Privacy Policy

Last updated: March 19, 2026

1. Who we are

AgenciesFlow ("we," "us," or "our") operates the AgenciesFlow platform, a SaaS tool for agencies to capture and manage leads and client onboarding. Our contact email is support@agenciesflow.com.

2. What data we collect

We collect data in two ways:

  • Account data — your name, email address, and organization name when you sign up or update your profile.
  • Lead and contact data — the names, email addresses, phone numbers, and messages submitted through your intake forms. You control this data; we process it on your behalf.
  • Usage data — actions you take inside the app (e.g., leads created, statuses changed) for the activity log and analytics features.
  • Technical data — IP address, browser type, and request metadata, collected automatically for security and rate-limiting purposes.
  • Billing data — your billing details are collected and stored by Paddle; we only receive a subscription status and customer ID.

3. How we use your data

  • To provide and operate the AgenciesFlow platform
  • To process leads and run AI enrichment on your behalf
  • To send email notifications (new leads, invites) that you have opted into
  • To manage your subscription via Paddle
  • To detect abuse, enforce rate limits, and maintain platform security
  • To generate aggregate, anonymized analytics about platform usage

We do not sell your data to third parties, use it for advertising, or share it with anyone except the sub-processors listed below.

3a. Legal basis for processing (GDPR)

Under the General Data Protection Regulation, we rely on the following legal bases:

  • Contract performance — processing your account data, lead data, and billing data is necessary to provide the AgenciesFlow platform you signed up for (Article 6(1)(b)).
  • Legitimate interest — we process technical data (IP address, request metadata) to maintain platform security, prevent abuse, and improve our services (Article 6(1)(f)). We have assessed that these interests do not override your rights.
  • Legal obligation — we retain certain billing records as required by applicable tax and financial regulations (Article 6(1)(c)).

Where we act as a data processor on your behalf (processing lead and contact data submitted through your intake forms), you are the data controller and are responsible for ensuring a valid legal basis for that processing.

4. AI processing

Lead messages submitted through your intake form are sent to OpenAI's API for enrichment (scoring, summarising, generating follow-up questions). OpenAI processes this data as a data processor under their API Data Usage Policy. We do not use your data to train AI models.

5. Sub-processors

ProcessorPurposeLocation
SupabaseAuth, database hostingEU / US
OpenAIAI lead enrichmentUS
ResendTransactional emailUS
PaddleBilling and paymentsUS
RailwayAPI and worker hostingUS
VercelFrontend hostingGlobal CDN
SentryError monitoring (optional)US

6. Data retention

Your account and lead data is retained for as long as your account is active. If you cancel and request account deletion, we will delete your data within 30 days, except where we are required to retain it for legal or billing purposes.

7. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict certain processing
  • Request a portable copy of your data

To exercise any of these rights, email support@agenciesflow.com. We will respond within 30 days.

7a. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know — you may request what personal information we have collected, the categories of sources, and the business purpose for collection.
  • Right to delete — you may request deletion of your personal information, subject to legal exceptions.
  • Right to opt out of sale — we do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise these rights, email support@agenciesflow.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

In the preceding 12 months, we have collected the categories of personal information described in Section 2 above. We have not sold personal information to third parties.

8. Cookies

AgenciesFlow uses only essential cookies required for authentication (Supabase session token). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie banner is required.

9. Security

All data is transmitted over HTTPS. Passwords are managed by Supabase Auth and are never stored by AgenciesFlow. We use HMAC-SHA256 to verify webhook payloads. Access to production systems is restricted to authorised personnel.

10. Children

AgenciesFlow is a business tool not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or an in-app notice. Continued use of the platform after the effective date constitutes acceptance.

12. Contact

For any privacy questions, email support@agenciesflow.com.

Terms of ServiceRefund Policy