Privacy Policy
Last updated: February 18, 2026
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, password, company name, and job title when you create an account.
- Profile Information: Profile picture, phone number, timezone, and other optional details.
- Business Data: Contacts, accounts, leads, opportunities, quotes, invoices, tasks, meetings, and any other data you input into BizFlow.
- Payment Information: Billing address and payment method details (processed securely by our payment provider Stripe; we do not store full card numbers).
- Communications: Messages you send us via support, feedback, or contact forms.
1.2 Information Collected Automatically
- Log Data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.
- Device Information: Device type, unique device identifiers, and screen resolution.
- Usage Analytics: Feature usage patterns, click events, and navigation paths to help us improve the Service.
- Cookies: Session cookies and preference cookies (see Section 7 for details).
1.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google.
- Integrations: If you connect third-party services (e.g., email providers, Twilio), we receive data necessary to operate those integrations.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the BizFlow platform and its features.
- Authenticate your identity, manage your account, and enforce access controls.
- Process transactions and send billing-related communications.
- Send transactional notifications (e.g., workflow alerts, SMS notifications, email alerts).
- Provide customer support and respond to your requests.
- Analyze usage patterns to improve performance, fix bugs, and develop new features.
- Detect, prevent, and address security incidents, fraud, and technical issues.
- Comply with applicable laws, regulations, and legal processes.
- Send marketing communications (only with your opt-in consent; you can unsubscribe anytime).
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service you have subscribed to.
- Legitimate Interest: Improving our Service, preventing fraud, ensuring security, and marketing to existing customers.
- Consent: Where you have given explicit consent (e.g., marketing emails, optional cookies).
- Legal Obligation: Where we are required by law to process your data (e.g., tax records, regulatory compliance).
4. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:
- Service Providers: Trusted third parties that help us operate BizFlow, including hosting (Vercel, Supabase), payment processing (Stripe), email delivery providers, and SMS services (Twilio). These providers are contractually bound to protect your data.
- Within Your Organization: Data you enter into BizFlow is accessible to other users within your company workspace as configured by your administrator.
- Legal Requirements: When required by law, subpoena, court order, or to protect our rights, property, or safety.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.
- With Your Consent: When you explicitly authorize us to share data with a third party.
5. International Data Transfers
BizFlow operates globally and your data may be transferred to and processed in countries outside your country of residence, including the United States. Where we transfer data internationally, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on the recipient's participation in recognized frameworks to ensure adequate protection.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/SSL) and at rest (AES-256).
- Secure authentication with bcrypt password hashing and optional OAuth providers.
- Role-based access controls within the application.
- Regular security audits and vulnerability assessments.
- Hosting on infrastructure with SOC 2 compliance (Vercel, Supabase).
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users of any data breach as required by law.
8. Your Rights
8.1 General Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we limit the processing of your data.
- Portability: Receive your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interest or direct marketing.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
8.2 GDPR (EEA/UK Residents)
You have all rights listed above. You also have the right to lodge a complaint with your local data protection authority.
8.3 CCPA (California Residents)
Under the California Consumer Privacy Act, you additionally have the right to:
- Know what personal information is being collected about you.
- Know whether your personal information is sold or disclosed, and to whom.
- Opt out of the sale of your personal information (note: we do not sell personal data).
- Non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@bizflow.com. We will respond within 30 days.
9. Data Retention
We retain your data as follows:
- Active Accounts: Data is retained for the duration of your account and active subscription.
- Account Deletion: Upon request, personal data is deleted within 30 days. Anonymized analytics data may be retained.
- Billing Records: Financial records are retained for 7 years as required by tax and accounting laws.
- Backup Data: Encrypted backups are purged within 90 days of account deletion.
- Legal Holds: Data may be retained longer if required for ongoing legal proceedings or regulatory requirements.
10. Children's Privacy
BizFlow is a business-to-business platform and is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take immediate steps to delete such information. If you believe a child has submitted data to us, please contact us at privacy@bizflow.com.
11. Third-Party Services
BizFlow integrates with or relies on the following third-party services. Each has its own privacy policy:
- Vercel — Hosting and deployment
- Supabase — Database hosting and management
- Stripe — Payment processing
- Google — OAuth authentication
- Twilio — SMS notification delivery
- SMTP Providers — Transactional and marketing email delivery
We encourage you to review the privacy policies of these services. We are not responsible for the privacy practices of third-party services.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting a prominent notice within the Service or by sending you an email. The "Last updated" date at the top indicates when the policy was last revised. Your continued use of BizFlow after any changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
BizFlow Privacy Team
Email: privacy@bizflow.com
Response time: Within 30 days of receiving your request