Privacy Policy

1. Introduction

This policy covers all personal data processing activities undertaken by OkFlow in connection with the Service. It applies regardless of your location, though we specifically address the rights of individuals in the European Economic Area (EEA) and California.

We encourage you to read this policy in full before using OkFlow. If you have any questions that are not answered here, you can reach us at privacy@okflow.io. We will update this policy when our practices change, and we will notify you of material changes as described in Section 14.

2. Data Controller

[LEGAL ENTITY TBD — counsel to fill]

For the purposes of the EU General Data Protection Regulation (GDPR), OkFlow acts as the data controller for personal data collected through the Service. If a data processor agreement (DPA) is required for your organization's use of OkFlow, please contact legal@okflow.io.

If you have questions about how your personal data is handled, or wish to exercise your rights, please contact our privacy team at privacy@okflow.io.

3. Personal Data We Collect

We collect data you provide directly: your name, email address, and password when you register; billing information (processed by Stripe — OkFlow does not store raw card numbers); organizational details such as your company name; and any Content you create or upload within the Service, including annotations, tasks, comments, attachments, and wiki pages.

We collect data automatically when you use the Service: your IP address, browser type and version, operating system, referring URLs, pages visited, features used, session duration, and error reports. This data is collected through server logs and, where consent is given, through Google Analytics.

We may also collect data about how you interact with our browser extension on websites where it is activated, limited to what is necessary to deliver the annotation and feedback functionality.

4. Why We Process Data

We process your personal data to provide and operate the Service — including account management, project creation, task management, real-time collaboration, and AI-assisted features. Billing data is processed to manage subscriptions and payments through our payment processor Stripe.

We process usage and technical data to maintain security, diagnose errors, monitor performance, prevent abuse, and improve the Service. We may use your email address to send transactional communications (account confirmations, password resets, billing receipts), product updates, and service announcements.

With your consent, we use analytics data to understand how pages and features are used so we can improve the product. AI features process your Content to generate task suggestions, summaries, and other outputs — this processing occurs on our infrastructure and through our AI subprocessor.

5. Legal Basis Under GDPR

For users in the EEA, our processing is based on the following legal grounds: performance of a contract (Art. 6(1)(b) GDPR) for account creation, subscription management, and service delivery; legitimate interests (Art. 6(1)(f) GDPR) for security monitoring, fraud prevention, product improvement, and direct marketing to existing customers (who can opt out at any time); and your consent (Art. 6(1)(a) GDPR) for analytics cookies and any optional communications.

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your fundamental rights and freedoms, taking into account the nature of the data and the context of processing. You may object to processing based on legitimate interests by contacting privacy@okflow.io.

6. Cookies and Tracking

OkFlow uses strictly necessary cookies to maintain your session and authenticate requests. These cookies are essential to the operation of the Service and cannot be disabled without breaking core functionality.

With your consent, we use Google Analytics 4 to collect aggregated, anonymized usage data about how visitors interact with our marketing site. GA only loads after you accept the cookie consent banner; it is never loaded by default. IP anonymization is enabled. You can withdraw consent at any time by clearing your localStorage entry for 'okflow-cookie-consent' or by using the consent banner.

We do not use cookies for behavioral advertising or sell cookie data to third parties.

7. Subprocessors

OkFlow uses the following categories of subprocessors to deliver the Service. Each subprocessor is bound by a data processing agreement consistent with GDPR requirements.

Supabase (database hosting and authentication), Stripe (payment processing), SendGrid (transactional email delivery), Upstash (Redis caching and rate limiting, vector search), OpenRouter (AI model access for AI features), PostHog (product analytics within the application). The current list may be updated as our subprocessors change; significant additions will be communicated via email or in-product notice.

If you require a complete, current list of subprocessors, please contact legal@okflow.io.

8. International Data Transfers

OkFlow and some of our subprocessors are based in or process data in the United States, which is outside the EEA. When we transfer personal data from the EEA to the US or other third countries, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission.

By using the Service, you acknowledge that your data may be transferred to and processed in the US and other countries where data protection laws may differ from those in your home country. We take steps to ensure that any such transfers are subject to appropriate protections.

If you would like more information about the specific safeguards in place for your data transfers, please contact privacy@okflow.io.

9. Data Retention

We retain your personal data for as long as your account is active. If you cancel your subscription, your data remains accessible in your Workspace until the end of the paid period. Following account closure, we retain your Content and account data for 30 days to allow for export and to handle any billing disputes, after which it is deleted from active systems.

Server logs and security audit records may be retained for up to 90 days after account closure for security and compliance purposes. Billing records are retained for the period required by applicable tax and financial regulations, which may be up to 7 years.

Backup copies of data may persist for a short additional period consistent with our backup rotation schedule.

10. Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data: the right to access a copy of the data we hold about you; the right to rectification if your data is inaccurate or incomplete; the right to erasure (the right to be forgotten) in certain circumstances; the right to data portability; the right to restrict processing in certain circumstances; and the right to object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, contact privacy@okflow.io. We will respond within 30 days. In some cases, we may need to verify your identity before processing your request. If you believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data protection supervisory authority.

11. CCPA Notice for California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect, use, disclose, and sell about you; the right to request deletion of your personal information; and the right to opt out of the sale of your personal information.

OkFlow does not sell personal information as defined under CCPA. We do not exchange your data for monetary consideration with third parties. We share data with subprocessors only for the purpose of operating the Service.

To submit a CCPA request, contact privacy@okflow.io with the subject line "CCPA Request". We will respond within 45 days as required by law.

12. Children

The Service is not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact privacy@okflow.io and we will take steps to delete that data promptly.

Parents or guardians who become aware that their child has created an account without consent should contact us immediately.

13. Security

OkFlow implements technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data at rest and in transit (TLS), row-level security (RLS) in our database layer to ensure strict data isolation between Workspaces, access controls limiting OkFlow staff access to production data, and regular security reviews.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, OkFlow will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify affected users without undue delay.

No system is perfectly secure. We encourage you to use a strong, unique password and to enable two-factor authentication if available.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When changes are material, we will notify you by email to the address associated with your account and/or by posting a prominent notice in the application at least 30 days before the changes take effect.

We encourage you to review this policy periodically. Continued use of the Service after the revised policy takes effect constitutes your acceptance of the changes.

15. Contact

For all privacy-related inquiries, data subject requests, and CCPA requests, please contact our privacy team at privacy@okflow.io.

For legal and compliance matters, including DPA requests and subprocessor inquiries, contact legal@okflow.io. We aim to respond to all verifiable requests within 30 days.