Privacy Policy

BOBBY Privacy Policy

This policy applies to your use of BOBBY's products and services in any way. Before using BOBBY products or services, please read carefully and thoroughly understand this policy, and use related products or services after confirming your full understanding and consent. Once you start to use BOBBY products or services, it means that you have fully understood and agreed to this policy. If the products or services provided by BOBBY are used in the products or services of our affiliated companies but there is no independent privacy policy, this policy also applies to those products or services.

FLOW AI PTE. LTD. ("Bobby", "we", "us" or "our") provides an AI-powered application that helps you turn your investment views into structured, cross-asset analysis (the "Service"). This Privacy Policy describes how we process personal information that we collect through the Bobby mobile apps (iOS and Android) and related websites (collectively, the "Service").

FLOW AI PTE. LTD. is a Singapore company, with its registered address at 2 Venture Drive, #11-31, Vision Exchange, Singapore 608526. Our products and services are distributed by Waffo.com Limited, an authorised distributor, located at RM 1903, 19/F Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong.

Bobby and RockFlow are separate. Bobby and RockFlow operate independent account systems. Bobby does not open brokerage accounts, perform identity verification (KYC), hold your funds, or execute trades on its own systems. Where Bobby displays or acts on brokerage data (such as your holdings or trading records), it does so only after you separately authorize access to your RockFlow account, and that data originates from and is controlled by RockFlow. See "Linking your RockFlow account" below.

NOTICE TO EUROPEAN USERS: Please see the Notice to European users section for additional information for individuals located in the European Economic Area or United Kingdom (which we refer to as "Europe", and "European" should be understood accordingly) below.

Index

Information you provide and that we collect
How we use your information
How we share your information
Linking your RockFlow account
Retention
Your choices
Other sites and services
Security
International data transfers
Children
Changes to this Privacy Policy
How to contact us
Addendum
- Notice to European users
- Notice to users in the State of California
- Notice to Singapore users
- Notice to users in other jurisdictions

Information you provide and that we collect

Information you provide to us. Depending upon the context in which you interact with us, personal information you may provide to us through the Service includes:

Account data, such as the email address or mobile phone number you use to register and sign in (you can use either), and the verification records used to confirm that the email or phone number belongs to you. We also store a display name and avatar, which may be generated by default. Bobby accounts use passwordless sign-in, so we do not collect or store an account login password.
Inputs, prompts and user-generated content, such as the investment views and prompts you submit to Bobby (your "thesis"), your conversations and conversation history with Bobby, the positions you take on cards within the Service (for example, agreeing or disagreeing with a "Worth a Take" card), and the files you upload for portfolio analysis ("Portfolio X-ray") — including screenshots, PDF or CSV files that may contain your holdings or account statements — together with the analysis results and reports we generate from them and associated metadata.
Communications data, based on our exchanges with you, including when you contact our customer support.
Transactional data, such as information relating to or needed to complete your subscriptions on or through the Service, including subscription type and transaction history.
Payment data needed to complete transactions is collected and processed directly by our authorised distributor, Waffo.com Limited, as further described below in the "How we share your information" section.
Other data, not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

We ask that you not provide us with any sensitive personal information (e.g., government ID or passport numbers, tax identification numbers, information related to racial or ethnic origin, political opinions, religious or other beliefs, health, biometric or genetic information, or similar data) on or through the Service or otherwise. Note that files you choose to upload for portfolio analysis may contain account or financial details — please review files before uploading and remove anything you do not wish to share.

For clarity, the Service does not collect: facial or other biometric data; government-issued identity documents; tax identification numbers or tax-residency details; nationality, date of birth, or residential address; brokerage know-your-customer (KYC) information; your contacts; microphone audio; precise geolocation; or calendar data.

Third-party sources. We may combine personal information we receive from you with personal information that we obtain from other sources, such as:

Third-party login/linked services, such as Apple or Google, that you use to log into, or otherwise link to, your Service account. This data may include an account identifier and the email address associated with your account on that third-party service, based on your settings on that service.
Third-Party AI Providers. Parts of the Service are integrated with third-party AI model providers ("Third-Party AI Providers") that help generate outputs (i.e., responses) to your inputs and prompts. These providers process the content you submit only to generate outputs for you, and not to train their models on your content.
At your direction — RockFlow. Where you authorize us to do so, we access certain data from your RockFlow brokerage account in order to provide brokerage-related features. We only access the categories of data you authorize. See "Linking your RockFlow account" below for the details and your controls.
Service providers that provide services on our behalf or help us operate the Service or our business.

Automatic data collection. We and our service providers may automatically log information about you, your device, and your interaction over time with the Service, such as:

Device data, such as your device's operating system type and version, manufacturer and model, app version, language and time-zone settings, unique device identifiers, and general network information.
Online activity data, such as the screens you view, how long you spend on a screen, navigation paths, the features you use, the actions you take, and access times and duration.
Log and connection data, such as IP address and session information used to keep you signed in.
Push notification tokens, if you enable notifications, so that we can send you alerts such as briefs and account messages.

Cookies and similar technologies. Some of the automatic collection described above may be facilitated by cookies and similar technologies, primarily on our websites. You can manage cookies through your browser settings; blocking some cookies may affect certain features.

How we use your information

We may use your personal information for the following purposes or as otherwise described at the time of collection:

Service delivery and operations. We may use your personal information to:

provide the Service;
transmit your inputs, prompts, conversations, and uploaded files to our Third-Party AI Providers for processing and to receive outputs, as necessary to fulfil your requests;
establish and maintain your user profile and authenticate you;
generate and store your conversations and portfolio analysis reports;
provide brokerage-related features through your authorized RockFlow connection;
enable security features of the Service;
communicate with you about the Service, including by sending verification codes, security alerts, briefs and other notifications, and support and administrative messages; and
provide support for the Service, and respond to your requests, questions and feedback.

Service personalization. We may use your personal information to understand your interests, personalize your experience with the Service, and remember your selections and preferences.

Service improvement and analytics. We may use your personal information to analyze how the Service is used, improve the Service, and develop new features. We do not use your inputs, prompts, conversations, or uploaded content to train or improve artificial-intelligence models, and the Third-Party AI Providers we use process your inputs only to generate outputs for you and not to train their models on your content.

Compliance and protection. We may use your personal information to comply with applicable laws, lawful requests, and legal process; to protect our, your or others' rights, privacy, safety or property; to enforce the terms that govern the Service; and to prevent, identify, investigate and deter fraudulent, harmful, unauthorized or illegal activity.

To create aggregated, de-identified and/or anonymized data. We may create aggregated, de-identified and/or anonymized data from personal information and use it for our lawful business purposes, including to analyze and improve the Service.

Further uses. In some cases, we may use your personal information for further uses, in which case we will ask for your consent if those uses are not compatible with the purpose for which the information was collected.

How we share your information

We may share your personal information with the following parties and as otherwise described in this Privacy Policy or at the time of collection:

Our corporate parent, subsidiaries, and affiliates, who may help provide and operate the Service and who are bound by this Privacy Policy.
Service providers. Third parties that provide services on our behalf or help us operate the Service or our business, such as cloud hosting and content delivery, information technology, customer support, analytics, and email/SMS delivery.
Third-Party AI Providers. We use Third-Party AI Providers to power certain aspects of the Service, such as processing your inputs and prompts to generate outputs.
Authorised distributor — Waffo.com Limited. Our products and services are distributed by Waffo.com Limited, an authorised distributor, located at RM 1903, 19/F Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong. Any payment information you use to complete a subscription on the Service is collected and processed directly by Waffo.com Limited, which may use payment data in accordance with its own privacy policy.
RockFlow. In connection with the account-linking and brokerage features you authorize. RockFlow is an independent party that controls your brokerage data under its own privacy policy.
Third parties designated by you. We may share your personal information with third parties where you have instructed us or provided your consent to do so.
Linked third party services. If you log into the Service with, or link your Service account to, a third party service such as Apple or Google, we may share your personal information with that service, whose use will be governed by its own privacy policy.
Professional advisors, such as lawyers, auditors and insurers, where necessary in the course of the professional services they render to us.
Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
Business transferees. We may disclose personal information in the context of an actual or prospective corporate transaction (e.g., investment, financing, or the sale, transfer or merger of all or part of our business or assets), subject to this Privacy Policy.

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising or other third-party targeted-advertising purposes.

Linking your RockFlow account

Some Bobby features (such as portfolio diagnosis and trading) rely on data and capabilities that belong to your RockFlow brokerage account. Because Bobby and RockFlow are separate, independent account systems, these features work only if you choose to link the two.

How linking works. When you use a feature that needs brokerage capabilities, or when you tap the link entry on your account page, Bobby sends an authorization request and directs you to RockFlow. You sign in to (or register with) RockFlow directly, review the access you are granting, and confirm. RockFlow then returns an authorization result to Bobby. Whether you currently have a RockFlow account, and the entire account-opening and KYC process, are handled on RockFlow's side — Bobby does not perform them and does not receive your RockFlow password.

What you authorize. When you authorize, you grant Bobby ongoing permission to access your RockFlow brokerage data so that we can provide the related features. Specifically, Bobby may view your holdings and asset data, view your transaction history, and place trades on your behalf — with each trade still requiring your confirmation within Bobby. Authorization grants ongoing access rather than a one-time snapshot, so if you authorize before opening a brokerage account, Bobby can read your data once you later open one. To maintain the connection, we store the access and refresh credentials (tokens) returned to us; we never receive your RockFlow login password.

Roles. With respect to the brokerage data accessed in this way, RockFlow is an independent controller of that data, and its handling of your data is governed by RockFlow's own privacy policy. Bobby processes the data it retrieves to provide the features you request.

Your control — unlinking. You can unlink your RockFlow account at any time in Bobby's settings. When you unlink, the connection is released, and we delete the holdings and transaction data we previously retrieved (analysis reports already generated are retained, as described in "Retention"). You may then link a different RockFlow account if you wish. If your RockFlow account is closed on RockFlow's side, the corresponding link is automatically invalidated.

Retention

We generally retain personal information to fulfil the purposes for which we collected it, and to satisfy any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period, we may consider factors such as the amount, nature, and sensitivity of the personal information, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements. When the retention period expires, we delete the information or render it anonymous.

Note the following concerning particular data:

Conversations and inputs. You can delete conversation content through your account, and you can close your account. After you close your account, we will delete or anonymize your personal information in accordance with applicable law.
Brokerage data after unlinking. If you unlink your RockFlow account, we delete the holdings and transaction data we previously retrieved from RockFlow. Portfolio analysis reports that have already been generated are retained, because they form part of your own content within Bobby and no longer reflect live brokerage data.

Your choices

Access or update your information. If you have registered for an account, you may review and update certain account information by logging into the account.
Delete your content. You can delete conversation content through your account.
Close your account. You can delete your Bobby account in the app under Settings → Account → Delete Account; we will then delete or anonymize your personal information in accordance with applicable law.
Unlink RockFlow. You can unlink your RockFlow account at any time, as described in "Linking your RockFlow account".
Notifications. You can control push notifications through your device settings.
Linked third party platforms. If you connect to the Service through your Apple or Google account, you may use your settings with that platform to limit the information we receive. If you revoke our access, that choice will not apply to information we have already received.
Declining to provide information. We need to collect certain personal information to provide the Service. If you do not provide information we identify as required, we may not be able to provide those features.

Other sites and services

The Service may contain links to, or integrate with, websites and online services operated by third parties (including RockFlow, Waffo.com Limited, and third-party login providers). These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control these services and are not responsible for their actions. We encourage you to read their privacy policies.

Security

We employ technical, organizational and physical safeguards designed to protect the personal information we collect against loss, misuse, and unauthorized access, disclosure, alteration or destruction. Despite commercially reasonable safeguards, no method of online or email transmission or storage is fully secure. Please help protect your account by keeping your sign-in details secure, and contact us promptly if you believe your account has been compromised.

International data transfers

We are headquartered in Singapore and may use service providers that operate in other countries. Your personal information may therefore be transferred to, stored in, or processed in countries other than the one in which you live, where data-protection laws may differ from those in your jurisdiction. Where we transfer personal information across borders, we take steps designed to ensure it receives an appropriate level of protection — for example, transferring to countries recognized as providing adequate protection, putting in place standard contractual clauses or other approved safeguards with the recipient, or relying on a permitted exception such as your consent.

Users in Europe should read the important information provided below about the transfer of personal information outside of Europe.

Children

The Service is not intended for use by anyone under 18 years of age, and we do not knowingly collect personal information from children. If you are a parent or guardian and believe we have collected information from a child in a manner prohibited by law, please contact us, and we will comply with applicable legal requirements to delete the information.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the date of this Privacy Policy and posting it on the Service or by other appropriate means. Any modifications will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). Your continued use of the Service after the changes take effect means you accept the updated policy.

How to contact us

If you have any questions, comments, or requests regarding this Privacy Policy or your personal information, please contact us at:

Email: cs@bobby.ai
Entity: FLOW AI PTE. LTD., 2 Venture Drive, #11-31, Vision Exchange, Singapore 608526
Distributor: Waffo.com Limited, RM 1903, 19/F Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong
Website: https://bobby.ai/

Addendum

Notice to European users

General

Where this Notice to European users applies. The information provided in this "Notice to European users" section applies only to individuals in the United Kingdom and the European Economic Area (i.e., "Europe" as defined at the top of this Privacy Policy).

Personal information. References to "personal information" in this Privacy Policy should be understood to include a reference to "personal data" (as defined in the GDPR) — i.e., information about individuals who are either directly identified or can be identified.

Controller. FLOW AI PTE. LTD. is the controller in respect of the processing of your personal information covered by this Privacy Policy for purposes of European data protection legislation (i.e., the EU GDPR and the so-called 'UK GDPR' (as and where applicable, the "GDPR")). See the "How to contact us" section above for our contact details.

RockFlow. With respect to the brokerage data accessed through your authorization, RockFlow acts as an independent controller. For questions about, or to exercise your rights over, that data, please contact RockFlow.

Our legal bases for processing. In respect of each of the purposes for which we use your personal information, the GDPR requires us to ensure that we have a "legal basis" for that use. Our legal bases are:

Consent. We process information for certain purposes only when you have given us your consent to do so.
Contractual Necessity. Where we need to perform a contract we are about to enter into, or have entered into, with you.
Legitimate Interests. Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
Compliance with Law. Where we need to comply with a legal or regulatory obligation.

Purpose	Categories of personal information involved	Legal basis
Service delivery and operations (incl. AI processing of inputs, RockFlow features)	Account data; inputs and content; transactional data; payment data; device data; data from third-party services	Contractual Necessity
Security	Account data; device data; log and connection data	Compliance with Law; Legitimate Interests (ensuring the security and proper operation of the Service)
Service improvement and analytics	Account data; device data; online activity data; inputs and content	Legitimate Interests (providing and improving the Service); Consent (for any optional analytics)
Compliance and protection	Any data relevant in the circumstances	Compliance with Law; Legitimate Interests
To create aggregated, de-identified and/or anonymized data	Any data relevant in the circumstances	Legitimate Interests (ensuring the Service operates as intended)
Further uses	Any data relevant in the circumstances	The original legal basis, if the further use is compatible; otherwise Consent

Your rights. European data protection laws give you certain rights regarding your personal information. You may ask us to:

Access — provide information about, and access to, your personal information.
Correct — update or correct inaccuracies in your personal information.
Delete — delete your personal information where there is no good reason for us to continue processing it.
Transfer — transfer a machine-readable copy of your personal information to you or a third party of your choice.
Restrict — restrict the processing of your personal information.
Object — object to our processing of your personal information where we rely on Legitimate Interests.
Withdraw Consent — where we use your personal information based on your consent, you may withdraw it at any time.

Exercising these rights. You may submit requests by email to cs@bobby.ai. We may request specific information to help confirm your identity and process your request. If we reject a request, we will let you know our grounds for doing so, subject to legal restrictions.

Your right to lodge a complaint with your supervisory authority. If you are not satisfied with our response or how we process your personal information, you can make a complaint to the data-protection regulator in your habitual place of residence. For users in the EEA, see https://edpb.europa.eu/about-edpb/about-edpb/members_en. For users in the UK, contact the Information Commissioner's Office (Water Lane, Wycliffe House, Wilmslow — Cheshire SK9 5AF; https://ico.org.uk/make-a-complaint/).

Data processing outside Europe. Where we share your personal information with parties based outside Europe, we try to ensure a similar degree of protection by relying on one of the following: transfers to territories with an adequacy decision recognized by the European Commission or UK Government (as applicable); or, where there is no adequacy decision, appropriate safeguards such as standard contractual clauses approved by the relevant authorities, or in limited circumstances a permitted derogation such as your explicit consent. You may contact us at cs@bobby.ai for further information or a copy of the relevant safeguards.

Notice to users in the State of California

This section applies to individuals in the State of California and, where applicable, to our provision of the Service that is subject to the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"). We collect the categories of personal information described above for the business purposes described in this Privacy Policy, and we disclose personal information to service providers and contractors under written contracts that restrict their use of the information.

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA.

Subject to applicable law, California residents have the right to know and access the personal information we collect, to request its deletion, to request correction of inaccurate personal information, and not to be discriminated against for exercising these rights. To exercise these rights, contact us at cs@bobby.ai. We may need to verify your identity before responding.

Notice to Singapore users

This section applies to individuals in Singapore and is subject to the Personal Data Protection Act 2012 (PDPA) and its regulations and guidelines.

FLOW AI PTE. LTD. is a company incorporated in Singapore, acts as data controller, and is responsible for the collection, use, and disclosure of your personal data as described in this Privacy Policy. If a notifiable data breach occurs, we will notify the Personal Data Protection Commission (PDPC) and affected individuals where required, within the timelines prescribed by law. When transferring personal data outside Singapore, we ensure that the recipient provides a standard of protection comparable to the PDPA.

Notice to users in other jurisdictions

Depending on where you live, you may have additional rights under local data-protection laws, such as the right to access, correct, or delete your personal information. To exercise any such rights, please contact us at cs@bobby.ai, and we will respond as required by applicable law.