Overview
Midflow handles operational and personal data across property workflows, communications, and document storage. Clear policies help define user responsibilities, data handling expectations, and service boundaries.
The sections below describe the core legal pages and operational policies that support Midflow's service delivery. They are intended to provide practical clarity for customers, administrators, and end users.
1. Terms of Service
The Terms of Service define the legal agreement between Midflow and each user account.
- Acceptance of terms and legal eligibility.
- Account responsibilities and credential security.
- Permitted use and prohibited activity boundaries.
- Subscription, billing, and payment obligations.
- Suspension, termination, and post-termination treatment.
- Limitation of liability and disclaimers.
- Intellectual property ownership and licensing.
- Governing law and dispute handling approach.
This policy sets expectations for lawful and fair use of the platform and explains how account access may be restricted where terms are breached.
2. Privacy Policy
The Privacy Policy explains what personal data is processed, why it is processed, and the lawful basis used under UK GDPR.
- What data is collected and from which sources.
- How data is used and shared.
- Legal basis for processing under UK GDPR.
- Data retention and deletion windows.
- Cookies and tracking technologies.
- Third-party services and international transfer controls.
- Data subject rights and response channels.
- Privacy contact details and complaint pathways.
Given the nature of Midflow's workflows, this policy is central to transparency, accountability, and lawful data stewardship across agencies and their teams.
4. Acceptable Use Policy
The Acceptable Use Policy protects the platform, customers, and recipients from abuse, spam, and harmful conduct.
- Prohibited use, including unlawful or deceptive activity.
- Spam and unsolicited bulk messaging restrictions.
- No WhatsApp or SMS abuse.
- No harassment, threatening behavior, or illegal content.
- No automated misuse, scraping abuse, or attack traffic.
This policy is important for Midflow due to Twilio messaging, email integrations, bulk communication workflows, and AI automation.
Enforcement measures may include warnings, temporary restrictions, or account suspension where misuse is identified.
5. Data Processing Agreement (DPA)
The Data Processing Agreement defines how personal data is processed between Midflow and agency customers.
- Midflow role as data processor.
- Agency role as data controller.
- GDPR obligations and processing instructions.
- Subprocessor usage and transparency.
- Breach notification and incident handling procedures.
- Deletion and return of personal data upon termination.
This agreement supports GDPR-compliant procurement and provides a clear allocation of controller and processor responsibilities.
6. Security Policy
The Security Policy describes the technical and organisational controls used to protect customer data and system integrity.
- Encryption posture for data at rest and in transit.
- Backup strategy and recovery expectations.
- Access controls and least-privilege standards.
- MFA roadmap and account hardening practices.
- Secure document storage design principles.
- Audit logging and monitoring basics.
Publishing these controls helps customers evaluate operational risk and understand Midflow's approach to resilience and incident preparedness.
7. AI Usage Policy
The AI Usage Policy sets expectations for AI-assisted features, including scope, oversight, and limitations.
- AI may assist with communications and workflow actions.
- Human review may be applied where needed.
- AI outputs can be incomplete or inaccurate.
- No guarantee of AI accuracy or fitness for legal decisions.
- Users must verify critical information independently.
AI features are intended to support efficiency, not to replace professional, legal, or compliance judgement.
8. Communication Consent Policy
The Communication Consent Policy defines lawful outreach and record-keeping requirements for SMS, WhatsApp, and email channels.
- Users must obtain valid recipient consent before outreach.
- Template messaging standards and quality controls.
- WhatsApp 24-hour window constraints where applicable.
- Opt-out and suppression handling requirements.
- User responsibility for legality of uploaded contact data.
This policy supports compliant recipient engagement and reduces legal risk in high-volume messaging workflows.
Midflow-Specific Legal Risk Areas
The following areas require explicit wording across Midflow's legal and operational policies.
- Document storage: certificates, tenancy records, uploaded files, and cloud-sync integrations.
- Messaging systems: Twilio usage, WhatsApp messaging, email sending, and communication logs.
- Third-party integrations: Google, Microsoft, Twilio, OpenAI, and related providers.
- AI processing: automated categorization, message analysis, support automation, and maintenance detail extraction.
- User responsibility: agencies must have lawful authority to upload and process personal data belonging to tenants, landlords, and contractors.
Midflow provides operational tooling, but each agency remains responsible for lawful data collection, communication consent, and regulatory compliance.
