This Privacy Policy ("Policy") explains how Supaflow LLC ("Supaflow," "we," "us," or "our") collects, uses, and shares information about you when you visit our website at www.supa-flow.io, use our web application at app.supa-flow.io, or otherwise interact with us (collectively, the "Site & Services"). This Policy also describes your rights and choices regarding your information.
Scope and Our Role
Website visitors and marketing interactions. When you browse our marketing website, sign up for a newsletter, contact us through a form, attend our events, or interact with our content, we act as a controller of the information we collect.
Paid Services and Customer Data. When you use our Paid Services (including the Supaflow application and data-pipeline platform) to transmit, process, or ingest your own data ("Customer Data"), we act as a processor on behalf of the Supaflow customer that owns that data. Customer Data is governed by the separate Master Subscription Agreement ("MSA") and Data Processing Addendum ("DPA") between Supaflow and the customer. If this Policy conflicts with an MSA or DPA, the MSA or DPA controls with respect to Customer Data. If your personal information is contained in Customer Data, please contact the relevant Supaflow customer (your employer or the organization whose Supaflow account you use) to exercise rights over that data.
Account and administrative data. Information you provide to create and administer a Supaflow account (name, email, login credentials, billing information) is covered by this Policy.
1. Information We Collect
The information we collect depends on how you interact with us. It falls into the following categories:
Information You Provide Directly
- Contact information: name, work email, company name, job title, phone number, and country, when you submit a form, request a demo, subscribe to communications, or contact us.
- Account information: username, password (hashed and managed by our authentication provider), profile information, and preferences you set in the Supaflow application.
- Billing information: billing address, tax identifiers, and payment card details (which are collected and processed directly by our payment processor; we do not store full card numbers).
- Communications and support: content of messages, support tickets, survey responses, and feedback you voluntarily submit.
- Event and marketing interactions: registration information and attendance records for webinars, events, and community activities.
Information Collected Automatically
- Device and connection data: IP address, browser type and version, operating system, device identifiers, language preferences, and referral URLs.
- Usage data: pages viewed, features used, buttons clicked, time spent, navigation paths, search queries within the Site & Services, page-leave events, error events, and timestamps.
- Approximate location: city- and country-level location derived from your IP address. We do not collect precise geolocation.
- Cookies and similar technologies: as described in Section 6 below.
Information from Third Parties
- Authentication providers: if you sign in using a third-party identity provider (e.g., Google), we receive basic profile information from that provider based on your consent.
- Business enrichment services: we may receive publicly available professional information about you (e.g., company, role, industry) from third-party sales intelligence or marketing enrichment providers.
- Referral partners: if a partner refers you to us, we may receive your contact information from them.
Inferences
We may generate inferences from the categories above to understand your preferences, likely interests, and fit for our products (for example, segmenting you into audience groups for relevant marketing).
Sensitive Personal Information
We do not intentionally collect categories of "sensitive personal information" as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA/CPRA"), or similar state laws (e.g., government identifiers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic or biometric data, health information, or information about sexual orientation). If you voluntarily provide such information to us (e.g., in a free-form support message), we will handle it in accordance with this Policy and applicable law.
2. Sources of Information
- Directly from you, through forms, account interactions, and communications.
- Automatically, through cookies, analytics tools, and server logs when you use the Site & Services.
- From third-party service providers, authentication providers, partners, and publicly available sources.
3. How We Use Information
We use information for the following purposes:
- Providing and operating the Site & Services: authenticating users, delivering features, providing customer support, processing billing, and maintaining security.
- Improving our products: understanding how users interact with the Site & Services, diagnosing issues, and developing new features.
- Marketing and communication: sending administrative communications, providing product updates and newsletters, promoting Supaflow, and measuring the effectiveness of our marketing. You can opt out of marketing communications at any time.
- Analytics and advertising: measuring engagement, understanding our audience, attributing conversions from our advertising campaigns, and personalizing marketing.
- Security and fraud prevention: protecting the Site & Services against abuse, unauthorized access, and fraud.
- Legal compliance: complying with applicable law, responding to legal process, and enforcing our agreements.
- Other purposes with your consent.
4. Legal Bases for Processing (EEA, UK, and Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract: to provide the Site & Services you request or enter into an agreement with you.
- Legitimate interests: to operate, improve, and secure the Site & Services; to communicate with you about Supaflow; to measure and improve our marketing; and to prevent fraud. We balance these interests against your rights and freedoms.
- Consent: where required — for example, for non-essential cookies and certain marketing communications. You may withdraw consent at any time.
- Legal obligation: to comply with applicable laws and regulations.
5. How We Share Information
We share information only as described in this Policy:
Service Providers
We engage third-party service providers that process information on our behalf under written contracts. These include:
- Authentication & identity: Clerk, Inc. (manages user authentication, sessions, and profile data).
- Hosting & database: Supabase (provides managed database services in both the U.S. and EU regions).
- Payments: Stripe, Inc. (processes payments and stores payment method information; we do not store full card numbers).
- Product and website analytics: PostHog, Inc. (collects product usage and behavioral analytics within the application and on portions of our marketing website).
- Marketing analytics & advertising: Google LLC (Google Tag Manager, Google Analytics 4, Google Ads, and related conversion measurement).
- Email, CRM, and productivity: providers that help us send transactional and marketing email, manage prospect and customer relationships, and operate our business systems.
- Cloud infrastructure: providers that host our application, deliver content, and store backups.
- Professional advisors: our lawyers, accountants, auditors, and insurers, under duties of confidentiality.
Corporate Affiliates and Successors
We may share information with our corporate affiliates under this Policy. If Supaflow is involved in a merger, acquisition, reorganization, financing, or sale of assets, information may be transferred to the successor or acquirer, subject to the same protections described in this Policy.
Authorities and Legal Obligations
We may disclose information when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others; investigate fraud; or respond to a government request.
With Your Consent
We may share information with other parties when you direct or consent to the sharing.
Sale and "Sharing" for Cross-Context Behavioral Advertising
We do not sell personal information in exchange for money. However, under the broad definitions of "sale" and "share" in the CCPA/CPRA and certain other U.S. state laws, the use of advertising cookies and similar technologies (such as Google Ads) for attributing conversions and measuring campaign effectiveness may be considered a "sale" or "share" of personal information. You can opt out as described in Section 11 below, including by using the cookie controls described in this Policy or by enabling a Global Privacy Control signal in your browser.
6. Cookies and Tracking Technologies
We use cookies, similar storage technologies, and analytics SDKs to operate the Site & Services, remember preferences, measure performance, and attribute advertising conversions. The main categories are:
| Category | Purpose | Provider | Typical Duration |
|---|---|---|---|
| Strictly Necessary | Authentication, session management, security, and essential site functionality | Supaflow (first-party), Clerk | Session or up to 1 year |
| Preferences | Remembering your choices (e.g., the supaflow_consent cookie for consent, theme, language) | Supaflow (first-party) | Up to 1 year |
| Analytics — Marketing Site | Measuring website traffic and user behavior | Google Analytics 4 (_ga, _ga_*) | Up to 2 years |
| Analytics — Marketing Site and Product | Measuring website traffic, feature usage, and product behavior within the application and on portions of our marketing website | PostHog | Up to 1 year |
| Advertising / Attribution | Attributing ad clicks to signups and measuring campaign performance | Google Ads (_gcl_aw, _gcl_au) | Up to 90 days |
| Tag Management | Deploying and managing other analytics and marketing tags | Google Tag Manager | N/A (loader only) |
Consent and Control
By default, our marketing website blocks Google Analytics and advertising cookies. A consent banner asks you to accept or reject the Google Analytics and advertising cookies.
You can change your preference at any time by clicking "Privacy Settings" in the Site footer, which clears your stored preference and re-displays the consent banner. You can also manage cookies through your browser settings.
Within the Supaflow application (accessed after sign-in), we use essential, preference, and product analytics technologies necessary to operate the service and understand product usage. Where required by applicable law, we obtain your consent.
7. Data Retention
We retain information for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Indicative retention periods include:
- Marketing contacts: up to 3 years after your last interaction with us, or until you opt out or request deletion, whichever is earlier.
- Account data: for the life of your Supaflow account and up to 7 years thereafter for tax, accounting, and legal record-keeping.
- Billing records: up to 7 years, as required by tax and accounting regulations.
- Support tickets and communications: up to 5 years after resolution.
- Website analytics (GA4): up to 14 months, per our Google Analytics retention settings.
- Website and product analytics (PostHog): up to 12 months for identified user events.
- Advertising attribution data: up to 90 days for most attribution cookies.
- Marketing opt-out records: retained indefinitely to honor your opt-out choices.
When we no longer have a legitimate need to process your information, we will delete or anonymize it, or, if deletion is not possible (for example, because the information has been stored in backups), we will securely store your information until deletion is possible.
8. Security
We use reasonable and appropriate administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, modification, disclosure, and destruction. These include encryption in transit, access controls, principle-of-least-privilege access management, and regular security reviews. However, no system is perfectly secure, and we cannot guarantee absolute security.
9. International Data Transfers
Supaflow is headquartered in the United States. When you access the Site & Services from outside the United States, your information may be transferred to, stored, and processed in the United States and other jurisdictions that may have data protection laws different from those in your country.
Where required by applicable law, we use appropriate safeguards for international transfers, which may include: (a) Standard Contractual Clauses approved by the European Commission; and (b) the United Kingdom International Data Transfer Agreement or Addendum to the EU SCCs. Where applicable and only for so long as Supaflow is self-certified under the EU-U.S. Data Privacy Framework, we may also rely on the EU-U.S. Data Privacy Framework and its UK Extension and Swiss-U.S. extensions.
EU data residency. For certain customers and user categories, we offer the option to host Customer Data in European Union data centers via our EU-region database infrastructure. Contact your Supaflow representative for details on EU data residency options.
10. Automated Decision-Making and Profiling
We do not use your personal information to make decisions that produce legal effects concerning you or similarly significantly affect you on a solely automated basis (e.g., automated credit decisions, automated pricing decisions, or automated hiring). We may use basic profiling for marketing segmentation (for example, grouping you into an audience based on company size or industry), but you may opt out of marketing at any time.
11. Your Privacy Rights and Choices
Marketing Opt-Out
You may opt out of marketing emails at any time by clicking the "Unsubscribe" link in any marketing email or by contacting us at legal@supa-flow.io. You will still receive transactional and administrative communications related to your Supaflow account and services.
Account Preferences
You may review and update your account information by signing in to the Supaflow application. If you wish to delete your account, contact us at legal@supa-flow.io.
Cookie Controls
You may manage cookies through our consent banner by clicking "Privacy Settings" in the Site footer, or use the cookie controls described above.
Global Privacy Control (GPC)
On our marketing website and documentation site, if we detect a browser-based Global Privacy Control ("GPC") signal, we treat that signal as (a) a denial of consent for non-essential cookies and similar tracking technologies controlled through our consent tools, and (b) an opt-out of the "sale" or "share" of personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and similar U.S. state laws. A GPC signal will override any prior cookie acceptance for purposes of future processing.
Do Not Track
Because there is no consistent industry standard for "Do Not Track" browser signals, we do not currently respond to DNT signals.
12. Jurisdiction-Specific Rights
U.S. State Residents
If you are a resident of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the following rights over your personal information, subject to exceptions under the applicable law:
- Right to know / access: the categories and specific pieces of personal information we have collected about you.
- Right to delete: your personal information, subject to certain exceptions.
- Right to correct: inaccurate personal information we maintain about you.
- Right to data portability: to receive a copy of your personal information in a portable format.
- Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising or targeted advertising.
- Right to opt out of profiling that produces legal or similarly significant effects (in states that recognize this right).
- Right to limit use of Sensitive Personal Information (California).
- Right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact us at legal@supa-flow.io. We will respond within 45 days of receipt (or the shorter period required by applicable law). We may need to verify your identity before responding — for example, by confirming information associated with your account. You may designate an authorized agent to submit a request on your behalf; we may require written authorization and independent verification of identity.
If we deny your request, you may appeal by replying to our denial with "Appeal" in the subject line. We will respond to your appeal within 60 days (or as required by applicable law). If you are unsatisfied with the outcome, you may have the right to contact your state attorney general or applicable regulator.
California Notice (CCPA/CPRA)
The table below summarizes the categories of personal information (as enumerated in the CCPA) that we collected in the preceding 12 months, the purposes for which we collected each category, and whether we "sold" or "shared" (as those terms are defined under the CCPA/CPRA) any information in that category.
| CCPA Category | Examples | Sold or Shared? |
|---|---|---|
| Identifiers | Name, email, IP address, account identifiers, cookie IDs | Shared for cross-context behavioral advertising (see Section 5) |
| Customer records (Cal. Civ. Code § 1798.80) | Contact information, billing address | No |
| Commercial information | Subscription and transaction records | No |
| Internet or other network activity | Browsing and clickstream, product usage, device, and log data | Shared for cross-context behavioral advertising (see Section 5) |
| Geolocation data | Approximate location (city/country) derived from IP address; no precise location | No |
| Professional or employment information | Company name, job title, industry | No |
| Inferences | Audience segments and preferences derived from other data | No |
| Sensitive Personal Information | We do not intentionally collect sensitive PI | No |
We do not knowingly sell or share the personal information of consumers under 16 years of age.
Right to Limit Use of Sensitive Personal Information. California residents may direct us to limit our use of sensitive personal information. Because we do not intentionally collect or use sensitive personal information for purposes beyond those permitted under CCPA/CPRA § 1798.121(a) (e.g., providing the requested Service), no action is required to limit such use. If this changes, we will update this Policy and offer a clear "Limit the Use of My Sensitive Personal Information" mechanism.
Non-Discrimination. We will not discriminate against you for exercising your privacy rights, and we will not deny you services, charge different prices, or provide a different level or quality of service because you exercised any of your rights.
Washington My Health My Data Act
Supaflow does not knowingly collect "consumer health data" as defined under the Washington My Health My Data Act. If you believe we have collected consumer health data about you, please contact us at legal@supa-flow.io.
EEA, UK, and Switzerland
If you are in the EEA, the UK, or Switzerland, you have the following rights under the GDPR and equivalent laws:
- Right of access to your personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten").
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal).
- Right to lodge a complaint with a supervisory authority. You can find your local authority at edpb.europa.eu.
To exercise these rights, contact us at legal@supa-flow.io.
13. Children’s Privacy
The Site & Services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us at legal@supa-flow.io, and we will take appropriate steps to delete it.
14. Third-Party Links and Services
The Site & Services may contain links to third-party websites, services, or integrations (including data-pipeline connectors you choose to enable). We are not responsible for the privacy practices of those third parties, and their privacy policies govern their handling of your information. We encourage you to review the privacy policies of any third-party service you use.
15. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will take reasonable steps to notify you (for example, by posting a notice on the Site or emailing the address associated with your account). The "Last updated" date at the top of this Policy reflects the most recent changes. Your continued use of the Site & Services after an update constitutes acceptance of the updated Policy.
16. Contact Us
Questions, requests, or complaints about this Policy or our handling of your information:
Supaflow LLC
Email: legal@supa-flow.io