Last updated: July 13, 2021
This privacy notice applies to Userflow Inc. (“Userflow,” “we,” “our,” “us”).
The privacy of your data — and it is your data, not ours! — is a big deal to us. To be crystal clear - Userflow does not and will not ever sell your data (nor your users’ data) to third parties. We’ll only ever access your account to help you with a problem or squash a software bug. We’ll never open any uploaded files unless you ask us to. We log all access to all accounts by IP address, so we can always verify that no unauthorized access has happened for as long as the logs are kept.
When you sign up for Userflow, we ask for your name, company name, and email address. That’s just so you can personalize your new account, and we can send you invoices, updates, or other essential information. We’ll never sell your personal info to third parties, and we won’t use your name or company in marketing statements without your permission, either.
You always have the right to access the personal information we store about you. And, if you wish to further limit our use of your personal information, please contact us.
Users of Userflow can store any type of information in Userflow, but Userflow does not access or share that data, and does not know what type of data you or other users are storing. The data is only used by the account owner and invited users as they intend to use it.
When you pay for Userflow, we ask for your credit card and billing address. That’s so we can charge you for service, calculate taxes due, and send you invoices. Your credit card is passed directly to our payment processor and doesn’t ever go through our servers. We store a record of the payment transaction, including the last 4 digits of the credit card number, for account history, invoicing, and billing support. We store your billing address to calculate any sales tax due in the United States, to detect fraudulent credit card transactions, and to print on your invoices. If you want to change your billing address then reach out to firstname.lastname@example.org.
When you write Userflow with a question or to ask for help, we’ll keep that correspondence, and the email address, for future reference. When you browse our marketing pages, we’ll track that for statistical purposes (like conversion rates and to test new designs). We also store any information you volunteer, like surveys, for as long as it makes sense.
The only times we’ll ever share your info:
Userflow does not share individual’s personal data with non-agent third parties. If this policy changes in the future, we will notify individuals and provide them with an opportunity to opt-out of having their data shared.
You may have heard about the General Data Protection Regulation (“GDPR”) in Europe. GDPR gives people under its protection certain rights with respect to their personal information collected by us on the Site. Accordingly, Userflow recognizes and will comply with GDPR and those rights, except as limited by applicable law. The rights under GDPR include:
Many of these rights can be exercised by signing in and directly updating your account information. If you have questions about exercising these rights or need assistance, please contact us at email@example.com.
You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en
As part of the services we provide, and only to the extent necessary, we may use certain third party processors to process some or all of your personal information. For identification of these processors, and where they are located, please see our Subprocessor listing. We have signed appropriate data processing contracts that comply with GDPR with each processor.
All data is encrypted via SSL/TLS when transmitted from our servers to your browser. The database backups are also encrypted. Data isn’t encrypted while it’s live in our database (since it needs to be ready to send to you when you need it), but we go to great lengths to secure your data at rest—you can read more about that on our security page.
For more information about how we keep your information secure, please review our security overview.
In order to improve our services and the website, and provide more convenient, relevant experiences to you, we and our vendors may use “cookies”, “web beacons”, and similar devices to track your activities.
You understand that Userflow uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to provide you with our services. A current list of vendors is available upon request.
When you cancel your account, you can request to get your data deleted on firstname.lastname@example.org. Userflow furthermore reserves the right to delete your data 60 days after you have canceled your account. This information can not be recovered once it has been permanently deleted.
The GDPR requires that any data transferred out of the EU must be treated with the same level of protection that the EU privacy laws grant. The privacy laws of the United States generally do not meet that requirement. That is why since GDPR went into effect, Userflow has offered a data processing addendum and voluntarily participated in the EU-US Privacy Shield Framework as well as the Swiss-US Privacy Shield Framework.
We have incorporated a Data Processing Addendum to our Terms of Service that is in effect when the GDPR applies to your use of Userflow Services to process Customer Data as defined in the DPA. You can find the DPA linked within clause 5 of the Security and Privacy section in the Terms. The DPA includes the European Commission’s Standard Contractual Clauses to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed. Furthermore to aid our customers, we have provided summary of GDPR in our Privacy Regulation Reference.
To get an executed copy of the Data Processing Addendum, you should sign a copy following the instructions listed in our Terms of Service and Privacy Regulation Reference. Regardless of whether you execute or not, we protect and secure your data to the high standards set out in the addendum.
There are also a few ad-hoc cases where EU personal data may be transferred to the US related to Userflow, Inc. operations. For instance, if someone in the US comments on our company blog or a customer participates in one of our infrequent surveys or someone applies to one of our open positions or buys swag on our company shop. Such transfers are only occasional and transferred under the Article 49(1)(b) derogation under GDPR.
The EU-US Privacy Shield is an agreement between certain European jurisdictions and the United States that up until July 16, 2020, allowed for the transfer of personal data from the EU to the US. Participation in the Privacy Shield program is voluntary. The Swiss-US Privacy Shield is a similar program for data transferred to the US from Switzerland that was in effect until September 8, 2020.
Userflow is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with regard to the Privacy Shield Frameworks.
Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
While we may be required to disclose your personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements, Userflow won’t otherwise hand your data over to law enforcement unless a court order says we have to. We flat-out reject such other requests from local and federal law enforcement when they seek data without a court order. And unless we’re legally prevented from it, we’ll always inform you when such requests are made. We will provide delayed notice if the legal prohibition is lifted.
Userflow’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Userflow remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Userflow proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, Userflow commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, United Kingdom, and Swiss individuals with Privacy Shield inquiries or complaints should first contact Userflow by email at email@example.com or via post at:
Userflow, Inc., 548 Market St PMB 69598, San Francisco, CA 94104-5401, USA.
Userflow has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints for more information and to file a complaint.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
This Site is operated in the United States. If you are located in the European Union or elsewhere outside of the United States, please be aware that any information you provide to us will be transferred to the United States. By using our Site, participating in any of our services and/or providing us with your information, you consent to this transfer.
Userflow may update this policy once in a blue moon — we’ll notify you about significant changes by emailing the account owner or by placing a prominent notice on our site. You can access, change or delete your personal information at any time by contacting us at firstname.lastname@example.org, or by mail at Userflow Inc., 548 Market St PMB 69598, San Francisco, CA 94104-5401, USA.
This policy have been adapted from the Basecamp open-source policies / CC BY 4.0.