ClientsFlow.io — Privacy Policy

Effective Date: September 9, 2025
Last Updated: September 9, 2025

This Privacy Policy explains how Yuriy Rybak, d/b/a “ClientsFlow.io” ("ClientsFlow.io", "we", "us", "our") collects, uses, discloses, and protects personal information when you use our websites, applications, and services (collectively, the "Service").

If you do not agree with this Policy, please do not access or use the Service. Capitalized terms not defined here have the meanings given in our [Terms of Service].

1. Who We Are

Controller: Yuriy Rybak, d/b/a “ClientsFlow.io.”
Address: 129-314 Viscount Drive, Red Deer, AB, Canada, T4R0S4
Email: [email protected]

We primarily provide a B2B software platform. For some features (e.g., telephony, email delivery, CRM), we act as a processor/service provider on behalf of our customers, who remain the controllers of the personal data they upload to or collect via the Service (“Customer Content”).

2. Scope

This Policy applies to personal information we process:

when you visit or use our websites and apps;
when you create and manage an account;
when you communicate with us (including support);
when we process Customer Content on your behalf as a processor/service provider.

Where we process personal data on your behalf, our Data Processing Addendum (DPA) applies: https://clientsflow.io/dpa. Our current sub‑processors are listed here: https://clientsflow.io/subprocessors.

3. Information We Collect

3.1 Information You Provide

Account & Profile: name, business name, email, phone number, billing address, password.
Billing: payment method details (tokenized by our payment processor), transaction records, plan selections, invoices, and tax status.
Communications: support requests, survey responses, and other messages.
Customer Content: contact lists, leads, messages, call/SMS logs and recordings (if you enable), campaign configurations, notes, files, and other data you connect or upload.

3.2 Information Collected Automatically

Usage & Device Data: IP address, device identifiers, browser type, operating system, pages viewed, referring/exit pages, timestamps, and feature usage.
Cookies & Similar Technologies: essential cookies for authentication, security, and session continuity; and, if enabled, preference cookies. (We do not deploy analytics/advertising cookies at this time. If we add them in the future, we will update this Policy and seek consent where required.)

3.3 Information From Third Parties

Payment Processor: confirmations of payment, refunds, or chargebacks (via Stripe).
Telephony/Email Providers: delivery statuses, metadata, and compliance signals from LeadConnector/LC Phone (via Twilio) and Mailgun.
Integrations You Connect: if you connect third‑party tools, we receive the data those tools share according to their settings and policies.

4. How We Use Information (Purposes & Legal Bases)

We use personal information to:

Provide and maintain the Service (create accounts, authenticate users, route calls/SMS, send emails, host content).
Legal bases: contract necessity; legitimate interests.
Process transactions and billing (subscribe you to plans, charge fees, detect/prevent fraud).
Legal bases: contract necessity; legitimate interests; legal obligations.
Support and communicate (respond to tickets, product updates, service notices).
Legal bases: contract necessity; legitimate interests; consent where required.
Secure and improve the Service (monitoring, debugging, preventing abuse, enhancing features).
Legal bases: legitimate interests.
Comply with laws (records retention, lawful requests, sanctions and export screening).
Legal bases: legal obligations; legitimate interests.
Marketing (B2B) (with appropriate consent where required; you can opt out at any time).
Legal bases: consent; legitimate interests.

When we process Customer Content, we do so on your instructions under the DPA.

5. Sharing and Disclosure

We do not sell or share personal information for cross‑context behavioral advertising. We disclose information only to:

Service Providers/Sub‑Processors acting on our behalf to deliver the Service, including:
- Stripe, Inc. (payments),
- LeadConnector / LC Phone (via Twilio) (telephony/SMS),
- Mailgun Technologies, Inc. (email delivery/verification),
- HighLevel, LLC (GoHighLevel) and its cloud providers (hosting/application operations).
  The current list is maintained at https://clientsflow.io/subprocessors.
Professional advisors (legal, accounting) under confidentiality.
Authorities when required by law or to protect rights, safety, and security.
Corporate transactions (merger, acquisition) subject to appropriate safeguards.

We impose contractual obligations on service providers to use data only as instructed and to protect it appropriately.

6. International Transfers

We are based in Canada and use service providers located in Canada and the United States (and potentially other countries). Where applicable law (e.g., EU/UK GDPR) requires a legal mechanism for cross‑border transfers, we rely on Standard Contractual Clauses and/or other approved mechanisms, implemented through our DPA.

7. Retention

We retain personal information for as long as necessary to fulfill the purposes described above:

Account & Customer Content: retained for the life of the account; available for export for 30 days after termination, then deleted from active systems per our data retention routines (backups may persist for limited periods).
Billing & transactional records: retained for up to 7 years (or longer as required by law and for audit purposes).
Support communications: typically retained for 24 months to improve service and maintain records.

8. Your Rights & Choices

Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, object, or port your personal data, and to withdraw consent where processing is based on consent.

How to exercise: use in‑app settings where available or email [email protected] from your account email. We may request verification to protect your account.
Marketing choices: you can opt out of marketing emails by using the unsubscribe link. For SMS, reply STOP to opt out and HELP for help.
Controller vs. Processor: for requests about data that our customers control (Customer Content), please contact the relevant customer directly. We will support them in responding to your request.

You may also have the right to lodge a complaint with a supervisory authority, such as the Office of the Privacy Commissioner of Canada, your local EEA data protection authority, or the UK ICO.

9. Security

We implement commercially reasonable technical and organizational measures to protect personal information, including access controls, encryption in transit, network monitoring, and least‑privilege practices. No online service can guarantee absolute security.

10. Cookies & Similar Technologies

We use essential cookies necessary to operate the Service (e.g., authentication, security, load‑balancing, preferences). If we introduce analytics or advertising cookies in the future, we will update this Policy and, where required, request your consent via a banner or settings interface.

Do Not Track: we do not respond to browser DNT signals.

11. SMS/Telephony & Email Compliance

If you enable messaging or telephony features, you are responsible for obtaining and recording the necessary consents and providing legally required disclosures (e.g., under CASL, CAN‑SPAM, TCPA, A2P 10DLC). We and our telephony/email providers may collect metadata and deliverability/verification information to comply with carrier and regulatory requirements. You can opt out of marketing SMS by replying STOP.

12. Children

The Service is not directed to children, and we do not knowingly collect personal information from individuals under 16 (or the age of digital consent in their jurisdiction). If you believe a child has provided us personal information, contact [email protected] and we will take appropriate steps to delete it.

13. California & Virginia Notices (U.S.)

No sale or sharing: we do not sell personal information and do not share it for cross‑context behavioral advertising.
Sensitive information: we do not use sensitive personal information for inferring characteristics.
Rights: California/Virginia residents may exercise rights described in Section 8. Authorized agents may submit requests subject to verification.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via email or in‑app prior to the effective date. Your continued use of the Service after the effective date signifies your acceptance of the updated Policy.

15. Contact Us