AIFlow
01 — Privacy

Privacy Policy

Effective 2026-04-15AIFlow[email protected]

We try to collect as little as possible, keep it only as long as we need to, and be honest about what we do with it. This page explains the details.

01 · Who we are

AIFlow (operating under the legal entity AIFlow, registered at #154 Patiala Hirabagh, India in India) is the data controller for the personal data processed through aiflow.in and any associated subdomains (the “Service”). If you have any question about this policy, or wish to exercise a right described below, you can reach us at [email protected].

02 · What we collect

We only collect what we need to run a small digital storefront. In practice that means:

  • Account data. Your email address, a hashed password (if you choose password auth), and your display name.
  • Billing data. Name, billing address, VAT or GST number if supplied, and the last four digits and brand of your card. Full card numbers never touch our servers — they are collected directly by Stripe in your browser.
  • Order data. The packs you bought, the price you paid, invoice numbers, refund and chargeback history, and the download tokens we generate for delivery.
  • Technical data. IP address, user-agent string, approximate city-level geolocation derived from IP, the pages you visited on aiflow.in, and timestamps.
  • Communications. Emails you send us, and our replies, retained for support history.

03 · Why we collect it (lawful bases)

Under the EU/UK GDPR we rely on the following lawful bases for processing:

  • Contract — to create your account, deliver the packs you purchased, and provide customer support.
  • Legal obligation — to issue tax-compliant invoices, retain accounting records, and respond to lawful requests from authorities.
  • Legitimate interests — to secure the Service against abuse, to prevent fraud, and to understand how visitors use our pages so we can improve them. We keep this processing minimal and documented.
  • Consent — for non-essential cookies, analytics beyond aggregate counts, and for marketing emails. You can withdraw consent at any time.

04 · Who we share it with

We do not sell personal data. We share strictly what is necessary with the following processors, each bound by a data processing agreement:

  • Stripe — payments, tax calculation, invoicing, fraud prevention. Stripe acts as an independent controller for some fraud-prevention processing.
  • Resend — transactional email delivery (receipts, download links, password resets, DMCA notices).
  • Cloudflare — CDN, DDoS mitigation, TLS termination, bot filtering.
  • Vercel — hosting, build pipelines, edge routing.
  • Plausible — privacy-respecting, cookie-less product analytics.

When a processor is located outside of the EEA, we rely on the European Commission’s Standard Contractual Clauses or an equivalent adequacy mechanism for the transfer.

05 · How long we keep it

  • Account records — for as long as your account is active, then up to 24 months after the last login, after which we anonymise or delete.
  • Invoices and tax records — retained for the minimum period required by the tax law of India (typically seven to ten years).
  • Server and access logs — retained for thirty days for security and incident response.
  • Support emails — retained for twenty-four months from the last message in the thread.

06 · Your rights

Wherever you live, you can ask us for a copy of the personal data we hold about you, ask us to correct it if it is wrong, or ask us to delete it. If you are in the EU, the UK, or another GDPR-aligned jurisdiction, you additionally have the right to object to processing based on legitimate interests, the right to restrict processing, the right to data portability, and the right to lodge a complaint with your local supervisory authority (for EU residents, this is usually the DPA of the Member State where you live).

To exercise any right, email [email protected] from the address on file. We reply within thirty days and never charge a fee for a reasonable first request.

07 · Security

We encrypt traffic in transit with TLS 1.2 or higher, encrypt database backups at rest, store passwords using a memory-hard hash (argon2id), rotate access credentials on a schedule, and scope database access to the minimum necessary engineers. No system is perfectly secure, and in the unlikely event of a breach we will notify affected users and the relevant authorities without undue delay and in any case within 72 hours of discovery, as required by Article 33 GDPR.

08 · Children

AIFlow is intended for professionals and is not directed at children under the age of sixteen. We do not knowingly collect personal data from children. If you believe a child has given us personal data, contact us and we will delete it.

09 · Changes to this policy

We will update this policy from time to time. When we do, we will change the “Effective” date at the top and, for material changes, notify registered users by email at least fourteen days before the change takes effect.