Privacy Policy
Effective Date: February 16, 2026 | Last Updated: February 16, 2026
Introduction
ZeitFlow ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI workflow automation platform ("the Service").
We do not sell your personal information. We do not use your data for advertising. We do not train AI models on your data.
1. Information We Collect
Information You Provide
- Account Information: Name, email address, and password when you register. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.
- Workflow Data: Prompts, workflow configurations, node settings, and any content you input into the Service.
- Integration Credentials: OAuth tokens and API keys for third-party services you connect (e.g., Slack, Google Calendar). These are stored encrypted.
- Payment Information: Billing details processed through Stripe. We do not store your full credit card number; Stripe handles this directly.
- Communications: Messages you send to our support team or through any contact forms.
Information Collected Automatically
- Usage Data: Pages visited, features used, workflow execution logs, timestamps, and interaction patterns.
- Device Information: Browser type, operating system, and device type.
- Log Data: IP address, access times, and referring URLs.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Processing your workflow requests, executing AI prompts, and delivering results.
- Account Management: Creating and managing your account, authenticating your identity, and processing payments.
- Service Improvement: Analyzing aggregate, anonymized usage patterns to improve the Service. We do not use individual prompt content for this purpose.
- Communication: Sending you account-related notifications, security alerts, and (with your consent) product updates.
- Security: Detecting, preventing, and addressing fraud, abuse, and security issues.
- Legal Compliance: Complying with applicable laws, regulations, and legal processes.
3. Data Processing & Third-Party Sub-Processors
To provide the Service, your data is shared with the following categories of third-party sub-processors. When you submit a prompt or execute a workflow, your data may pass through these services:
| Category | Provider | Purpose |
|---|---|---|
| AI Processing | OpenRouter | Routes AI requests to downstream model providers |
| AI Models | Google, Anthropic, Meta, OpenAI, and others via OpenRouter | Process AI prompts and generate output |
| Database | Neon | Serverless PostgreSQL database hosting |
| File Storage | Vercel Blob | Image and asset storage |
| Email | Resend | Transactional and workflow email delivery |
| SMS | Twilio | SMS/text message delivery for workflows |
| Payments | Stripe | Payment processing and subscription management |
| Authentication | Google OAuth | Optional sign-in via Google account |
| Analytics | Google Analytics, Vemetric | Aggregate usage analytics (anonymized) |
Each sub-processor is bound by its own privacy policies and data processing agreements. We select sub-processors that maintain appropriate security standards and data protection practices.
4. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Account Data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
- Workflow Data & Prompts: Retained while your account is active. Deleted within 30 days of account deletion.
- Workflow Execution Logs: Retained for 90 days, then automatically purged.
- Debug & Server Logs: Automatically scrubbed and deleted every 30 days.
- Payment Records: Retained as required by tax and accounting regulations (typically 7 years for financial records).
- AI Prompt Data: Prompts are sent to AI providers in real time for processing and are not stored by us beyond the workflow execution log retention period. Refer to each AI provider's data retention policies for their handling of prompt data.
5. Your Rights
Depending on your location, you may have the following rights regarding your personal data. We honor these rights for all users regardless of jurisdiction:
- Right to Access: You can request a copy of the personal data we hold about you. We will provide this in a commonly used, machine-readable format within 30 days of your request.
- Right to Rectification: You can request that we correct any inaccurate or incomplete personal data. You can also update most information directly through your account settings.
- Right to Deletion (Right to be Forgotten): You can request that we delete your personal data. You can initiate account deletion from your account settings page. We will fulfill deletion requests within 30 days. Note: some data may be retained where required by law (e.g., financial records for tax compliance).
- Right to Data Portability: You can request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to Opt-Out of Data Sharing: We do not sell your data. However, you may opt out of analytics tracking by disabling cookies in your browser or by contacting us.
- Right to Restrict Processing: You can request that we limit how we process your personal data in certain circumstances.
- Right to Object: You can object to the processing of your personal data for certain purposes, such as direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing conducted before withdrawal.
To exercise any of these rights, contact us at privacy@zeitflow.io. We will respond to your request within 30 days. If we need additional time, we will notify you of the reason and extension period.
6. For Users in the European Economic Area & United Kingdom
If you are located in the EEA or UK, the following additional provisions apply:
- Legal Basis for Processing: We process your data based on: (a) performance of our contract with you (providing the Service), (b) your consent (for optional features like analytics), (c) our legitimate interests (security, fraud prevention, service improvement), and (d) legal obligations.
- International Data Transfers: Your data may be transferred to and processed in the United States and other countries where our sub-processors operate. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards to protect your data during international transfers.
- Data Protection Officer: For GDPR-related inquiries, contact us at privacy@zeitflow.io.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.
7. For California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. As such, we do not offer an opt-out of sale mechanism because there is no sale to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Shine the Light: We do not disclose personal information to third parties for their direct marketing purposes.
To exercise your CCPA/CPRA rights, contact us at privacy@zeitflow.io.
8. Cookies & Tracking Technologies
We use the following cookies and similar technologies:
Essential Cookies
Required for the Service to function. These include session cookies for authentication (NextAuth.js session tokens) and CSRF protection. These cannot be disabled.
Functional Cookies
Used to remember your preferences, such as your theme choice (light/dark mode). Stored in localStorage.
Analytics Cookies
We use Google Analytics and Vemetric to understand aggregate usage patterns. These collect anonymized data about page views, feature usage, and general interaction patterns. You can opt out of analytics tracking by:
- Using your browser's Do Not Track (DNT) setting
- Installing a browser extension that blocks analytics scripts
- Contacting us at privacy@zeitflow.io to request opt-out
Third-Party Scripts
We do not use cookies for advertising or ad targeting. We do not allow third-party advertising networks to place cookies through our Service.
9. Children's Privacy (COPPA)
The Service is intended solely for users 18 or older (or 16 in certain jurisdictions). We do not knowingly collect personal information from children under the age of 13.
If we learn that a user is under 13, we will:
- Terminate the account immediately
- Delete all associated personal data within 48 hours
- Notify the parent or guardian if contact information is available
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at privacy@zeitflow.io so we can take appropriate action.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS) and sensitive data at rest
- Secure password hashing (bcrypt)
- OAuth token encryption for third-party integrations
- Rate limiting and abuse prevention mechanisms
- Regular security reviews of our codebase and infrastructure
- Access controls limiting employee access to personal data on a need-to-know basis
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing industry-standard protections.
11. Security Incident Response
In the event of a data breach that affects your personal information:
- Notification Timeline: We will notify affected users via email within 72 hours of discovering the breach, in compliance with GDPR requirements. For California residents, we will comply with applicable state notification deadlines.
- Notification Content: Our notification will include the nature of the breach, the types of data affected, the steps we are taking to address it, and recommendations for protecting yourself.
- Regulatory Reporting: We will report the breach to relevant supervisory authorities as required by applicable law.
- Sub-Processor Breaches: If a breach occurs at one of our sub-processors (e.g., OpenRouter, Neon, Vercel), we will notify affected users as soon as we are informed by the sub-processor.
12. Account Deletion
You can delete your account at any time from your account settings page. When you request account deletion:
- Your account will be deactivated immediately
- All personal data, workflows, chains, execution logs, and associated content will be permanently deleted within 30 days
- Integration tokens (Slack, Google, etc.) will be revoked and deleted
- Data that has already been sent to third-party services (e.g., emails sent via Resend, SMS sent via Twilio) cannot be recalled
- Financial records may be retained as required by law
- We will request deletion of your data from our sub-processors where technically feasible
If you need assistance with account deletion or have questions about data removal, contact us at privacy@zeitflow.io.
13. Data Minimization
We adhere to the principle of data minimization. We only collect and retain the minimum amount of personal data necessary to provide the Service and fulfill our legal obligations. We do not collect data "just in case" or for speculative future use. Workflow execution data is automatically purged according to the retention schedules outlined in Section 4. Debug logs are automatically scrubbed and deleted every 30 days.
14. Law Enforcement & Third-Party Data Requests
Our Commitment
We take your privacy extremely seriously. Under no circumstances will we voluntarily disclose your personal information, prompt history, workflow data, or account information to any third party — including law enforcement agencies, government bodies, or private litigants — unless we are legally compelled to do so.
The Warrant & Court Order Requirement
Access to user data by any third party is strictly prohibited unless we are served with both a valid search warrant and a court order issued by a court of competent jurisdiction, specifically identifying the data to be disclosed. We will not honor informal requests, voluntary information-sharing agreements, or requests that do not meet this standard. Broad or vague requests that do not specify the particular data sought will be challenged.
No Voluntary Disclosure
We do not participate in voluntary data-sharing programs with law enforcement or government agencies. We do not provide "backdoor" access to user data. We do not retain data beyond our stated retention periods for the purpose of making it available to third parties.
User Notification
If we receive a valid legal request for your data, we will notify you at the email address associated with your account as soon as legally permitted. The only exception to this notification is if we are subject to a court-issued gag order or similar legal prohibition that prevents us from informing you. Once any such prohibition expires, we will notify you promptly.
Compelled Disclosure
If we are legally compelled to disclose your data pursuant to a valid warrant and court order, we will disclose only the specific data identified in the order — nothing more. We are not liable for any disclosure made in compliance with valid legal process.
15. We Do Not Sell Your Information
We want to be unambiguous about this: we do not sell, rent, lease, or trade your personal information to any third party for any purpose. Your prompts, workflow data, personal details, and usage information are never monetized through data brokerage or advertising. Your data is used solely to provide and improve the Service as described in this policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account and/or by placing a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
17. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, please contact us:
- Privacy Inquiries: privacy@zeitflow.io
- General Support: support@zeitflow.io
- Data Deletion Requests: privacy@zeitflow.io (or use the account settings page)
We aim to respond to all privacy-related inquiries within 30 days. You can also reach us through our Contact page.