Privacy Policy

Updated: June 2025

1. Introduction and Scope

Cloneflow and its affiliates (collectively, “Cloneflow,” “we,” “us,” or “our”) maintain this Privacy Policy (the “Policy”) to describe in detail how any information that may be provided, submitted, or otherwise transmitted (the “Information”) is collected, processed, stored, utilized, disclosed, and otherwise handled through the website, applications, APIs, and related services (collectively, the “Services”), without identifying or specifying particular data elements beyond the general categories set forth herein.

This Policy is effective as of June 2025 and governs all individuals (“Users,” “you,” or “your”) who interact with or access the Services, irrespective of geographic location or local jurisdictional requirements.

By accessing or using any portion of the Services, you expressly consent to the practices described in this Policy, as well as to our Terms of Service, which are hereby incorporated by reference.

2. Definitions and Interpretive Principles

3. Categories of Information Collected

Without limitation, and without implying that all categories below are collected in every instance of use, the following general categories of Information may be Processed in connection with the Services:

• A. User-Generated Data: Information voluntarily submitted by Users through the Services, which may include text, code, content fragments, or analogous data that is explicitly provided to the Services in order to enable User-directed functionality.
• B. Device and Technical Metadata: Browser type, operating system, device identifiers, IP addresses, timestamps, usage statistics, and similar technical metadata collected to ensure secure access, error diagnosis, analytics, and performance optimization.
• C. Third-Party Integration Data: Any data exchanged with third-party platforms or services pursuant to connectors, plugins, or APIs authorized by the User to facilitate interoperability.
• D. Aggregated and Anonymized Analytics Data: De-identified metrics and usage patterns derived from the aggregate behavior of Users, which cannot be linked back to specific individuals, used solely for internal reporting and continuous improvement of the Services.
• E. Any Other Information: Additional categories of Information that may be necessary to comply with legal, regulatory, or security obligations, or to effectuate updates, bug fixes, or similar enhancements to the Services, as described more fully in Section 6 below.

4. Purposes of Processing

Cloneflow may Process any combination of the above-described categories of Information for one or more of the following legitimate purposes (each, a “Permitted Purpose”), without reliance on further User notice or consent, except where required under applicable law:

1. Provisioning and Support of the Services: To enable functionality requested by Users, including but not limited to storage, retrieval, rendering, or transmission of User-Provided Data; to authenticate and authorize User access; and to facilitate any third-party integrations or authorized data exchanges.
2. Service Improvement and Enhancement: To analyze usage data, identify patterns, diagnose errors, optimize performance, and develop, test, or roll out new features, enhancements, and bug fixes.
3. Security, Fraud Prevention, and Risk Management: To secure the Services against unauthorized access, credentials misuse, or malicious activity; to detect, prevent, or mitigate fraud, intrusion, or security threats; and to maintain, test, or improve resilience, audit trails, and incident response processes.
4. Compliance and Legal Obligations: To comply with applicable laws, regulations, legal processes, audits, or requests by governmental authorities; to enforce our Terms of Service, as well as to respond to lawful requests, subpoenas, or discovery obligations.
5. Business Operations: To manage internal business reporting, invoicing, billing, account management, and communications regarding updates, enhancements, or changes to the Services.
6. Consent-Based Marketing (where applicable): Only if and to the extent that Users explicitly opt in, to send marketing communications, newsletters, promotional materials, surveys, or solicit feedback.

5. Legal Bases for Processing (Where Applicable)

5.1 European Economic Area (EEA)

For Users who are residents of the European Economic Area (“EEA”), the lawful bases for Processing Information include, as applicable:

• Consent: Where we have obtained explicit consent for a specific Processing purpose.
• Performance of a Contract: Where Processing is necessary to fulfill our contractual obligations to Users or to enable Users to benefit from the Services.
• Legal Obligation: Where Processing is necessary for compliance with a legal obligation to which Cloneflow is subject.
• Legitimate Interests: Where Processing is necessary for Cloneflow’s or a third party’s legitimate interests, provided such interests are not overridden by the rights and freedoms of the User.

5.2 California (CCPA/CPRA)

For Users who are residents of California, Cloneflow collects and processes Information under the following categories:

• Business-to-Business Exemption (where applicable): For commercial or transactional purposes between businesses, exempt from certain CCPA obligations.
• No Sale of Personal Information: Cloneflow does not “sell” Information as defined under the CCPA; however, if any sale or disclosure occurs, Users have the right to opt out.
• Disclosures to Service Providers: Shared with third-party Processors under contractual obligations that prohibit the use of Information for any purposes other than those explicitly described herein.

6. Data Sharing and Disclosure

6.1 Third-Party Processors and Affiliates

Cloneflow engages certain third-party service providers and subcontractors (collectively, “Processors”) to perform functions such as cloud hosting, data storage, customer support, payment processing, analytics, and security monitoring.

All Processors are contractually bound to use Information solely for the Permitted Purposes and to implement appropriate security measures.

6.2 Legal Compliance and Enforcement

We may disclose Information if we believe in good faith that such disclosure is necessary to:

1. Comply with any applicable law, regulation, court order, subpoena, or other legal process.
2. Enforce or apply our Terms of Service, or investigate potential violations thereof.
3. Protect the rights, property, or safety of Cloneflow, our Users, or the public.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, financing, sale of assets, or other corporate transaction involving Cloneflow or its affiliates, Information may be transferred or assigned to the acquiring or surviving entity, provided that such entity agrees to comply with this Policy or a similar policy.

6.4 Aggregated or De-Identified Data

Cloneflow may aggregate or otherwise de-identify Information in a manner that no longer identifies (or is no longer reasonably capable of identifying) any particular individual or entity.

Such aggregate or de-identified data may be used by Cloneflow or shared with third parties for any purpose, including but not limited to analytics, benchmarking, research, advertising, or promotional uses.

7. Data Security Measures

Cloneflow employs a layered approach to security and data protection, including administrative, technical, and physical safeguards designed to protect Information against unauthorized access, disclosure, alteration, and destruction.

Key measures include, but are not limited to:

1. Encryption in Transit and at Rest: All Information is encrypted using Transport Layer Security (TLS 1.2 or higher) when transmitted; at rest, Information is encrypted with AES-256 or equivalent standards.
2. Access Controls: Access to Information is restricted to authorized personnel on a least-privilege basis, with multi-factor authentication (MFA) enforced for administrative accounts.
3. Network and Application Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), web application firewalls (WAF), and regular vulnerability assessments/penetration tests are employed to safeguard the infrastructure.
4. Secure Development Lifecycle: Development of the Services adheres to secure coding practices, code reviews, and automated vulnerability scanning to minimize risks of code-level vulnerabilities.
5. Incident Response and Notification: Cloneflow maintains an incident response plan to promptly investigate, mitigate, and communicate any data breach or security incident, and will comply with applicable breach notification laws (e.g., GDPR’s 72-hour rule, relevant U.S. state laws).

8. Data Retention and Deletion

8.1 Retention Periods

Cloneflow retains Information for only as long as necessary to fulfill the Permitted Purposes, subject to the following:

1. Active Account Data: Information associated with active User accounts is retained until termination or deletion of such accounts, plus a reasonable period thereafter to allow for business continuity, legal obligations, or dispute resolution (not to exceed three (3) years unless otherwise required by law).
2. Transactional and Audit Logs: Technical metadata, logs, and transaction records may be retained for regulatory compliance, auditing, or security evidence for up to seven (7) years, or as required by applicable laws or contractual obligations.
3. Aggregate and Anonymized Data: Aggregate or de-identified data may be retained indefinitely for research, analytics, or benchmarking, since it does not identify any specific individual.

8.2 Deletion Requests

Users may request deletion of their Information by submitting a request as described in Section 11 below.

Upon verification of identity, Cloneflow will delete or irreversibly anonymize the requested Information within thirty (30) days, except to the extent necessary to comply with legal obligations, resolve disputes, enforce agreements, or any other reason permitted under applicable law.

9. Cross-Border Data Transfers

Information may be transferred, stored, and processed in jurisdictions outside your country of residence, including the United States or any other region in which Cloneflow or its Processors maintain facilities.

Where such transfers occur, Cloneflow implements appropriate safeguards to ensure an adequate level of protection, such as:

1. Standard Contractual Clauses (SCCs): For transfers from the EEA or other regions where SCCs are required, Cloneflow or its affiliates execute the European Commission’s Standard Contractual Clauses with recipients of Information.
2. Binding Corporate Rules (BCRs): In certain circumstances, transfers to affiliates are governed by Binding Corporate Rules under applicable data protection frameworks.
3. Other Permissible Mechanisms: As otherwise permitted under applicable law, including explicit User consent or certification under recognized frameworks (e.g., EU-U.S. Data Privacy Framework).

10. User Rights and Choices

10.1 Access, Rectification, and Deletion

Where applicable (e.g., under GDPR, CCPA/CPRA, and similar laws), Users have the right to:

1. Access: Obtain a copy of the Information we hold about them, as well as details regarding Processing activities.
2. Rectification: Request correction of inaccurate or incomplete Information.
3. Deletion (Right to be Forgotten): Request deletion of Information, subject to exceptions for legal compliance, legitimate interest, or other statutory requirements.

10.2 Restriction of Processing and Data Portability

• Restriction: Request limitation on Processing, including suspension, when accuracy is contested or if Processing is unlawful but deletion would infringe another right.
• Portability: Receive Information in a structured, commonly used, and machine-readable format, and transmit it to another controller where technically feasible.

10.3 Objection and Opt-Out

• Objection: Object to Processing based on legitimate interests, direct marketing, or profiling.
• Opt-Out: Withdraw consent (where applicable) or opt out of certain Processing activities (e.g., marketing communications) by following the unsubscribe mechanisms or sending a request to the contact details in Section 11.

11. Contact Information and Exercising Rights

To exercise any of the rights described above, or to obtain details about our Processing, or to lodge any complaints related to this Policy, please contact us as follows:

• By Email: privacy@cloneflow.io

We will consider and respond to all verifiable requests in accordance with applicable laws, and we will endeavor to comply within thirty (30) days, or such other period required by law.

12. Changes to This Privacy Policy

Cloneflow reserves the right to modify or update this Policy at any time, in its sole discretion.

If we make material changes to this Policy, we will update the “Effective Date” above and post the revised Policy on our website, as well as provide notice via email or in-Service announcement, if required by law.

Continued use of the Services after such changes shall constitute acceptance of the revised Policy.

© 2025 Cloneflow. All rights reserved. | Back to Home