Privacy Policy

At BizFlow ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, share, and protect personal data when you use DragFlow (the "Service"). It applies to all users, whether you are a registered customer, a team member added by an administrator, or simply visiting our website.

This policy is designed to comply with the General Data Protection Regulation (GDPR) (EU 2016/679), the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.

1. Who We Are (Data Controller)

BizFlow is the data controller for personal data processed through the DragFlow platform. If you are using DragFlow as an employee or user of an organisation (a "Tenant"), that organisation is a separate data controller for the workflows and data they manage, and BizFlow acts as a data processor on their behalf.

Contact: privacy@bizflow.id.vn

2. Personal Data We Collect

Data you provide directly

Account information: Name, email address, password (hashed), job title, phone number, profile photo.
Organisation data: Organisation name, billing address, VAT/tax ID (for paid plans).
Payment information: Processed by our payment provider (Stripe). We do not store full card numbers.
Communications: Messages sent to our support team, feedback, and survey responses.
Workflow content: Data entered into workflow forms, task descriptions, file attachments, and comments.

Data collected automatically

Usage data: Pages visited, features used, actions taken, timestamps, and session duration.
Device and log data: IP address, browser type, operating system, and referring URL.
Cookies and similar technologies: See Section 10 for details.

Data received from third parties

Authentication providers: If you sign in with Google, we receive your name and email address.
Email providers: If you contact us by email, your email address and message content are received via our inbound mail provider (Postmark).

3. How We Use Your Personal Data

We use your personal data to:

Create and manage your account and authenticate your identity.
Provide, operate, and improve the Service.
Process payments and manage subscriptions.
Send transactional emails (e.g., task assignments, workflow completions, invitations).
Respond to support requests, including AI-assisted responses.
Send product updates, security alerts, and administrative notices.
Detect and prevent fraud, abuse, and security incidents.
Comply with legal obligations.
Analyse usage patterns to improve the Service (using aggregated or anonymised data where possible).

We do not sell your personal data to third parties.

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA) or UK, we process your personal data under the following legal bases:

Contract (Art. 6(1)(b)): To provide the Service you have subscribed to and fulfil our contractual obligations.
Legitimate interests (Art. 6(1)(f)): To improve the Service, prevent fraud, ensure security, and send relevant product communications. We balance our interests against your rights.
Legal obligation (Art. 6(1)(c)): To comply with applicable laws (e.g., tax, anti-money laundering).
Consent (Art. 6(1)(a)): For optional marketing communications and non-essential cookies. You may withdraw consent at any time.

We share your data only with:

Service providers (processors): Cloud infrastructure (Supabase/AWS), email delivery (Resend, Postmark), payment processing (Stripe), error monitoring (Sentry). All processors are bound by data processing agreements.
Within your organisation: Workflow data is visible to administrators and other users in your Tenant as required for the Service to function.
AI providers: Customer support emails may be processed by Anthropic's Claude API to generate responses. Only the email subject, body, and relevant account context are shared. No data is used to train third-party AI models under our agreements.
Legal requirements: When required by law, court order, or to protect our rights or the safety of others.
Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to you.

6. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Specifically:

Account data: Retained for the duration of your subscription plus 30 days after account closure.
Workflow and task data: Retained for the duration of your subscription. Exported on request before closure.
Support communications: Retained for 2 years to allow follow-up and quality improvement.
Billing records: Retained for 7 years to comply with financial regulations.
Usage logs: Retained for 90 days in identifiable form; longer in aggregated/anonymised form.

After the applicable retention period, data is securely deleted or anonymised.

7. Your Rights

If you are in the EEA or UK, you have the following rights under the GDPR:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where there is no overriding legitimate reason to retain it.
Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to object (Art. 21): Object to processing based on legitimate interests, including profiling, or to direct marketing at any time.
Rights related to automated decisions (Art. 22): Not to be subject to solely automated decisions that produce significant legal effects.

To exercise these rights, email privacy@bizflow.id.vn. We will respond within 30 days. If you believe we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection authority (e.g., the CNIL in France, the ICO in the UK, or the relevant supervisory authority in your EU member state).

California Residents — CCPA / CPRA Rights

If you are a California resident, you have the following rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, and the purposes for which it is used.
Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioural advertising.
Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (e.g., account login credentials) only as necessary to provide the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@bizflow.id.vn with the subject "California Privacy Request". We will verify your identity before processing the request and respond within 45 days (extendable by an additional 45 days with notice).

8. Cookies and Tracking Technologies

We use the following types of cookies:

Strictly necessary: Session cookies required for authentication and security. These cannot be disabled.
Functional: Remember your preferences (e.g., collapsed sidebar, dark mode).
Analytics: Aggregate usage statistics to improve the Service. We use privacy-friendly analytics and do not track individuals across external sites.

Non-essential cookies are only set with your consent. You can manage cookie preferences via your browser settings or by contacting us. Disabling strictly necessary cookies will prevent you from using the Service.

9. International Data Transfers

DragFlow is hosted on infrastructure in the Asia-Pacific region (Singapore). Some of our service providers are located in the United States and other countries. When we transfer personal data from the EEA or UK to countries without an EU adequacy decision, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission.
UK International Data Transfer Agreements (IDTAs) where applicable.

You may request a copy of the applicable transfer mechanisms by contacting us.

10. Security

We implement technical and organisational measures to protect your personal data, including:

Encryption in transit (TLS 1.2+) and at rest.
Row-level security on the database layer.
Multi-factor authentication (MFA) support.
Access controls limiting data access to authorised personnel.
Regular security assessments.

No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by the GDPR.

11. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data without verified parental consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@bizflow.id.vn.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice in the Service at least 14 days before the changes take effect. We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact and Data Protection Officer

For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact:

BizFlow — Privacy Team
Email: privacy@bizflow.id.vn
Support: support@bizflow.id.vn

If you are in the EEA and we are required to appoint a Data Protection Officer (DPO) or EU representative under the GDPR, contact details will be provided here. For complaints unresolved by us, you may contact your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.