AgentFlow.

Legal

Privacy Policy

How AgentFlow Ventures Ltd. collects, uses and protects your information when you use AgentFlow Compliance.

Last updated: February 23, 2026

1. Introduction

This Privacy Policy explains how AgentFlow Ventures Ltd. ("AgentFlow", "we", "us", "our") collects, uses, discloses and protects personal data when you use our website, applications and related services (the "Service"). It applies to all visitors and customers regardless of jurisdiction. We have written it to meet the spirit of leading privacy frameworks including the EU GDPR, the UK GDPR and the CCPA.

2. Data controller

The data controller for personal data processed through the Service is:

AgentFlow Ventures Ltd.
Cayman Islands
Contact: support@agentflow.ventures

3. Data we collect

Information you provide directly

  • Account data: email address, name, password hash, profile preferences.
  • Workspace data: workspace name, team-member emails and roles.
  • Customer Content: documents, contracts, policies and free-form text you upload or paste into the Service for scanning.
  • Communications: messages you send to our support team.
  • Marketing data: information you enter on our waitlist or free risk-score lead form (email, business type, employee count).

Information collected automatically

  • Usage data: pages viewed, features used, error logs, request timestamps.
  • Technical data: IP address, browser type and version, operating system, device identifiers.
  • Cookies: see section 10.

Information from third parties

  • Payments: limited information from our payment processor (last four digits of card, transaction status, country). We never see or store full card numbers.
  • Authentication: if you sign in with a third-party identity provider, that provider may share basic profile information with us.

4. How we use data

We use personal data to:

  • operate, deliver and improve the Service;
  • authenticate users and prevent fraud and abuse;
  • process payments and manage subscriptions;
  • generate AI compliance scans, summaries and reports for your account;
  • send transactional emails (login links, scan alerts, weekly digests);
  • respond to support requests;
  • send marketing emails to people who have opted in (you can unsubscribe at any time);
  • comply with legal obligations and enforce our agreements.

5. Lawful basis (GDPR)

Where GDPR applies we rely on the following lawful bases:

  • Contract: to provide the Service you have purchased.
  • Legitimate interests: to secure the Service, prevent fraud, improve features and contact existing customers about product updates.
  • Consent: for marketing emails to non-customers and for non-essential cookies. You can withdraw consent at any time.
  • Legal obligation: to retain tax and billing records.

6. Third-party processors

We share personal data with carefully selected third-party processors strictly to deliver the Service. Categories include:

  • Cloud hosting — to run our application servers and databases.
  • AI model providers — to generate compliance analyses; document text is sent to the model provider for inference only and is not retained by them for training.
  • Email delivery — to send transactional and (where consented) marketing emails.
  • Payment processing — currently Paddle.com, who acts as the merchant of record and handles all card data.
  • Analytics & error monitoring — to track usage in aggregate and diagnose errors.

All processors are bound by written agreements that require appropriate technical and organisational safeguards.

7. Storage & security

We host the Service on reputable cloud infrastructure providers using global infrastructure. Personal data is encrypted in transit (TLS) and at rest (AES-256). We restrict access on a need-to-know basis, require strong authentication for our team, log access, and continuously monitor for security events. No security model is perfect; if we ever experience a breach affecting your data we will notify you and the relevant authorities as required by law.

8. AI processing

Documents you submit for scanning are sent to a large-language-model provider purely to perform that scan. We have configured the integration so that your content is not used by the provider to train shared foundation models. Outputs (risk scores, summaries, recommended fixes) are stored in your workspace for your reference and may be aggregated, in fully de-identified form, to improve AgentFlow's own product quality.

9. Google APIs & Limited Use

AgentFlow Compliance offers an optional integration with Google Drive so that workspace users can pick contracts and policies from their Drive and import them into AgentFlow for scanning. This integration uses the Google OAuth 2.0 flow and the Google Drive API.

What scopes we request

  • https://www.googleapis.com/auth/drive.file — read access limited to the specific files you explicitly select via the Google Picker. We do not request access to your entire Drive, your folders, or files you have not selected.

How we use the data we receive

  • We download the file contents you select, extract the text (using the same pipeline as direct uploads), and store the extracted text as a Document inside your AgentFlow workspace.
  • We do not read, scan, index or share any other file in your Drive. We do not enumerate your Drive structure.
  • We do not use Google user data to train, improve or otherwise develop machine-learning models, including our own. Document text sent to AI model providers for analysis is used only to generate that scan's output.
  • We do not sell, rent or transfer Google user data to data brokers, advertising networks, or any party for advertising, credit-worthiness, or any other purpose unrelated to providing AgentFlow Compliance to you.
  • Human review of Google user data is limited to: (a) with your explicit consent, (b) to comply with applicable law, (c) for security investigations, or (d) where the data has been aggregated and anonymised.

Storage & revocation

OAuth refresh tokens are stored encrypted at rest. You can disconnect Google Drive at any time from Settings → Connected accounts; doing so revokes our token with Google and deletes the credential from our database. Any Documents already imported remain in your workspace as if you had uploaded them directly.

AgentFlow's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

10. Retention

  • Account data: kept while your account is active and for up to 24 months after deletion to satisfy legal and audit obligations.
  • Customer Content: kept while your account is active. You can delete individual documents at any time. On account deletion we remove your content from production systems within 30 days; backups roll off within 60 days.
  • Billing records: kept for up to 10 years to satisfy tax and accounting laws.
  • Marketing data: kept until you unsubscribe or 36 months of inactivity.

11. Cookies & analytics

We use a small number of cookies: a session cookie to keep you logged in (strictly necessary), and aggregate analytics cookies to understand which features are used. Where required by law we ask for consent before setting non-essential cookies. You can clear or disable cookies in your browser settings; this may break parts of the Service.

12. Your rights

Depending on your location you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion; object to or restrict processing; receive a portable copy; and lodge a complaint with a supervisory authority. To exercise any of these rights email support@agentflow.ventures and we will respond within 30 days. We will not discriminate against you for exercising your rights.

13. International transfers

AgentFlow operates from the Cayman Islands and uses global infrastructure providers. Personal data may be processed in jurisdictions other than your own. Where transfers from the European Economic Area or the United Kingdom occur, we rely on the standard contractual clauses approved by the relevant authorities, or on other appropriate transfer mechanisms.

14. Children

The Service is not directed at children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, please contact us and we will delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or in-product notice at least fourteen (14) days before they take effect. The "Last updated" date at the top of this page reflects the latest revision.

16. Contact

For any privacy questions, requests or complaints, email support@agentflow.ventures.

AgentFlow Ventures Ltd.
Cayman Islands