Privacy Policy

Last updated: March 18, 2026

1. Who we are

AgencyFlow ("we," "us," or "our") operates the AgencyFlow platform, a SaaS tool for marketing agencies to capture and manage leads and client onboarding. Our contact email is support@agencyflow.app.

2. What data we collect

We collect data in two ways:

  • Account data — your name, email address, and organization name when you sign up or update your profile.
  • Lead and contact data — the names, email addresses, phone numbers, and messages submitted through your intake forms. You control this data; we process it on your behalf.
  • Usage data — actions you take inside the app (e.g., leads created, statuses changed) for the activity log and analytics features.
  • Technical data — IP address, browser type, and request metadata, collected automatically for security and rate-limiting purposes.
  • Billing data — your billing details are collected and stored by Lemon Squeezy; we only receive a subscription status and customer ID.

3. How we use your data

  • To provide and operate the AgencyFlow platform
  • To process leads and run AI enrichment on your behalf
  • To send email notifications (new leads, invites) that you have opted into
  • To manage your subscription via Lemon Squeezy
  • To detect abuse, enforce rate limits, and maintain platform security
  • To generate aggregate, anonymized analytics about platform usage

We do not sell your data to third parties, use it for advertising, or share it with anyone except the sub-processors listed below.

4. AI processing

Lead messages submitted through your intake form are sent to OpenAI's API for enrichment (scoring, summarising, generating follow-up questions). OpenAI processes this data as a data processor under their API Data Usage Policy. We do not use your data to train AI models.

5. Sub-processors

Processor     | Purpose                     | Location
Supabase      | Auth, database hosting      | EU / US
OpenAI        | AI lead enrichment          | US
Resend        | Transactional email         | US
Lemon Squeezy | Billing and payments        | US
Railway       | API and worker hosting      | US
Vercel        | Frontend hosting            | Global CDN
Sentry        | Error monitoring (optional) | US

6. Data retention

Your account and lead data is retained for as long as your account is active. If you cancel and request account deletion, we will delete your data within 30 days, except where we are required to retain it for legal or billing purposes.

7. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict certain processing
  • Request a portable copy of your data

To exercise any of these rights, email support@agencyflow.app. We will respond within 30 days.

8. Cookies

AgencyFlow uses only essential cookies required for authentication (Supabase session token). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie banner is required.

9. Security

All data is transmitted over HTTPS. Passwords are managed by Supabase Auth and are never stored by AgencyFlow. We use HMAC-SHA256 to verify webhook payloads. Access to production systems is restricted to authorised personnel.

10. Children

AgencyFlow is a business tool not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or an in-app notice. Continued use of the platform after the effective date constitutes acceptance.

12. Contact

For any privacy questions, email support@agencyflow.app.