in Floways should normally direct that request to their church first. The church can then exercise its rights as the data controller within Floways.
4. Information we collect
From churches (our customers):
- Organisation name, ABN, address, and billing email
- Church administrator names, email addresses, and phone numbers
- Payment and billing information (card details are tokenised by PCI-DSS compliant processors - we never store raw card numbers)
- Subscription, configuration, and usage data
From congregation members (managed by their church):
The church chooses what to record about its members, which may include: member names, contact details, attendance history, giving history, household information, pastoral notes, background check status, children's check-in records, and any other information the church chooses to store.
From website visitors:
- IP address, browser type, and pages visited (via analytics)
- Information submitted through contact or signup forms
- UTM parameters if you arrive from a marketing link
5. How we use your information
We use information to:
- Provide, maintain, improve, and secure the Floways platform
- Process payments and manage subscriptions
- Send transactional emails (account confirmation, invoices, service notifications, security notifications)
- Respond to support requests
- Analyse usage to improve our product
- Meet our legal obligations, including financial recordkeeping and regulatory cooperation
We do not:
- Sell your data to any third party
- Rent, lease, or otherwise commercialise your data
- Use congregation member data for our own marketing
- Use your data to train AI models - neither our own nor any third-party model
- Share your data with advertisers
6. How we store and protect your information
All AU/NZ customer data is stored on AWS cloud infrastructure in Sydney, Australia. We implement industry-standard security measures including encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, audit logging, and regular security reviews.
Each church operates in its own dedicated database - tenants are not co-mingled.
For full details, see our Security page.
7. AI inference and data handling
All AI inference within Floways runs server-side within our own backend boundary in Sydney. Your data is never sent to an AI provider in a way that allows the provider to retain it or use it to train models.
We use a third-party AI inference engine, held to a contractual no-training-on-your-data commitment. The inference is invoked from our infrastructure - not from a browser, not from a third-party app - and the data sent is scoped to the requesting church only. AI features can be disabled at the module or organisation level if you prefer.
8. Third-party service providers
We share data only with service providers necessary to operate Floways:
| Type of provider | Purpose | Region |
|---|---|---|
| Cloud infrastructure provider | Hosting and data storage | Sydney, Australia |
| PCI-DSS Level 1 compliant payment processors | Subscription billing and donation processing | AU domestic and international |
| Transactional email provider | Account and service notifications | TLS-encrypted in transit |
| SMS provider | SMS notifications to church staff and members | AU/global, TLS-encrypted |
| AI inference provider | Server-side AI features (held to no-training-on-customer-data commitment) | TLS-encrypted in transit |
| Error monitoring provider | Application error tracking with PII scrubbed before transmission | TLS-encrypted in transit |
These providers are contractually bound to use your data only for providing services to us, and to meet equivalent data security standards. The named-vendor register is available on request. We will notify customers at least 30 days before any material change to a subprocessor that affects how their data is handled.
9. Cross-border data transfers
Australian and New Zealand customers' data is stored in Sydney, Australia. Where customers in other jurisdictions use Floways, their data is also stored in Sydney unless we agree otherwise in writing.
New Zealand customer data is stored in Sydney with appropriate cross-border safeguards as permitted under the New Zealand Privacy Act 2020.
10. Data retention
We retain your data for as long as your Floways subscription is active.
On termination of your subscription:
- Your data is retained in read-only state for 90 days.
- You are notified at the 30-day and 7-day marks before permanent deletion.
- After 90 days, all data is permanently and irreversibly deleted from active systems.
- Backups containing your data age out on the standard backup-rotation schedule.
You may export your data in JSON or CSV format at any point during the 90-day retention window, at no charge.
11. Your rights
Under the Australian Privacy Act, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Request deletion of your information (subject to our legal obligations)
- Export your data in a machine-readable format (JSON or CSV)
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
To exercise any of these rights, contact us at privacy@floways.co. We will respond within 30 days.
If your information is held in a church's Floways account (i.e. you are a congregation member), the request should normally go to your church first - they are the data controller for their congregation's data.
12. Notifiable data breaches
If a data breach occurs that is likely to result in serious harm to individuals, we comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth):
- We notify the affected church (the data controller) promptly, and in any event no later than 24 hours after we confirm the breach.
- We notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable after our assessment, and in any event no later than 30 days from awareness.
- We coordinate with the church on any required notification to affected individuals within statutory timeframes.
13. Cookies
floways.com.au uses cookies for analytics and to remember your preferences. You may disable cookies in your browser settings. This will not affect your ability to use the Floways application.
14. Changes to this policy
We may update this policy from time to time. We will notify customers of material changes via email at least 30 days before the change takes effect. Continued use of Floways after the effective date constitutes acceptance of the updated policy.
15. Contact
Vinteract Pty Ltd t/a Floways
privacy@floways.co - privacy enquiries
support@floways.co - general enquiries
Adelaide, South Australia, Australia