Privacy Policy

Effective April 9, 2026

This Privacy Policy describes how SmartFlowPros ("SmartFlowPros," "we," "us," or "our") collects, uses, and discloses information when you use our Service. We operate from California in the United States.

Quick summary: We collect account and subscription information, service usage data (when enabled), and email campaign/tracking data to provide the Service. We do not sell personal information. If you enable optional marketing technologies, you can opt out at any time using cookie preferences.

1. Scope

This Privacy Policy applies to information collected through the Service. It does not apply to third-party websites or services that you access through integrations (for example, Microsoft, Google, or payment providers), which are governed by their own policies.

2. Information We Collect

2.1 Information you provide

  • Account information: name (if provided), email address, authentication and account details.
  • Subscription and billing: subscription status and payment-related metadata (payment processing is handled by third-party processors).
  • Campaign and recipient data: campaign content, recipient lists, and related information you upload or enter into the Service.
  • Support and communications: messages you send to us and information you choose to share.
  • Preferences: settings such as notification preferences and cookie choices.

2.2 Information collected automatically

  • Usage and device data: pages visited, features used, device/browser information, and performance metrics.
  • Log and security data: approximate IP address, timestamps, and related information needed to secure and operate the Service.
  • Cookies and similar technologies: see Section 6.

Note: Certain analytics endpoints in the Service are designed to store analytics only when you are logged in and have enabled the relevant cookie preferences.

2.3 Email tracking data

If you use email tracking features, the Service may collect events associated with email opens and link clicks (for example, when a tracking pixel loads or a tracked link is clicked). These events may include timestamps, device/browser data, and IP-based approximate location information.

If you upload recipient lists or send tracked emails, you are responsible for providing any notices and obtaining any required permissions from your recipients.

3. How We Use Information

  • Provide and maintain the Service, including sending emails through supported providers and generating analytics.
  • Security and fraud prevention, including protecting accounts and preventing abuse.
  • Customer support and responding to requests.
  • Improve the Service, including debugging, performance optimization, and developing new features.
  • Compliance with legal obligations and enforcing our Terms.

4. How We Disclose Information

We may disclose information in the following circumstances:

  • Service providers that help us operate the Service (for example, hosting, analytics, payment processing, and email provider integrations such as Microsoft and Google). These providers are permitted to process information only to provide services to us (subject to their own terms and applicable law).
  • AI service providers: if you enable the optional AI auto-reply feature, reply content (limited excerpts) may be sent to AI providers (such as Anthropic or OpenAI) to generate contextual draft replies on your behalf. This is opt-in only and can be disabled at any time in your account settings.
  • Legal and safety: to comply with law, respond to lawful requests, or protect rights, safety, and security.
  • Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets.

5. California Privacy Rights (CPRA/CCPA)

If you are a California resident, you may have certain rights regarding your personal information, subject to legal exceptions and verification.

5.1 Notice at collection (high-level)

  • Categories: identifiers (such as email), internet/network activity (such as usage), commercial information (subscription status), and other information you provide through the Service.
  • Purposes: operate the Service, security, support, improvement, and compliance.
  • Retention: we retain information as long as needed for the purposes described in this Policy, including while your account is active, and longer as required for legal/compliance reasons.

5.2 Your rights

  • Right to know/access: request the categories and specific pieces of personal information we collected about you.
  • Right to delete: request deletion of certain personal information.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: opt out of "selling" or "sharing" (as defined by California law) personal information, if applicable.
  • Right to limit use of sensitive personal information: to the extent we use sensitive personal information beyond what is necessary to provide the Service.
  • Non-discrimination: you will not be discriminated against for exercising your rights.

5.3 How to exercise your rights

  • Privacy requests: email [email protected] with the subject "Privacy Request".
  • Cookie-based opt outs: use the cookie preferences controls (see Section 6).
  • Authorized agent: you may use an authorized agent; we may request proof of authorization and verify your identity directly.

We will take reasonable steps to verify your request and respond within the time required by California law (generally 45 days, with extensions where permitted).

5.4 Sale and sharing

We do not sell personal information. We may use optional analytics and marketing technologies depending on your cookie preferences. To the extent those technologies constitute "sharing" for cross-context behavioral advertising under California law, you can opt out by disabling marketing cookies in your cookie preferences.

6. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Service, remember preferences, understand usage, and (if enabled) support marketing and personalization features. You can manage your preferences using the cookie banner and settings controls available on the site.

  • Essential: required for login, security, and core functionality.
  • Analytics: helps us understand how the Service is used and how it performs.
  • Marketing: may be used to measure marketing performance and deliver more relevant messaging.
  • Personalization: may be used to remember preferences and improve your experience.

You can update cookie preferences at any time via the cookie settings controls or your account settings.

6.1 Opt-out preference signals (Global Privacy Control / DNT)

We honor browser-level opt-out preference signals. If your browser sends a Sec-GPC: 1 request header (Global Privacy Control) or the legacy DNT: 1 request header (Do Not Track), we treat your visit as an opt-out from analytics and marketing categories of cookies and tracking. No banner is shown, and our analytics endpoints will not record events from your session. Essential cookies still operate as required to provide the Service.

Global Privacy Control is recognized as an opt-out preference signal under California Consumer Privacy Act regulations (11 CCR §7025). You can verify the signal at globalprivacycontrol.org.

7. Data Retention

We retain information for as long as needed to provide the Service and for legitimate business purposes such as security, compliance, dispute resolution, and enforcing agreements. If you request deletion, we will delete or de-identify information where required and feasible, subject to legal exceptions.

General retention periods:

  • Email tracking and analytics data: up to 24 months from collection.
  • Account data: duration of active account, plus 30 days after account deletion request is processed.
  • Billing and transaction records: up to 7 years, as required for tax and legal compliance.
  • Security and access logs: up to 12 months.
  • Gmail-derived reply data: up to 90 days from receipt (see Section 11).

Actual retention may vary based on legal requirements, ongoing disputes, or legitimate business needs.

8. Security

We use reasonable administrative, technical, and physical safeguards designed to protect information. However, no method of transmission or storage is 100% secure.

For a high-level overview of security controls and privacy features, see our Security & Privacy page.

9. International Processing

We are based in the United States and may process information in the United States and other locations where our service providers operate.

9.1 GDPR (EEA/UK) notice

If you are located in the EEA/UK, GDPR may apply. SmartFlowPros is GDPR compliant as a data processor for customer account and campaign data processed on behalf of our customers. Customers are typically the data controller for recipient outreach (including lawful basis, notices, and consent where required).

  • DSAR support: users can submit privacy requests and export/delete account data in-app.
  • Security: we use administrative and technical safeguards designed to protect personal data.
  • Subprocessors: we use service providers for hosting, edge/CDN, and billing; email providers are used as configured by your account.

10. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us and we will take appropriate steps.

11. Google API Data & Limited Use Disclosure

SmartFlowPros integrates with Google APIs to provide email sending and reply detection features for users who connect their Gmail or Google Workspace accounts.

11.1 What Google data we access

  • Gmail send scope: used to send emails on your behalf through your connected Gmail account.
  • Gmail read-only scope: used solely to detect replies, out-of-office auto-replies, bounces, and left-company notifications from recipients of your email campaigns. We access only inbox messages relevant to your active campaigns.
  • Profile information: your Google email address, used to associate your account with the connected Gmail inbox.

11.2 How we store and protect Google data

  • OAuth tokens: access and refresh tokens are encrypted at rest using industry-standard encryption (Fernet/AES). Tokens are never stored in browser cookies or session storage.
  • Reply content: when a reply to your campaign is detected, we store a truncated version of the reply (subject, sender, and a limited excerpt of the body) to display in your reply inbox. Reply content is encrypted at rest.
  • Retention: reply data is automatically purged after 90 days. You can also delete all Gmail-derived data at any time by disconnecting your Google account in Settings, or by deleting your account.

11.3 Limited Use disclosure

SmartFlowPros' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we confirm that Google user data accessed by SmartFlowPros is:

  • Used only to provide and improve user-facing features that are prominent in the application's user interface (reply detection, inbox display, and campaign management).
  • Not used for serving advertisements or ad targeting.
  • Not sold to or shared with third parties, except as described in Section 4 (service providers necessary to operate the Service).
  • Not used to determine creditworthiness or for lending purposes.
  • Not used to train generalized machine learning or AI models (the optional AI auto-reply feature uses your data only to generate responses for your specific account and does not contribute to model training).

Human access to Google user data is limited to cases where: (a) you provide explicit consent, (b) it is necessary for security purposes (such as investigating abuse), (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.

11.4 Managing your Google data

  • Disconnect: you can disconnect your Google account at any time from Settings. This revokes our access and deletes all stored Google tokens and Gmail-derived reply data.
  • Delete account: deleting your SmartFlowPros account removes all data, including any Gmail-derived content.
  • Export: you can export your data (including reply history) from your account settings.

12. Information for Email Recipients

If you receive an email sent through the Service, the sender is responsible for the message and any required notices. If an email includes an unsubscribe link, you can use it to opt out of future messages from that sender.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to provide notice. The "Last updated" date below indicates when the policy was last revised.

14. Contact

Privacy questions or requests: [email protected].

Last updated: April 9, 2026