1. Introduction
APFlow, Inc. ("APFlow," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our accounts payable automation platform (the "Service").
This Privacy Policy applies to information we collect through the Service and in email, text, and other electronic communications. It does not apply to information collected offline or through third-party sites.
2. Information We Collect
2.1 Information You Provide to Us
We collect information you voluntarily provide when using the Service:
- Account Information: Name, email address, organization name, and role/title
- Invoice Data: Vendor names, invoice numbers, amounts, dates, payment terms, and related financial information
- Uploaded Documents: PDF invoices and supporting documentation you upload
- Communication Data: Messages, feedback, and support requests you send to us
- Payment Information: Billing details processed through our third-party payment provider (Polar)
2.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Usage Data: Pages visited, features used, time spent, click patterns, and workflow interactions
- Device Information: IP address, browser type, operating system, device identifiers
- Authentication Data: Login timestamps, magic link usage (via Stytch)
- Analytics Data: Aggregated usage statistics through Umami Analytics (privacy-focused, GDPR-compliant)
2.3 Information We Do NOT Collect
APFlow does not:
- Process or store payment card information (handled by Polar)
- Access your bank accounts or payment systems
- Execute financial transactions on your behalf
- Collect sensitive personal information beyond what's necessary for the Service
3. How We Use Your Information
We use collected information for the following purposes:
3.1 Service Delivery
- Provide and maintain the accounts payable automation platform
- Perform duplicate detection and invoice analysis
- Route approvals through your custom workflows
- Generate payment timing recommendations
- Enable team collaboration features
- Maintain audit trails and compliance records
3.2 Service Improvement
- Analyze usage patterns to improve features and user experience
- Develop new features based on customer needs
- Optimize platform performance and reliability
- Conduct research and testing
3.3 Communication
- Send service-related notifications and updates
- Respond to your inquiries and support requests
- Provide important security or policy updates
- Send product updates (with your consent)
3.4 Legal and Security
- Comply with legal obligations and regulations
- Protect against fraud, abuse, and security threats
- Enforce our Terms of Service
- Respond to legal requests and prevent harm
3.5 Legal Basis (GDPR)
For users in the European Economic Area (EEA), our legal bases for processing are:
- Contract Performance: Processing necessary to provide the Service
- Legitimate Interests: Service improvement, fraud prevention, security
- Legal Obligation: Compliance with laws and regulations
- Consent: Marketing communications and optional features
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 Service Providers
We share information with trusted third-party service providers who assist in operating our Service:
- Stytch: Authentication and user management (US-based)
- Polar: Subscription billing and payment processing (US-based)
- Umami Analytics: Privacy-focused analytics (EU-based option available)
- Email Service Provider: Transactional emails and notifications
All service providers are contractually obligated to protect your information and use it only for specified purposes.
4.2 Business Transfers
If APFlow is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Protect the rights, property, or safety of others
4.4 With Your Consent
We may share information for other purposes with your explicit consent.
5. Data Security
We implement technical and organizational measures to protect your information:
5.1 Technical Security
- Encryption in transit using TLS/SSL
- Encryption at rest using industry-standard AES-256
- Secure authentication via Stytch (magic links, MFA support)
- Role-based access controls and permissions
- Regular security assessments and penetration testing
- Secure cloud infrastructure with redundancy
5.2 Organizational Security
- Employee security training and background checks
- Strict access controls (principle of least privilege)
- Incident response and breach notification procedures
- Regular security audits and compliance reviews
- Vendor security assessment program
5.3 Compliance Progress
APFlow is actively pursuing SOC 2 Type II certification. We are committed to maintaining industry-standard security practices and will update this policy as we achieve additional certifications.
Important: While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your information.
6. Data Retention
We retain your information for the following periods:
| Data Type | Retention Period |
|---|---|
| Active Account Data | Duration of customer relationship |
| Invoice & Financial Data | 7 years (standard financial record retention) |
| Audit Logs | 7 years (compliance requirement) |
| Usage Analytics | 2 years or until account deletion |
| Deleted Account Data | 30 days in backups, then permanently deleted |
| Marketing Data | Until opt-out or 2 years of inactivity |
We may retain information longer if required by law, for legal disputes, or for legitimate business purposes (e.g., fraud prevention, security).
7. Your Privacy Rights
7.1 Rights for All Users
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your information (with exceptions)
- Data Portability: Receive your data in a structured format
- Opt-Out: Unsubscribe from marketing communications
7.2 Additional Rights for EEA Residents (GDPR)
- Object: Object to processing based on legitimate interests
- Restrict: Request restriction of processing
- Withdraw Consent: Withdraw consent where processing is based on consent
- Complaint: Lodge a complaint with your local data protection authority
7.3 California Residents' Rights (CCPA/CPRA)
California residents have the right to:
- Know: Request categories and specific pieces of personal information collected
- Delete: Request deletion of personal information (with exceptions)
- Correct: Request correction of inaccurate information
- Opt-Out: Opt out of sale or sharing of personal information (we do not sell data)
- Limit: Limit use of sensitive personal information
- Non-Discrimination: Not be discriminated against for exercising these rights
7.4 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy@apflow.co
We will respond within 30 days of verification of your identity.
8. International Data Transfers
APFlow is based in the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the United States.
For data transfers from the EEA to the US, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Appropriate safeguards required under GDPR Article 46
- Service provider agreements with data protection obligations
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will promptly delete it. Contact us at privacy@apflow.co if you believe we have collected information from a child.
10. California "Do Not Sell" Disclosure
APFlow does not sell your personal information. We do not and will not sell your personal information to third parties for monetary or other valuable consideration.
We may share information with service providers for business purposes as described in this Privacy Policy, but this does not constitute a "sale" under California law.
11. Cookies and Tracking Technologies
APFlow uses minimal cookies and tracking technologies:
11.1 Essential Cookies
- Authentication session cookies (Stytch)
- Security and fraud prevention
- Service functionality and preferences
11.2 Analytics
We use Umami Analytics, a privacy-focused analytics tool that:
- Does not use cookies
- Does not track users across websites
- Anonymizes visitor IP addresses
- Is GDPR compliant by design
11.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending email notification for significant changes
- Dashboard notification upon login
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
13. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
APFlow, Inc.
Privacy Inquiries: privacy@apflow.co
General Contact: info@apflow.co
We will respond to privacy requests within 30 days of verification.
Disclaimer: This Privacy Policy is provided for informational purposes and does not constitute legal advice. Consult with a qualified attorney for advice regarding your specific privacy compliance requirements.