Privacy Policy

Effective Date: December 10, 2025

Data Protection Officer: [email protected]

1. Data We Collect

User-Provided Data

  • Account details (name, email, company affiliation)
  • Project and time tracking data
  • Leave requests and approvals
  • Client information and communications
  • User-generated content (comments, notes, reports)

Automatically Collected Data

  • Usage patterns and feature engagement
  • Login frequency and session duration
  • IP addresses and device information
  • Session tokens and authentication data
  • Browser type and operating system

Third-Party Data

  • Time tracking data from DeskTime integration
  • Payment processor information (Stripe)
  • Single Sign-On (SSO) provider data

2. How We Use Your Data

  • Service Delivery: Provide and maintain Platform functionality
  • Communication: Send service updates, support responses, and notifications
  • Improvement: Analyze usage to enhance features and user experience
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Compliance: Meet legal and regulatory obligations
  • AI Analytics: Generate productivity insights (with user consent)

3. Data Sharing

Internal Sharing

Data is shared within your organization according to role-based access controls. Team members, managers, and administrators can access data relevant to their permissions.

External Sharing

We share data only with:

  • Cloud Providers: EU-based data centers for hosting and storage
  • Email Services: Brevo for transactional emails and notifications
  • Payment Processors: Stripe for subscription billing
  • Analytics: Anonymized usage data for service improvement
  • Law Enforcement: When legally required or to protect our rights

We never sell your data to third parties for marketing purposes.

4. Data Retention & Deletion

  • Active Accounts: Data retained for subscription duration plus 30 days
  • Deleted Accounts: GDPR-compliant purge within 30 days of request
  • Activity Logs: Automatically removed after 30 days
  • Financial Records: Retained for 7 years per legal requirements
  • Backups: May contain data for up to 90 days after deletion

5. Security Measures

  • TLS/SSL encryption for data in transit and at rest
  • Role-based access controls (RBAC)
  • Regular security audits and penetration testing
  • ISO 27001:2013 certified security practices
  • Token-based authentication with session management
  • Daily encrypted backups stored in secure locations
  • Multi-factor authentication (MFA) support

6. Your GDPR Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request permanent removal of your data ("Right to be Forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Object: Opt out of certain data processing activities
  • Automated Decisions: Request human review of automated decisions

To exercise these rights, contact: [email protected]

7. International Data Transfers

Our primary data centers are located in the EU. When data is transferred outside the EU, we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Cookies & Tracking

We use cookies for essential functionality and optional analytics. See our Cookie Policy for detailed information.

9. Children's Privacy

BetterFlow is not intended for users under 16 years of age. We do not knowingly collect data from children. If we discover such data, we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email 30 days in advance. Your continued use after changes constitutes acceptance.

11. Contact & Complaints

Data Protection Officer: [email protected]

Privacy Requests: [email protected]

General Support: [email protected]

If you're not satisfied with our response, you can file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).