Privacy Policy
Writerflow Inc., a Minnesota S-Corporation (“Writerflow,” “we,” “us,” or “our”), operates the Writerflow approval orchestration platform and writerflow.com website (collectively, the “Service”). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding your data.
This policy applies to all users of the Service, including Account holders and clients who access content through shared links.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
1. Information We Collect
1.1 Information You Provide to Us
- Account Information. When you create an Account, we collect your name, email address, and company/organization name.
- Authentication Data. We use Stytch for authentication. Depending on your chosen method, this may include your email address, phone number, or OAuth provider identifiers (e.g., Google account).
- Reviewer Identity. When a client accesses a shared review link, we collect their first name, last name, email address, and company name through an identity gate before granting access.
- Content. Documents, files, images, comments, and approval decisions you upload or create through the Service.
- Communications. Messages you send to us via email or in-app support.
- Payment Information (planned). When paid plans become available, Stripe will collect your payment card information. Writerflow does not directly handle or store your full card number. See Section 4 for details.
1.2 Information We Collect Automatically
When you use the Service or visit our website, we automatically collect:
- Usage Data. Pages visited, features used, clicks, navigation paths, and time spent on pages.
- Device and Browser Data. Browser type and version, operating system, device type, screen resolution, and language preferences.
- Network Data. IP address, approximate location (city/region level, derived from IP), referring URL, and internet service provider.
- Performance Data. Page load times, errors encountered, and application performance metrics.
- Session Replays. In certain circumstances (described in Section 3), we may record session replays that capture your interactions with the Service. These recordings capture UI interactions (clicks, scrolls, form interactions) but are configured to mask sensitive input fields.
1.3 Information from Third Parties
- Prospecting Data. We use Apollo.io to research potential customers. This may include publicly available business contact information such as company name, job title, business email, and LinkedIn profile URL.
- Enrichment Data. We may supplement Account information with publicly available business data to improve our understanding of our customers.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service. Operate, maintain, and deliver the features of the Writerflow platform, including hosting your Content, processing approvals, and managing review workflows.
- Authenticate Users. Verify your identity and manage sessions.
- Process Payments. When applicable, process Subscription payments through Stripe.
- Communicate With You. Send transactional emails (approval notifications, account updates), respond to support requests, and share product updates. You can opt out of non-transactional communications.
- Improve the Service. Analyze usage patterns, diagnose bugs, monitor performance, and develop new features.
- Ensure Security. Detect and prevent fraud, abuse, and security threats. Monitor for unauthorized access.
- Conduct A/B Testing. Test feature variants to improve the user experience.
- Sales and Marketing. Contact prospective customers about Writerflow, manage sales pipelines, and run outreach campaigns. We do not use existing customer Content for marketing purposes.
- Comply With Law. Respond to legal obligations, enforce our Terms, and protect our rights.
What we will NOT do with your information:
- We will not sell your personal information to third parties.
- We will not use your Content to train AI or machine learning models without your explicit, separate consent.
- We will not share your Content with other customers.
4. Third-Party Service Providers (Sub-Processors)
We share your information with the following categories of third-party service providers who process data on our behalf. These providers are contractually obligated to use your data only as necessary to perform services for us and to maintain appropriate security.
4.1 Infrastructure and Hosting
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Application hosting, data storage, email delivery | All application data (ECS, RDS, S3, SES, DynamoDB) | us-east-1 (N. Virginia), us-east-2 (Ohio) |
| Vercel | Marketing website hosting | Website visitor data, page metrics | Global CDN |
| Redis (AWS-hosted) | Session caching, rate limiting | Session tokens, rate limit counters | us-east-1 / us-east-2 |
4.2 Authentication
| Provider | Purpose | Data Processed |
|---|---|---|
| Stytch | User authentication | Email, phone number, OAuth tokens, session data, IP address |
4.3 Analytics and Product Improvement
| Provider | Purpose | Data Processed |
|---|---|---|
| Amplitude | Product analytics | Events, user properties, session replays |
| Vercel Analytics | Website performance | Page views, web vitals, performance metrics |
| Google Tag Manager | Tag management (marketing site) | Events, conversions, page views |
| Statsig | Feature flags, A/B testing | Feature flag evaluations, session replays, autocapture events |
4.4 Error Monitoring
| Provider | Purpose | Data Processed |
|---|---|---|
| Sentry | Error tracking, performance monitoring | Error details, stack traces, session replays (on error), browser/device info |
4.5 Sales and Outreach
We use third-party tools to manage business relationships and communicate with prospective customers. These services may process business contact information such as name, email address, company name, and job title. Website visitor activity may be tracked for outreach purposes, subject to cookie consent.
4.6 Payments (Planned)
| Provider | Purpose | Data Processed |
|---|---|---|
| Stripe | Payment processing, subscription management | Payment card information (PCI-compliant), billing address, transaction history |
Stripe payment processing is expected to be active starting May 2026. Stripe is PCI DSS Level 1 certified. Writerflow does not directly access or store your full payment card number.
4.7 Support
| Provider | Purpose | Data Processed |
|---|---|---|
| Intercom | Customer support messaging | Messages, conversation history, email, name |
Intercom is installed but not currently active. When activated, it will process support conversations and basic user identity.
4.8 Content Delivery
| Provider | Purpose | Data Processed |
|---|---|---|
| Font Awesome (CDN) | Icon delivery | HTTP request data (IP address, user agent) |
| Google Fonts | Font delivery | HTTP request data (IP address, user agent) |
Google Fonts and Font Awesome CDN requests transmit your IP address and browser information to these providers as part of standard HTTP requests. Google's privacy policy governs their handling of this data.
5. Data Sharing and Disclosure
Beyond the sub-processors listed above, we may share your information in the following circumstances:
- With Your Consent. When you explicitly authorize us to share information.
- Within Your Organization. Account administrators can see information about users and activity within their organization's workspace.
- Reviewers and Collaborators. When you share content for review, Reviewers can see the content you shared and the names/emails of other participants in that review workflow, as necessary for the collaboration.
- Legal Requirements. When required by law, subpoena, court order, or government regulation.
- Protection of Rights. When necessary to protect the rights, property, or safety of Writerflow, our users, or the public.
- Business Transfers. In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
- Aggregated or De-identified Data. We may share aggregated or de-identified data that cannot reasonably be used to identify you.
We do not sell personal information. This applies under the California Consumer Privacy Act (CCPA) definition of “sell” and under the general meaning of the term.
6. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy.
- Account Data. Retained for the duration of your Account, plus 90 days after Account closure to allow for reactivation or data export requests.
- Content. Retained while your Account is active. After Account deletion, Content is removed from active systems within 30 days and from backups within 90 days.
- Reviewer Data. Retained for the duration of the associated review workflow and for 12 months after the last interaction with the review link.
- Usage and Analytics Data. Retained for up to 24 months in identifiable form. May be retained longer in aggregated or de-identified form.
- Support Communications. Retained for up to 36 months after the last interaction.
- Sales and Outreach Data. Contact information for prospective customers is retained until the individual requests deletion or the data is no longer needed for outreach purposes.
- Local Storage. Reviewer identity data in localStorage persists until the user clears their browser data.
When data is no longer needed, we delete it or de-identify it so it can no longer be associated with you.
7. Data Security
We implement technical and organizational measures to protect your data, including:
- Encryption in Transit. All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- Encryption at Rest. Data stored in our databases and file storage (AWS RDS, S3, DynamoDB) is encrypted at rest.
- Access Controls. Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Infrastructure Security. Our application runs on AWS managed services with security best practices including VPC isolation, security groups, and IAM role-based access.
- Authentication Security. User authentication is handled by Stytch, which provides secure session management and supports modern authentication methods.
- Monitoring. We use error monitoring (Sentry) and logging to detect and respond to security incidents.
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
8.1 Rights for All Users
- Access. Request a copy of the personal information we hold about you.
- Correction. Request correction of inaccurate or incomplete information.
- Deletion. Request deletion of your personal information, subject to legal retention requirements.
- Data Export. Request a copy of your data in a portable format.
- Opt-Out of Marketing. Unsubscribe from marketing communications at any time using the link in our emails or by contacting us.
8.2 Additional Rights Under GDPR (EEA, UK, Switzerland)
If you are in the EEA, UK, or Switzerland, you also have the right to:
- Restrict Processing. Request that we limit how we use your data in certain circumstances.
- Object to Processing. Object to our processing of your data based on legitimate interests.
- Withdraw Consent. Where processing is based on consent, withdraw that consent at any time.
- Lodge a Complaint. File a complaint with your local data protection authority.
Legal Bases for Processing (GDPR):
- Contract Performance. Processing necessary to provide the Service you requested.
- Legitimate Interests. Analytics, product improvement, security, and B2B marketing outreach, where our interests do not override your rights.
- Consent. Where you have given explicit consent (e.g., optional marketing communications).
- Legal Obligation. Where required by law.
8.3 Additional Rights Under CCPA (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose.
- Delete your personal information, subject to exceptions.
- Opt-Out of Sale. We do not sell personal information, so this right is satisfied by default.
- Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.
CCPA Categories of Information Collected:
- Identifiers (name, email, IP address)
- Internet or network activity (usage data, browsing history on our site)
- Professional information (company name, job title)
- Commercial information (subscription, payment data when applicable)
8.4 Exercising Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@writerflow.com
- Response Time: We will respond to verified requests within 30 days (or sooner where required by law).
We may need to verify your identity before processing your request.
9. International Data Transfers
Writerflow is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable, and the data processing terms of our sub-processors, many of whom maintain their own transfer mechanisms (e.g., AWS, Stripe, and Amplitude participate in recognized data transfer frameworks).
10. Children’s Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@writerflow.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated policy on our website with a new "Last Updated" date.
- Notify Account holders by email at least 15 days before material changes take effect.
Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Writerflow Inc.
Email: privacy@writerflow.com
General support: support@writerflow.com
Website: writerflow.com
For data protection inquiries or rights requests, please use privacy@writerflow.com.