Privacy Policy


Effective Date: 11-1-2025

Last Updated: 11-1-2025


1. Introduction

Realflow.ai ("Realflow," "RealflowCloud," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at realflow.ai (the "Site") and when you use our Software-as-a-Service (SaaS) platform (the "Service").

This Privacy Policy applies to all users, including:

  • Website Visitors: Individuals browsing our Site
  • SaaS Subscribers: Organizations and individuals who subscribe to our Service
  • End Users: Individuals who interact with workflows, forms, links, or documents created through our Service

Please read this Privacy Policy carefully. By accessing or using our Site or Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.


2. Information We Collect

2.1 Information You Provide Directly

Website Visitors:

  • Contact information (name, email address, phone number, address) when you submit inquiries or sign up for our mailing list
  • Account registration information (username, password, company name)
  • Communications with us (support requests, feedback)
  • Signup survey results

SaaS Subscribers:

  • Account credentials (username, email, password)
  • Billing information (credit card details, billing address) processed through third-party payment processors
  • Organization details (company name, tax ID, billing contact)
  • User profile information (name, role, department)
  • Workflow configurations and MCP service definitions you create
  • SQL queries, data transformations, and business logic you define
  • Connection credentials for third-party services you integrate (stored encrypted)

End Users (Interacting with Shared Links):

  • Form submissions and survey responses
  • Email addresses or phone numbers provided for notification purposes
  • Data submitted through workflows requiring human approval or input
  • Files uploaded through workflow forms

2.2 Information Collected Automatically

Usage Data:

  • IP addresses
  • Browser type and version
  • Device information (type, operating system)
  • Pages visited, time spent, and navigation paths
  • Referring/exit pages
  • Date and time stamps
  • Clickstream data

Service Usage Analytics:

  • Workflow execution logs (timestamps, success/failure status, execution duration)
  • MCP and API calls and connector usage
  • Realflow.studio usage patterns
  • Feature usage patterns
  • Performance metrics
  • Error logs and debugging information

Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to:

  • Maintain user sessions
  • Remember preferences
  • Analyze usage patterns
  • Provide personalized experiences
  • Support security features

You can control cookies through your browser settings, but disabling cookies may limit functionality.

2.3 Information from Third-Party Sources

  • Authentication data from single sign-on (SSO) providers
  • Data retrieved through connectors you configure (e.g., CRM data, database records)
  • Payment verification from payment processors
  • Lead generation data from marketing partners (with consent)

3. How We Use Your Information

3.1 Primary Purposes

We use collected information to:

Provide and Maintain Services:

  • Operate and maintain the Realflow platform
  • Execute workflows and MCP and API services you create
  • Process human-in-the-loop approvals and pauses
  • Generate and deliver shared links with expiration dates
  • Create reports, forms, and zip file packages
  • Send SMS and email notifications as configured in your workflows
  • Store workflow state
  • Manage connection credentials securely through HashiCorp Vault encryption keys
  • Apply double envelope encryption with master key rotation

Improve and Optimize:

  • Analyze platform performance and usage patterns
  • Develop new features and enhancements
  • Troubleshoot technical issues
  • Optimize workflow execution efficiency
  • Test and improve fuzzy matching algorithms

Communicate:

  • Send service-related notifications
  • Respond to inquiries and support requests
  • Provide workflow status updates
  • Send billing and account information
  • Deliver marketing communications (with consent)

Security and Compliance:

  • Authenticate users and prevent fraud
  • Monitor for security threats
  • Enforce Terms of Service
  • Comply with legal obligations
  • Conduct audits and investigations

Business Operations:

  • Process payments and manage subscriptions
  • Track usage for billing purposes
  • Conduct research and analysis
  • Generate anonymized statistics

3.2 Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), UK, or Switzerland, we process personal data based on:

  • Contract Performance: Processing necessary to provide the Service
  • Legitimate Interests: Improving our Service, security, and business operations
  • Consent: Marketing communications and optional features
  • Legal Obligations: Compliance with applicable laws

4. Data Storage and Security

4.1 Storage Infrastructure

Multi-Cloud Architecture:

  • Azure: Database and configuration layer storage
  • DigitalOcean: Execution environment hosting
  • S3-Compatible Storage: Workflow state checkpoints and file storage

Data is stored in secure data centers with:

  • Physical security controls
  • Network security measures
  • Access controls and authentication
  • Regular security audits

Data Locations:

  • Primary data storage: United States
  • Backup and redundancy: Multiple geographic regions
  • Execution environments: May vary based on subscription tier but defaults to US East

4.2 Security Measures

We implement industry-standard security measures:

Encryption:

  • Data in transit: TLS 1.2 or higher
  • Data at rest: AES-256 encryption
  • Connection strings: Encrypted using HashiCorp Vault
  • Database credentials: Encrypted at application and storage layers

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) available
  • Session management and timeout policies
  • Audit logging of administrative actions

Application Security:

  • Regular security assessments
  • Vulnerability scanning
  • Penetration testing
  • Secure development practices
  • SQL-92 parser with injection prevention

Workflow Security:

  • Isolated execution environments
  • Sandboxed connector operations
  • Secure handling of pause/resume states
  • Expiration enforcement on shared links

4.3 Data Retention

Account Data:

  • Active accounts: Retained while subscription is active
  • Canceled accounts: Retained for 90 days, then deleted
  • Billing records: Retained for 7 years for legal compliance

Workflow Data:

  • Execution logs: Retained for 90 days
  • Checkpoints: Retained while workflow is active, then 30 days
  • User-generated content: Retained according to your settings or until deletion

Shared Link Data:

  • Active until expiration date or manual deletion
  • Expired links: Data deleted within 30 days of expiration
  • Form submissions: Retained according to workflow configuration

You may request deletion of your data at any time by contacting us.


5. Information Sharing and Disclosure

5.1 We Share Information With:

Service Providers:

  • Cloud hosting providers (Azure, DigitalOcean)
  • Payment processors
  • Email and SMS delivery services
  • Analytics providers
  • Customer support tools
  • Security and monitoring services

All service providers are contractually bound to protect your data and use it only for specified purposes.

Third-Party Integrations: When you configure connectors to third-party services (CRMs, databases, APIs), data flows according to your workflow configuration. You control what data is shared with these services.

Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred. You will be notified of any such change.

Legal Requirements: We may disclose information when required by law or to:

  • Comply with legal processes
  • Respond to government requests
  • Enforce our Terms of Service
  • Protect rights, property, or safety
  • Prevent fraud or illegal activity

5.2 We Do Not:

  • Sell your personal information to third parties
  • Share your data with advertisers without consent
  • Use your workflow data to train AI models without permission
  • Access your connection credentials (encrypted at rest)

6. Shared Links and End User Privacy

6.1 Links Generated by Workflows

Realflow allows subscribers to create workflows that generate shareable links for:

  • Forms and surveys
  • Document downloads (reports, zip files)
  • Approval workflows
  • Status update pages

Link Features:

  • Configurable expiration dates
  • Optional authentication requirements
  • SMS and email delivery options
  • Usage tracking (view counts, submission times)

6.2 End User Data Collection

When end users interact with shared links:

  • We collect only the information necessary for workflow execution
  • Data is processed according to the subscriber's workflow configuration
  • We act as a data processor on behalf of the subscriber
  • Subscribers are responsible for providing privacy notices to their end users

6.3 End User Rights

If you received a shared link from a Realflow subscriber:

  • The subscriber (not Realflow) is the data controller
  • Contact the subscriber for privacy questions or data requests
  • You may contact us if you cannot reach the subscriber
  • Links expire based on subscriber configuration

7. Your Rights and Choices

7.1 Access and Control

You have the right to:

  • Access: Request copies of your personal information
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your account and data
  • Portability: Export your workflow configurations and data
  • Restriction: Limit how we process your information
  • Objection: Object to certain processing activities

7.2 Subscriber Controls

SaaS subscribers can:

  • Manage user access and permissions
  • Configure data retention policies
  • Export workflow data and configurations
  • Delete workflows and associated data
  • Control shared link expiration settings
  • Manage connection credentials

7.3 Communication Preferences

You can opt out of:

  • Marketing emails (via unsubscribe link)
  • Non-essential notifications (account settings)
  • Newsletter subscriptions

You cannot opt out of service-related communications (security alerts, billing notices, workflow status updates).

7.4 Cookie Management

Control cookies through:

  • Browser settings
  • Third-party opt-out mechanisms

8. Children's Privacy

Realflow is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it immediately. Please contact us if you believe we have inadvertently collected such information.


9. International Data Transfers

Realflow is based in the United States. If you access our Service from outside the U.S., your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

For EEA, UK, and Swiss Users: We rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent for transfers

We implement appropriate safeguards to protect your information in accordance with applicable law.


10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

10.1 Right to Know

Request information about:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties who receive information
  • Specific pieces of personal information collected

10.2 Right to Delete

Request deletion of personal information we collected from you, subject to certain exceptions.

10.3 Right to Opt-Out

We do not sell personal information. If our practices change, we will provide an opt-out mechanism.

10.4 Right to Correct

Request correction of inaccurate personal information.

10.5 Right to Limit Use of Sensitive Information

Request limits on use of sensitive personal information.

10.6 Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

10.7 Authorized Agent

You may designate an authorized agent to make requests on your behalf.

To Exercise California Rights:

  • Email: privacy@realflow.ai
  • Phone: 3153599198

We will respond within 45 days.


11. Virginia, Colorado, Connecticut, and Utah Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have rights under state privacy laws including:

  • Right to confirm whether we process your personal data
  • Right to access your personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising, sale of data, or profiling

To exercise these rights, contact us at privacy@realflow.ai.


12. European Privacy Rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

12.1 Your Rights

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making and profiling

12.2 Data Controller and Processor Roles

  • For Website Visitors and Direct Subscribers: Realflow is the data controller
  • For End Users of Shared Links: The subscriber is the data controller; Realflow is the data processor

12.3 Legal Bases

We process your data based on:

  • Contract performance
  • Legitimate interests
  • Legal obligations
  • Your consent

12.4 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority.

Contact for GDPR Matters: Data Protection Officer: dpo@realflow.ai


13. Data Processing Addendum (DPA)

For SaaS subscribers who are data controllers under GDPR or other privacy laws, we offer a Data Processing Addendum (DPA) that includes:

  • Standard Contractual Clauses
  • Security obligations
  • Sub-processor lists
  • Data breach notification procedures
  • Audit rights

Contact legal@realflow.ai to execute a DPA.


14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services

Notification of Changes:

  • Material changes: Email notification to registered users
  • Minor changes: Updated "Last Updated" date
  • Effective date of changes clearly stated

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

Version History: Previous versions available upon request.


15. Contact Information

For privacy-related questions, concerns, or requests:

General Privacy Inquiries: Email: privacy@realflow.ai

Data Protection Officer (GDPR): Email: dpo@realflow.ai

California Privacy Rights: Email: privacy@realflow.ai

Mailing Address: RealflowCloud, Inc.
620 W 42nd St.
S-28a
New York, NY 10036

Response Time: We aim to respond to all privacy inquiries within 30 days (45 days for California requests).


16. Specific Service Features

16.1 Human-in-the-Loop Workflows

When workflows pause for human approval:

  • Pause state stored securely in checkpoint files
  • Notification sent via configured channels (email, SMS)
  • Approval links expire per workflow configuration
  • Resume triggers logged for audit purposes
  • Approver identity captured (all participants must create a Realflow account)

16.2 Shareable Link Privacy

Generated links include:

  • Unique identifiers
  • Optional authentication tokens
  • Configurable expiration dates
  • Usage tracking (views, submissions)
  • Optional password protection

Subscribers control:

  • Data collection through forms
  • Notification recipients
  • Link expiration timing
  • Access restrictions

16.3 File Generation and Downloads

When generating reports, forms, or zip files:

  • Files stored temporarily during workflow execution
  • Download links expire per configuration
  • Files deleted after expiration or 30 days
  • Size limits enforced per subscription tier

16.4 SMS and Email Notifications

When workflows send notifications:

  • Phone numbers and emails processed only for delivery
  • Third-party delivery services used (compliant sub-processors)
  • Delivery logs retained for 90 days
  • Opt-out mechanisms included where required by law
  • Subscribers responsible for obtaining recipient consent

17. Business Subscriber Responsibilities

As a SaaS subscriber, you agree to:

  • Provide privacy notices to your end users
  • Obtain necessary consents for data collection
  • Comply with applicable privacy laws
  • Configure appropriate data retention settings
  • Secure your account credentials
  • Use the Service lawfully and ethically
  • Notify us of any security incidents
  • Indemnify Realflow for your misuse of the Service

18. Security Incident Response

In the event of a data breach:

  • We will investigate promptly
  • Affected users notified within 72 hours (or as required by law)
  • Supervisory authorities notified if required
  • Mitigation steps taken immediately
  • Post-incident review conducted
  • Subscribers notified if their data or workflows affected

Report Security Issues: Email: security@realflow.ai


19. Third-Party Links and Services

Our Site and Service may contain links to third-party websites or integrate with third-party services. We are not responsible for:

  • Privacy practices of third parties
  • Content on third-party sites
  • Third-party data handling
  • Security of external services

Review privacy policies of any third-party services you use through Realflow.


20. Automated Decision-Making

Realflow does not use automated decision-making or profiling that produces legal effects or similarly significant effects concerning you, except:

  • Fraud detection and prevention
  • Security threat detection
  • Service optimization (with your consent)

You have the right to:

  • Be informed of automated processing
  • Contest automated decisions
  • Request human review

21. Consent Withdrawal

Where we process your data based on consent:

  • You may withdraw consent at any time
  • Withdrawal does not affect prior processing
  • Some services may become unavailable
  • We will confirm receipt of withdrawal
  • Processing will cease promptly

Withdraw Consent:


22. Questions and Complaints

If you have concerns about our privacy practices:

  1. Contact us directly (contact information in Section 15)
  2. We will investigate and respond within 30 days
  3. If unsatisfied, you may:
    • File a complaint with your data protection authority
    • Seek legal remedies under applicable law
    • Request mediation or arbitration (per Terms of Service)

We are committed to resolving privacy concerns fairly and promptly.


Acknowledgment: By using Realflow's Site or Service, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.


Document Version: 1.0
Effective Date: 11-1-2025
Last Reviewed: 11-1-2025