Privacy Policy

Last Updated: Jan 27, 2026

Reflow Systems Inc. (“Reflow,” “we,” “us,” or “our”) values your privacy and is committed to protecting personal information and being transparent about how we collect, use, and disclose it.

This Privacy Policy describes how we handle personal information when and if we act as a data controller (for example, for website visitors, prospects, and business contacts). It also explains, at a high level, how we process personal data on behalf of our customers when and if we act as a data processor or service provider, which is governed by our contractual agreements, including our Data Processing Agreement (“DPA”).

1. Scope of This Privacy Policy

This Privacy Policy applies to personal information we collect:

  • Through our services and websites, including www.reflow.ai

  • In connection with marketing, sales, and business communications

  • When administering customer accounts and contracts

  • When operating our business generally

This Privacy Policy does not replace or override customer agreements, including the DPA, which governs how we process Customer Personal Data on behalf of our customers.

2. Regulatory Alignment and Contractual Scope

Reflow designs its privacy and security practices to align with widely recognized data protection and privacy frameworks, including those reflected in the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”), the EU General Data Protection Regulation (“GDPR”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the Gramm-Leach-Bliley Act (“GLBA”), where relevant and applicable to the context in which data is processed.

The specific legal obligations applicable to the processing of customer data depend on the nature of the services provided and the terms of the applicable written agreements between Reflow and its customers, such as a master services agreement, data processing agreement, or business associate agreement.

Where required by law or expressly agreed with a customer, Reflow implements appropriate safeguards and contractual commitments consistent with applicable regulatory requirements.

3. Definitions

  • Personal Information: Information that identifies, relates to, describes, or can reasonably be linked to an identifiable individual.

  • Customer Personal Data: Personal data processed by Reflow solely on behalf of a customer in connection with the Services, as defined in the DPA.

  • Sensitive Personal Information: Personal information subject to heightened protections under applicable privacy laws (e.g., health data, government identifiers).

4. Information We Collect as a Controller

When and if Reflow acts as a data controller, we may collect the following categories of personal information:

4.1 Information You Provide Directly

  • Name, company name, job title

  • Business contact information (email address, phone number)

  • Account, billing, and payment-related information provided to processors on our behalf

  • Communications with us (e.g., inquiries, support requests)

4.2 Information Collected Automatically

  • IP address

  • Device and browser information

  • Website usage data (e.g., pages viewed, referring URLs)

  • Cookies and similar tracking technologies

4.3 Information from Third Parties

  • Business contact information from marketing partners or public sources

  • Payment confirmations from payment processors

  • Professional information provided in a business context

5. Customer Personal Data Processed on Behalf of Customers

Reflow processes certain personal data solely on behalf of its customers in connection with providing the Services.

  • The types of Customer Personal Data, categories of data subjects, and purposes of processing are determined by the customer.

  • Reflow processes such data only on documented customer instructions and does not use Customer Personal Data for its own independent purposes.

Details regarding Reflow’s processing of Customer Personal Data, including security measures, subprocessors, and international data transfers, are set out in the Reflow Data Processing Agreement, available at:

https://www.reflow.ai/dpa

6. How We Use Personal Information

We may use personal information we collect as a controller to:

  • Operate, maintain, and improve our websites and services

  • Communicate with prospects, customers, and partners

  • Provide customer support and respond to inquiries

  • Facilitate processing of payments and manage contracts

  • Conduct marketing and business development activities

  • Maintain security, prevent fraud, and protect our rights

  • Comply with applicable legal and regulatory obligations

7. How We Share Personal Information

We may share personal information with:

  • Service providers that perform services on our behalf (e.g., hosting, analytics, payment processing)

  • Professional advisors, such as auditors, insurers, and legal counsel

  • Business partners, with your consent

  • Government or regulatory authorities, where required by law

  • Successors or acquirers, in connection with a merger, acquisition, or similar transaction

We do not sell personal information in the traditional sense and do not share personal information for cross-context behavioral advertising.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website, analyze usage trends, and improve user experience. You can manage cookies through your browser settings.

9. Data Retention

We retain personal information for as long as necessary to:

  • Fulfill the purposes described in this Privacy Policy

  • Comply with legal, accounting, or reporting requirements

  • Resolve disputes and enforce agreements

Customer Personal Data is retained and deleted in accordance with customer instructions and the DPA.

10. Your Privacy Rights (CCPA/CPRA-Aligned)

Although Reflow does not currently meet the statutory applicability thresholds of the CCPA/CPRA, we voluntarily support the following rights, where applicable and subject to verification:

  • Right to know what personal information we collect and use

  • Right to access personal information

  • Right to request deletion

  • Right to request correction of inaccurate personal information

  • Right to opt out of the sale or sharing of personal information (if applicable)

  • Right to non-discrimination for exercising privacy rights

11. Trials and Evaluations

Reflow may offer access to its services on a trial, evaluation, or proof-of-concept basis (“Trial Services”). Unless otherwise agreed in writing, Trial Services are provided without a master services agreement, data processing agreement, or business associate agreement and strictly on an “as is” basis. Notwithstanding the foregoing, section 3 (entitled “Restrictions and Responsibilities”), section 4.2 (customer indemnity), section 6.1 (termination), section 9 (entitled “Limitation of Liability”), section 10 (“Government Matters”) and the applicable subsections of section 11 (entitled “Miscellaneous”) of the Reflow Terms of Service shall apply, mutatis mutandis, to such Trial Services to the extent not conflicting with this section 11.

When you use Trial Services:

  • Reflow acts as a data controller, not as a data processor or service provider.

  • Trial Services are not intended for the processing of sensitive, regulated, or confidential personal data, including protected health information (PHI), financial account information, government-issued identifiers, or special categories of data under GDPR.

  • Customers are responsible for ensuring that any data submitted during a trial is appropriate for evaluation purposes and does not require heightened legal or contractual protections.

Reflow may use information submitted during Trial Services to provide, support, evaluate, and improve the Trial Services and may delete Trial Services data at any time. Any transition from Trial Services to paid services will be governed by the applicable contractual agreements, including the DPA, once executed.

12. HIPAA Notice (If Applicable)

Reflow may act as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) only if expressly agreed to in a written Business Associate Agreement (“BAA”) signed between the parties pursuant to a Reflow paid services agreement.

Any Protected Health Information (PHI) processed by Reflow is handled solely in accordance with the applicable BAA and HIPAA requirements. This Privacy Policy does not apply to PHI governed by a BAA. Reflow’s responsibilities and any related liability for the processing of Customer Personal Data under HIPAA arise solely as set forth in a written, paid services agreement and the applicable BAA.

13. GLBA Notice (If Applicable)

Reflow is not a “financial institution” as defined under the Gramm-Leach-Bliley Act (“GLBA”). However, in limited circumstances, Reflow may process nonpublic personal information (“NPI”) subject to GLBA on behalf of its customers pursuant to a written, paid services agreement.

Such information is processed solely pursuant to such applicable customer agreement, and Reflow maintains administrative, technical, and physical safeguards designed to protect GLBA-regulated information. This Privacy Policy does not create independent GLBA obligations and does not replace or modify any customer agreement. Reflow’s responsibilities and any related liability for the processing of Customer Personal Data under GLBA arise solely as set forth in a written, paid services agreement and the applicable DPA.

14. GDPR Notice (If Applicable)

Reflow may process personal data relating to individuals located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland on behalf of customers only as set forth in the applicable paid services agreement.

Where the General Data Protection Regulation (GDPR) applies:

  • Reflow acts as a data processor for Customer Personal Data and as a data controller for its own business operations.

  • Processing details, including subprocessors and international data transfers, are governed by the DPA.

  • Data subject rights requests relating to Customer Personal Data should be directed to the relevant customer.

This Privacy Policy does not create independent GDPR obligations and does not replace or modify any customer agreement. Reflow’s responsibilities and any related liability for the processing of Customer Personal Data under GDPR arise solely as set forth in a written, paid services agreement and the applicable DPA.

15. Contact Us / Exercising Your Rights

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact:

Reflow Systems Inc.
Email: privacy[at]reflow.ai
Website: https://www.reflow.ai