Privacy Policy

1. Introduction

GetReFlow LLC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at getreflow.ai and use our services, including data received from third-party platform integrations such as Google, Meta/Facebook, LinkedIn, and others.

2. Information We Collect

Personal Information

We may collect personal information that you voluntarily provide when you register for an account, subscribe to a plan, fill out a form, or contact us. This includes your name, email address, business name, phone number, and billing information.

Usage Data

We automatically collect certain information when you access our platform, including your IP address, browser type, operating system, referring URLs, and information about how you interact with our services.

Integration Data

When you connect third-party integrations via OAuth or API key, we access and process data from those services as necessary to provide our automation features. We only access data that you explicitly authorize. The specific data accessed per platform includes:

Google Data

When you connect Google services, we may access: spreadsheet content and metadata (Google Sheets), form structure and response data (Google Forms), calendar events and scheduling information (Google Calendar), and email sending capability on your behalf (Gmail — send only; we do not read or access the content of your emails). All Google data is accessed via OAuth 2.0 with scopes limited to the services you connect.

Meta/Facebook Data

When you connect Facebook or Instagram, we may access: your Facebook Page listings, lead form submissions, page engagement metrics, post management capabilities, Instagram basic profile information, and Instagram content publishing capabilities. Data is accessed only for the Facebook Pages and Instagram accounts you authorize.

LinkedIn Data

When you connect LinkedIn, we access: your basic profile information (name, profile URL), email address, and the ability to create posts on your behalf. LinkedIn data is collected at the time you authorize the connection via OAuth.

Other Integrations

We also support integrations with HubSpot, Salesforce, Microsoft (Outlook Calendar and Mail), Mailchimp, Zoho CRM, TikTok, Typeform, JotForm, and Google Sheets. Each integration accesses only the data types and scopes you explicitly authorize during the connection process.

All OAuth tokens and credentials are stored in encrypted vault storage and are never stored in plain text.

3. How We Use Your Information

• To provide, operate, and maintain our services
• To process transactions and manage your subscription
• To execute automation playbooks on your behalf
• To execute automation workflows using data from your connected integrations
• To send communications on your behalf through connected platforms, only as configured in your active playbooks
• To send you service-related communications
• To improve and personalize your experience
• To monitor usage for billing purposes
• To refresh and maintain OAuth tokens to keep your integrations functioning
• To detect and prevent fraud or abuse

We do not use data from Google, Meta/Facebook, LinkedIn, or other connected platforms for advertising, user profiling, or training machine learning or artificial intelligence models. Integration data is used solely to provide the automation features you configure.

4. Third-Party Platform Data

Google User Data

GetReFlow LLC accesses Google user data as described in Section 2 (Google Data) solely to provide user-facing automation features that you configure. Google user data is:

• Used only to provide and improve user-facing features of our service
• Not sold, rented, or shared for advertising purposes
• Not used for training machine learning or artificial intelligence models
• Not transferred to third parties except to our workflow automation engine (Activepieces) for playbook execution, with your consent, or as required by law

You may revoke access to your Google data at any time by disconnecting the integration from your GetReFlow dashboard or by removing access in your Google Account settings.

Meta/Facebook Platform Data

GetReFlow LLC accesses Facebook and Instagram data as described in Section 2 (Meta/Facebook Data) solely to execute the automation playbooks you subscribe to. Specifically:

• We access Page listings, lead data, engagement metrics, and post management capabilities only for Pages you authorize
• Instagram data (basic profile and content publishing) is accessed only for accounts connected to your authorized Facebook Pages
• We do not sell Facebook or Instagram user data
• We comply with Meta Platform Terms and Developer Policies
• This privacy policy does not supersede or override Meta's own terms and data policies

You may revoke access at any time by disconnecting the integration from your GetReFlow dashboard or via Facebook Settings > Apps and Websites.

LinkedIn Member Data

Before you authenticate your LinkedIn account with GetReFlow LLC, we provide the following disclosures as required by LinkedIn's API Terms of Use:

• Data collected: Basic profile information (name, profile URL), email address, and social posting capability
• When collected: At the time you authorize the LinkedIn connection via OAuth
• How used: Solely to execute social media automation workflows you configure in your active playbooks
• How disclosed: LinkedIn data is shared only with our workflow automation engine (Activepieces) for playbook execution and is not sold or shared with other third parties
• Withdrawing consent: You may disconnect your LinkedIn integration at any time from your GetReFlow dashboard
• Requesting deletion: You may request deletion of your LinkedIn data via your dashboard settings or by emailing us at hello@getreflow.com

We comply with LinkedIn's API Terms of Use. Upon consent withdrawal or account closure, your LinkedIn data is deleted promptly.

5. Google API Services Limited Use Disclosure

GetReFlow LLC's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

1. We only use Google user data to provide or improve user-facing features that are prominent in our application's user interface
2. We do not transfer Google user data to third parties except to provide or improve user-facing features, with your affirmative consent, for security purposes, to comply with applicable law, or as part of a merger or acquisition with notice to users
3. We do not use or transfer Google user data to serve advertising, including retargeting, personalized, or interest-based advertising
4. We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and anonymized for internal operations

6. Data Sharing and Transfers

We do not sell your personal information or integration data to any third party. We may share your data with trusted third-party service providers who assist us in operating our platform:

• Stripe — payment processing and subscription management
• Supabase — database hosting and encrypted credential storage
• Activepieces — workflow automation engine for playbook execution
• Twilio — SMS messaging for platform notifications
• Mailgun — transactional email delivery
• Vercel — application hosting
• Sentry — error monitoring and diagnostics

These providers are contractually obligated to protect your data and may only use it to provide their services to us. Integration data from Google, Meta/Facebook, LinkedIn, and other connected platforms is shared only with our workflow automation engine (Activepieces), solely for the purpose of executing your configured playbooks.

We may also disclose your information if required by law, legal process, governmental request, or to protect the rights, property, or safety of GetReFlow LLC, our users, or others.

7. Data Security

We maintain administrative, physical, and technical safeguards designed to meet or exceed industry standards for protecting your information:

• Technical safeguards: TLS encryption in transit, AES-256 encryption at rest, row-level security policies for tenant data isolation, encrypted vault storage for OAuth credentials, PKCE and CSRF protection for OAuth flows, API rate limiting, and circuit breakers for external service resilience
• Administrative safeguards: Role-based access controls, principle of least privilege, and need-to-know access restrictions for personnel
• Physical safeguards: Our cloud infrastructure providers (Vercel, Supabase, Railway) maintain SOC 2 compliant data center security

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

8. Data Retention and Deletion

We retain your personal information for as long as your account is active or as needed to provide our services. Specific retention practices for integration data include:

• Google data: OAuth tokens are deleted when you disconnect the integration or delete your account. No Google user data is stored beyond what is needed for active playbook execution
• Meta/Facebook data: Long-lived tokens expire after 60 days and require re-authorization. Lead data is retained according to your configured settings
• LinkedIn data: Access tokens expire after 60 days; refresh tokens expire after one year. Member social activity data processed through our platform is retained for no more than 48 hours during workflow execution. All LinkedIn data is deleted promptly upon your request

Account deletion: When you request account deletion, we initiate a cleanup process that includes: deleting all OAuth tokens and credentials from our encrypted vault, removing all workflows from our automation engine, anonymizing lead event data for billing audit purposes, and cancelling active subscriptions. Your data is purged within 30 days of the deletion request.

To request deletion of your data, use the account deletion option in your dashboard settings or contact us at hello@getreflow.com.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data and integration data
• Portability: Request your data in a portable, machine-readable format
• Consent withdrawal: Disconnect any third-party integration at any time via your dashboard, revoking our access to that platform's data
• Opt-out: Opt out of non-essential data processing or marketing communications

To disconnect a third-party integration and revoke data access, visit your dashboard's Integrations page. You may also revoke access directly from the provider's settings:

• Google: myaccount.google.com/permissions
• Facebook: Facebook Settings > Apps and Websites
• LinkedIn: LinkedIn Permitted Services

We process data subject rights requests within 30 days. To exercise any of these rights, contact us at hello@getreflow.com.

10. Consent and Authorization

When you connect a third-party integration, you authorize GetReFlow LLC to access your data on that platform via the OAuth consent screen presented by the provider. By completing the authorization flow, you provide informed, affirmative consent for us to access the specific data types and capabilities described in Section 2.

You may withdraw consent at any time by disconnecting the integration from your dashboard (see Section 9). We do not build user profiles from integration data beyond what is necessary to execute your configured playbooks.

For LinkedIn integrations specifically, your consent encompasses the disclosures outlined in Section 4 (LinkedIn Member Data), including how your data will be used, disclosed, and how you may request its deletion, in accordance with LinkedIn's API Terms of Use.

11. Children's Privacy

Our service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. We comply with the Children's Online Privacy Protection Act (COPPA) and the Video Privacy Protection Act (VPPA) where applicable. If you believe we have inadvertently collected information from a child under 13, please contact us at hello@getreflow.com and we will promptly delete it.

12. Breach Notification

In the event of a data breach affecting your personal information or integration data, we will notify affected users and relevant supervisory authorities within 72 hours as required by applicable law (including GDPR where applicable). We will also promptly notify relevant platform partners — including Google, Meta, and LinkedIn — of any breaches that may impact data received through their APIs, in accordance with their respective developer terms.

13. Legal Compliance

We comply with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and other applicable federal and state privacy laws. We also comply with the platform-specific terms and data policies of each third-party service we integrate with, including the Google API Services User Data Policy, Meta Platform Terms, and LinkedIn API Terms of Use.

14. Cookies

We use essential cookies to maintain your session and preferences. We do not use third-party advertising cookies. Analytics data is collected to improve our services.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For material changes that affect how we process your integration data, we will provide additional notice via email or in-app notification.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at hello@getreflow.com.