Skip to main content
Get UI Flow
中文

Privacy Policy

Effective date: April 12, 2026 · Version 1.0

1. Who We Are

Get UI Flow ("we", "us", "our") is an AI-powered enterprise efficiency platform. This Privacy Policy describes how we collect, use, share, and protect your personal data when you visit our website at getuiflow.com or use our services.

Data protection contact:
Email: privacy@getuiflow.com

2. Data We Collect

We collect the following categories of personal data:

Data Category Examples Source
Account information Email address, full name, company name Provided by you at signup
Authentication data Password hash (Argon2id — we never store plaintext passwords) Generated from your password at signup
Technical data IP address, user agent, browser type Collected automatically from requests
Consent records Cookie consent acknowledgment, consent version, timestamp Recorded when you interact with consent controls
Audit logs Login events, password changes, data export/deletion requests Generated by security-relevant account activity
Demo request data Name, work email, company, role, company size, message Provided by you via the demo request form

3. Lawful Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

Data Lawful Basis Explanation
Account information Contract (Art. 6(1)(b)) Necessary to provide the service you signed up for
Authentication data Contract (Art. 6(1)(b)) Required to secure your account and verify identity
Technical data & audit logs Legitimate interest (Art. 6(1)(f)) Protecting the security and integrity of our platform
Consent records Legal obligation (Art. 6(1)(c)) Maintaining evidence of consent as required by law
Demo request data Consent (Art. 6(1)(a)) You voluntarily submit this to request contact from us

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery: Providing, maintaining, and improving the Get UI Flow platform.
  • Account management: Creating and managing your user account, authentication, and session management.
  • Communication: Responding to your demo requests, support inquiries, and sending transactional emails (verification, password reset).
  • Security: Detecting and preventing unauthorized access, fraud, and other security threats. This includes rate limiting, login attempt monitoring, and audit logging.
  • Legal compliance: Meeting our obligations under applicable laws, including responding to data subject requests.

We do not use your data for:

  • Behavioral advertising or ad targeting
  • Selling personal data to third parties
  • Automated decision-making with legal or similarly significant effects

5. Data Retention

Data Category Retention Period
Account information Duration of account + 30 days after deletion request
Authentication data Duration of account (deleted with account)
Session tokens 7 days (refresh token TTL), then automatically expired
Audit logs 2 years (anonymized on account deletion — user_id removed)
Login attempt records 24 hours
Demo request data 12 months, then deleted unless you become a customer
Consent records Duration of account + 3 years (legal compliance)

6. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

  • Right of access (GDPR Art. 15) — Request a copy of all personal data we hold about you. You can exercise this via your account settings or by calling GET /api/user/export.
  • Right to rectification (GDPR Art. 16) — Request correction of inaccurate personal data. Contact us at privacy@getuiflow.com.
  • Right to erasure (GDPR Art. 17) — Request deletion of your account and associated data. You can exercise this via your account settings or by calling POST /api/user/delete. Audit logs are anonymized (user_id removed) rather than deleted, to preserve platform security integrity.
  • Right to data portability (GDPR Art. 20) — Receive your data in a structured, machine-readable format (JSON). Available via the data export endpoint.
  • Right to object (GDPR Art. 21) — Object to processing based on legitimate interest. Contact us and we will assess your request.
  • Right regarding automated decision-making (GDPR Art. 22) — We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

To exercise any of these rights, email privacy@getuiflow.com. We will respond within 30 days (or sooner if required by your local law).

7. Data Processors

We use the following third-party service providers ("processors") to operate our platform. Each operates under an appropriate data processing agreement (DPA).

Processor Purpose Jurisdiction
Cloudflare, Inc. CDN, DDoS protection, DNS, compute (Pages/Workers), database (D1), object storage (R2), bot verification (Turnstile) United States
Resend, Inc. Transactional email delivery (verification, password reset) United States
Functional Software, Inc. (Sentry) Error monitoring and reporting (PII-scrubbed — emails hashed with SHA-256) United States
HubSpot, Inc. CRM and demo request management United States
Better Stack, Inc. (Better Uptime) Uptime monitoring and status page European Union

For a full list of sub-processors and their DPA status, see our Data Processing Agreement page.

8. International Transfers

Your data may be transferred to and processed in the United States and other countries where our processors operate. When personal data is transferred outside your home jurisdiction, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all processors that include transfer safeguards
  • Assessment of the legal framework of the recipient country

9. Cookies

We use only strictly necessary cookies — no analytics, marketing, or third-party tracking cookies. You do not need to consent to strictly necessary cookies under ePrivacy Directive Art. 5(3), but we inform you of their use.

Cookie Name Purpose Type Duration
access_token Authentication session token First-party, strictly necessary 15 minutes
refresh_token Session renewal without re-login First-party, strictly necessary 14 days
cookie_consent Records that you acknowledged the cookie banner First-party, strictly necessary 1 year
locale_pref Remembers your language preference (en/zh) First-party, strictly necessary 1 year
locale_notice Displays a geolocation-based notice for visitors from mainland China on Chinese-language pages First-party, strictly necessary 24 hours

If we introduce analytics or non-essential cookies in the future, we will update this policy and request your consent before setting them.

10. Children's Data

Get UI Flow is an enterprise platform not directed at children. We do not knowingly collect personal data from children under 13 years of age in the United States or under 16 years of age in the European Union. If you believe we have inadvertently collected data from a child, please contact us at privacy@getuiflow.com and we will promptly delete it.

11. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

  • Right to know: You can request details about the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out: You have the right to opt out of the "sale" or "sharing" of your personal information.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

We do not sell or share your personal information as defined by the CCPA. However, you may still submit a formal opt-out request to record your preference:

Alternatively, you can email privacy@getuiflow.com with the subject line "CCPA Opt-Out Request".

12. Users in Mainland China

Get UI Flow's services are hosted outside mainland China and are not directed at residents of mainland China as a primary audience. Our Chinese-language content is provided for the convenience of overseas Chinese speakers.

If you are located in mainland China, please be aware that your data will be transferred to and processed in jurisdictions outside China. We recommend consulting local legal counsel regarding the applicability of China's Personal Information Protection Law (PIPL) to your use of our services.

13. Complaints

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority. Relevant authorities include:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
  • Germany: Your state data protection authority (Landesdatenschutzbeauftragte)
  • United States (California): California Attorney General's Office — oag.ca.gov/privacy

We encourage you to contact us first at privacy@getuiflow.com so we can address your concern directly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting a notice on our website and, where you have an account, by email. The "Effective date" at the top of this page indicates when this version became effective.

We encourage you to review this policy periodically. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.