Privacy Policy

Last Updated: January 24, 2025 | Effective Date: January 24, 2025

Introduction

Welcome to Chiflows ("we," "our," or "us"). We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, services, and AI-powered marketing automation platform.

Legal Contact: legal@chiflows.io

Business Name: Chiflows (registration details to be updated upon formal registration)

By using our services, you agree to the collection and use of information in accordance with this Privacy Policy. This policy complies with:

  • GDPR (General Data Protection Regulation) for EU users
  • CCPA (California Consumer Privacy Act) for California residents
  • International data protection standards

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when you:

Account Registration:

  • Email address
  • Full name
  • Password (stored only as a salted bcrypt hash; see Section 5.1)
  • User role and tier preferences

Business Profile Information:

  • Business name
  • Business website URL
  • Contact number
  • Business region/location
  • Industry and business type
  • Current business challenges
  • Ideal customer profile (ICP)
  • Service goals and objectives
  • Pricing tier preference

Get in Touch / Vetting Submissions:

  • How you heard about us
  • Why you're interested in Chiflows
  • Alignment with your values
  • Monthly revenue range
  • Team size
  • Readiness to start

Business Knowledge Base (KB):

  • Company information and background
  • Brand voice and messaging guidelines
  • Product/service descriptions
  • Target audience details
  • Marketing materials and content
  • Business documents (PDFs, etc.)

AI Conversations:

  • Messages sent to our AI assistant
  • Conversation context and history
  • Campaign builder inputs
  • Analytics preferences

Payment Information:

  • Billing email
  • Payment method type (stored securely via Stripe)
  • Transaction history
  • Subscription details

Support Tickets:

  • Support requests and responses
  • Feedback and communications

1.2 Information Collected Automatically

Session and Authentication Data:

  • IP address
  • Device type, browser type, and operating system
  • Login timestamps and session duration
  • Geographic location (city/country level via IP geolocation)
  • Device fingerprints for security purposes

Usage Data:

  • Pages visited and features used
  • Campaign and lead management activities
  • AI assistant usage patterns
  • Time spent on platform
  • Click patterns and navigation flows

Cookies and Similar Technologies:

  • Essential Cookies: Authentication cookies from Supabase (required for login/session management)
  • Functional Cookies: Theme preferences (light/dark mode), language settings
  • Duration: Session cookies expire when you close your browser; persistent cookies remain for up to 1 year

We do not currently use third-party analytics cookies (e.g., Google Analytics), but may implement them in the future with notice and consent options.

1.3 Information from Third Parties

  • Stripe: Payment confirmation and transaction status
  • Mailgun: Email delivery status (sent, opened, bounced)
  • Anthropic (Claude AI): API usage metrics (no conversation content shared beyond processing)
  • Cardano Blockchain: Public wallet addresses and transaction confirmations for crypto payments

2. How We Use Your Information

2.1 Service Delivery

  • Provide access to our AI-powered marketing automation platform
  • Process your campaigns, leads, and CRM activities
  • Personalize AI responses based on your Business Knowledge Base
  • Enable multi-channel outreach (email, social media)
  • Generate analytics and insights dashboards

2.2 Account Management

  • Create and manage your user account
  • Process payments and subscriptions
  • Send transactional emails (password resets, payment confirmations)
  • Verify your identity and prevent fraud
  • Track session activity for security purposes

2.3 Communication

  • Respond to your support requests
  • Send service announcements and updates
  • Process vetting/onboarding applications
  • Notify you of account status changes (approval, tier upgrades)
  • Send marketing communications (with your consent, opt-out available)

2.4 Improvement and Analytics

  • Analyze platform usage to improve features
  • Monitor system performance and reliability
  • Conduct A/B testing for UX improvements
  • Develop new AI capabilities and services

2.5 Legal and Compliance

  • Comply with legal obligations and regulations
  • Enforce our Terms of Service
  • Protect against fraud, abuse, and security threats
  • Resolve disputes and investigate violations

2.6 AI Training and Enhancement

Important: We use Anthropic's Claude AI API. Your conversations and Business KB data are:

  • ✅ Used to generate personalized responses for your account
  • ✅ Sent to Anthropic's API for processing (encrypted in transit)
  • ❌ NOT used to train Anthropic's models (per Anthropic's commercial terms)
  • ❌ NOT shared with other Chiflows users

3. Data Retention

3.1 Standard Retention Periods

We retain your data for as long as necessary to provide services and comply with legal obligations:

Active Accounts:

  • Account data: Retained while account is active
  • Campaign data: 365 days (1 year) by default
  • Lead data: 730 days (2 years) by default
  • AI conversation history: 365 days (1 year)
  • Financial transactions: 7 years (tax/legal compliance)

Closed Accounts:

  • Most data deleted within 30 days of account closure
  • Financial records retained for 7 years (legal requirement)
  • Anonymized usage analytics may be retained indefinitely

3.2 User-Configurable Retention

You can adjust retention periods in your Privacy Settings (/user/account → Privacy tab):

  • Campaign data retention (30-730 days)
  • Lead data retention (30-1095 days)
  • Conversation history retention (30-365 days)

3.3 Backups

Backup copies are retained for 90 days for disaster recovery purposes, then permanently deleted.

4. How We Share Your Information

We do not sell your personal information. We share data only in these limited circumstances:

4.1 Service Providers (Data Processors)

We share data with trusted third parties who process it on our behalf:

Provider   | Purpose                           | Data Shared                           | Location
Supabase   | Database, authentication, storage | All account and business data         | US (AWS)
Mailgun    | Email delivery                    | Email addresses, message content      | US/EU
Anthropic  | AI processing                     | Conversation text, Business KB context| US
Stripe     | Payment processing                | Billing info, payment method          | US/Global
Blockfrost | Cardano blockchain API            | Wallet addresses (public data)        | EU

All providers are contractually required to protect your data and use it only for specified purposes.

4.2 Legal Requirements

We may disclose data when required by law:

  • Court orders, subpoenas, or legal processes
  • Government investigations or regulatory requests
  • Protection of our rights, property, or safety
  • Prevention of fraud or security threats

4.3 Business Transfers

If Chiflows is acquired, merged, or sells assets, your data may be transferred to the new entity. You will be notified via email and given the option to delete your account before transfer.

4.4 With Your Consent

We may share data for other purposes with your explicit consent (e.g., testimonials, case studies).

5. Data Security

We implement industry-standard security measures to protect your data:

5.1 Technical Safeguards

  • Encryption in Transit: TLS 1.3 for all data transmission
  • Encryption at Rest: AES-256 encryption for database storage
  • Password Security: Bcrypt hashing with salt
  • API Security: JWT tokens for authentication, role-based access control (RBAC)
  • Infrastructure: Hosted on secure cloud infrastructure (AWS via Supabase)

5.2 Organizational Safeguards

  • Access Controls: Employees/contractors access data only when necessary for support
  • Admin Oversight: All admin actions are logged and auditable
  • Security Monitoring: Automated alerts for suspicious activity
  • Incident Response Plan: Procedures for breach notification and remediation

5.3 Limitations

No system is 100% secure. While we use best practices, we cannot guarantee absolute security. You are responsible for:

  • Keeping your password confidential
  • Using strong, unique passwords
  • Enabling two-factor authentication (2FA) if available
  • Logging out on shared devices

6. Your Privacy Rights

6.1 Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request deletion of your account and data (subject to legal retention)
  • Export: Download your data in portable format (JSON/CSV)
  • Opt-Out: Unsubscribe from marketing emails (transactional emails cannot be disabled)

6.2 Additional Rights (GDPR - EU Users)

  • Data Portability: Receive your data in machine-readable format
  • Restriction of Processing: Limit how we use your data
  • Object to Processing: Object to data use for marketing or legitimate interests
  • Automated Decision-Making: Right to human review of AI-driven decisions
  • Withdraw Consent: Revoke consent at any time (doesn't affect prior processing)
  • Lodge a Complaint: File a complaint with your local data protection authority

6.3 Additional Rights (CCPA - California Residents)

  • Know What's Collected: Detailed disclosure of data categories (see Section 1)
  • Know What's Shared: Disclosure of data sharing (see Section 4)
  • Delete Personal Information: Request deletion (subject to exceptions)
  • Opt-Out of Sales: We do not sell data, so this doesn't apply
  • Non-Discrimination: We won't discriminate against you for exercising rights

6.4 How to Exercise Your Rights

Email: legal@chiflows.io with subject "Privacy Rights Request"

Or use in-app controls:

  • Account Settings: /user/account → Profile tab (edit data)
  • Privacy Settings: /user/account → Privacy tab (retention, visibility)
  • Data Export: /user/account → Privacy tab → "Export My Data"
  • Delete Account: /user/account → Privacy tab → "Delete Account"

We will respond within:

  • 30 days for general requests
  • 45 days for CCPA requests (with possible 45-day extension)
  • 1 month for GDPR requests (with possible 2-month extension for complex requests)

7. Children's Privacy

Chiflows is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, contact us immediately at legal@chiflows.io, and we will delete it promptly.

8. International Data Transfers

Primary Data Location: United States (Supabase infrastructure on AWS)

EU Users: Your data may be transferred to the US. We rely on:

  • Standard Contractual Clauses (SCCs) with processors
  • Adequacy decisions where applicable
  • Your explicit consent for transfers

Data Protection: All international transfers maintain GDPR-level protection.

9. Cookies and Tracking Technologies

9.1 Cookies We Use

Cookie Type    | Purpose                          | Duration       | Can Disable?
Authentication | Supabase session management      | Session/1 year | ❌ No (required for login)
Preferences    | Theme, language settings         | 1 year         | ✅ Yes (resets preferences)
Security       | CSRF protection, fraud detection | Session        | ❌ No (security critical)

9.2 Future Analytics (Not Yet Implemented)

We may implement Google Analytics 4 in the future for:

  • Page view tracking
  • User journey analysis
  • Conversion funnel optimization

When implemented, you will be able to:

  • Opt-out via browser Do Not Track (DNT) settings
  • Opt-out via in-app Privacy Settings
  • Use browser extensions (e.g., uBlock Origin)

9.3 Managing Cookies

Browser Controls: Most browsers allow you to refuse cookies via settings

  • Chrome: Settings → Privacy → Cookies
  • Firefox: Preferences → Privacy → Cookies
  • Safari: Preferences → Privacy

Impact of Blocking: Disabling essential cookies will prevent login/core functionality.

11. AI and Automated Decision-Making

11.1 AI Features

We use Anthropic's Claude AI for:

  • Personalized marketing campaign suggestions
  • Lead qualification scoring (values alignment, budget fit)
  • Automated message generation
  • Business insights and analytics

11.2 Human Oversight

Critical Decisions with Human Review:

  • Account approval/rejection (admin vetting process)
  • Payment disputes and refunds
  • Account suspensions or terminations

Automated Decisions (No Human Review by Default):

  • Lead scoring (you can manually override)
  • AI conversation responses (you control prompts)
  • Campaign recommendations (suggestions only, you approve)

11.3 Your Rights

You have the right to:

  • Understand AI Logic: Request explanation of how AI decisions are made
  • Human Review: Request human review of automated decisions that significantly affect you
  • Opt-Out: Disable AI features in Account Settings (may limit functionality)

12. Data Breach Notification

In the event of a data breach affecting your personal information:

We will notify you within:

  • 72 hours for GDPR-covered breaches
  • Without undue delay for other jurisdictions

Notification will include:

  • Nature of the breach (what data was affected)
  • Potential consequences
  • Measures we've taken to mitigate harm
  • Steps you can take to protect yourself

How we'll notify you:

  • Email to your registered address
  • In-app notification banner
  • Public notice on our website (if large-scale)

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • New features or services
  • Legal or regulatory changes
  • Improved data practices

When we make changes:

  • "Last Updated" date at the top will change
  • Material changes: You'll receive email notification 30 days before effective date
  • Minor changes: Posted on website; continued use implies acceptance

Your options:

  • Review changes and continue using services
  • Contact us with questions
  • Delete your account if you disagree

14. Contact Us

For privacy questions, concerns, or rights requests:

Email: legal@chiflows.io
Subject Line: "Privacy Inquiry - [Your Name]"

Response Time: Within 7 business days for general inquiries; faster for rights requests per Section 6.4

15. Definitions

  • Personal Information/Data: Information that identifies, relates to, or could reasonably be linked to you
  • Processing: Any operation performed on data (collection, storage, use, disclosure, deletion)
  • Data Controller: Chiflows (we decide why and how data is processed)
  • Data Processor: Third parties who process data on our behalf (e.g., Supabase, Mailgun)
  • Cookies: Small text files stored on your device by websites
  • Service: Chiflows platform, website, and all related features

16. Your California Privacy Rights (CCPA Supplement)

16.1 Information We Collect (Last 12 Months)

Category          | Examples                            | Collected? | Sold? | Shared?
Identifiers       | Name, email, IP address             | ✅ Yes     | ❌ No | ✅ Service providers only
Commercial Info   | Purchase history, subscription tier | ✅ Yes     | ❌ No | ✅ Stripe for payments
Internet Activity | Browsing, clicks, usage patterns    | ✅ Yes     | ❌ No | ✅ Supabase for hosting
Geolocation       | City/country from IP                | ✅ Yes     | ❌ No | ❌ No
Professional Info | Business name, industry             | ✅ Yes     | ❌ No | ✅ Service providers only
Inferences        | Lead scores, preferences            | ✅ Yes     | ❌ No | ❌ No

We do NOT sell personal information.

16.2 Business Purpose for Collection

  • Provide marketing automation services
  • Process payments
  • Improve AI features
  • Comply with legal obligations

16.3 How to Exercise CCPA Rights

Email legal@chiflows.io with:

  • "CCPA Rights Request" in subject line
  • Your full name and email address
  • Description of request (access, delete, know, etc.)

Verification: We'll verify your identity via email confirmation or additional authentication.

Authorized Agents: You may designate an agent to submit requests; we'll require proof of authorization.

17. Your European Privacy Rights (GDPR Supplement)

17.1 Legal Basis for Processing

We process your data under these legal bases:

Processing Activity             | Legal Basis
Account creation and management | Contract (necessary to provide services)
Payment processing              | Contract
Marketing emails                | Consent (opt-in required, opt-out available)
Security monitoring             | Legitimate Interest (fraud prevention)
AI feature improvements         | Legitimate Interest (balanced with your rights)
Legal compliance                | Legal Obligation (e.g., tax records)

17.2 Data Protection Officer (DPO)

Contact: legal@chiflows.io (DPO designation to be formalized upon registration)

17.3 Right to Lodge Complaint

You may file a complaint with your local supervisory authority.

Acknowledgment

By using Chiflows, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please discontinue use immediately and contact us to delete your account.

Questions or Concerns?

For privacy questions, rights requests, or concerns, please contact us:

Email: legal@chiflows.io
Subject Line: "Privacy Inquiry - [Your Name]"
Response Time: Within 7 business days