Still have questions?Reach out to our founders anytime.

Privacy Policy

Last Updated: May 11, 2025

SUMMARY OF KEY POINTS

Here are the key points from our privacy policy:

  • What Information We Collect: We collect personal information you provide when registering, as well as usage data, device information, and information through cookies.
  • How We Use Your Information: We use your information to provide and improve our services, process payments, communicate with you, ensure security, and for marketing purposes (with your consent).
  • Data Storage Locations: Your data is stored in AWS data centers with options to choose between US, EU, UK, or APAC regions.
  • Data Security: We implement robust security measures including daily backups, encryption, access controls, and regular security testing to protect your data.
  • Your Rights: Depending on your location, you have rights to access, correct, delete, or restrict the processing of your personal information.
  • Data Portability: You can export your data in structured formats, including workflow designs and configurations.
  • International Data Transfers: Your data may be transferred to countries with different data protection laws, with appropriate safeguards in place.
  • AI Training Data: We do not use your uploaded data or flows to train any AI systems.
  • Third-Party Integrations: We connect with various third-party services while maintaining appropriate security controls.
  • Breach Notification: We will notify affected users within 72 hours of discovering a data breach.
  • Children's Privacy: Our services are not intended for children under 18 years of age.

This summary provides key points from our privacy notice, but you can find more details about any of these topics by reading the full policy below.

Introduction

Welcome to ActionFlows.ai, a service operated by Startbase LTD ("us", "we", or "our"). At Startbase LTD, we value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at https://actionflows.ai/ and our services (collectively referred to as the "Service").

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.

Our Terms and Conditions govern all use of our Service and together with the Privacy Policy, Cookie Policy, and Disclaimer constitute your agreement with us. We encourage you to read all of these documents:

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you still have any questions or concerns, please contact us at [email protected].

1. DEFINITIONS

SERVICE means the https://actionflows.ai/ website and platform operated by Startbase LTD.

PERSONAL DATA means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).

USAGE DATA is data collected automatically either generated by the use of Service or from Service infrastructure itself (for example, the duration of a page visit).

COOKIES are small files stored on your device (computer or mobile device).

DATA CONTROLLER means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.

DATA PROCESSORS (OR SERVICE PROVIDERS) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.

DATA SUBJECT is any living individual who is the subject of Personal Data.

THE USER is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

2. WHAT INFORMATION DO WE COLLECT?

Personal Information You Disclose to Us

In Short: We collect personal information that you voluntarily provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

  • Names
  • Email addresses
  • Usernames
  • Passwords
  • Contact preferences
  • Contact or authentication data
  • Billing addresses
  • Debit/credit card numbers
  • Company/Organization name
  • Profile information (optional avatar, interests, etc.)
  • Communications between you and Startbase LTD
  • Flow designs and configurations
  • API connection information and credentials
  • Workflow automation settings

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is stored by Stripe. You may find their privacy notice link(s) here: https://stripe.com/privacy.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Google, GitHub, or other social media account. If you choose to register in this way, we will collect the information described in the section called 'HOW DO WE HANDLE YOUR SOCIAL LOGINS?' below.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information Automatically Collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Policy.

The information we collect includes:

  • Log and Usage Data: Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports, and hardware settings).
  • Device Data: We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
  • Location Data: We collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.

3. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
  • To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.
  • To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
  • To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
  • To fulfil and manage your orders. We may process your information to fulfil and manage your orders, payments, returns, and exchanges made through the Services.
  • To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
  • To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time. For more information, see 'WHAT ARE YOUR PRIVACY RIGHTS?' below.
  • To deliver targeted advertising to you. We may process your information to develop and display personalized content and advertising tailored to your interests, location, and more. For more information see our Cookie Policy.
  • To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
  • To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.
  • To determine the effectiveness of our marketing and promotional campaigns. We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.
  • To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfil our contractual obligations, to protect your rights, or to fulfil our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

  • Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your consent in the "Your Privacy Rights" section.
  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
  • Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:
    • Send users information about special offers and discounts on our products and services
    • Develop and display personalized and relevant advertising content for our users
    • Analyze how our Services are used so we can improve them to engage and retain users
    • Support our marketing activities
    • Diagnose problems and/or prevent fraudulent activities
    • Understand how our users use our products and services so we can improve user experience
  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

  • If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
  • For investigations and fraud detection and prevention
  • For business transactions provided certain conditions are met
  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
  • For identifying injured, ill, or deceased persons and communicating with next of kin
  • If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse
  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
  • If the collection is solely for journalistic, artistic, or literary purposes
  • If the information is publicly available and is specified by the regulations

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy.

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Google or GitHub logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public on such a social media platform.

We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

Specific Retention Periods:

  • Account Information: Maintained for the duration your account is active, and for 30 days after account deletion
  • Payment Information: Maintained for 7 years as required by accounting and tax regulations
  • Log Files and Analytics Data: Retained for 90 days before being anonymized for longer-term retention
  • Marketing Communications Preferences: Retained until you opt-out or request deletion
  • Support Inquiries: Maintained for 2 years after resolution of your inquiry

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

8. WHERE DO WE STORE YOUR INFORMATION?

In Short: Your data is stored and processed primarily in AWS data centers with options for regional data localization.

Your personal information is primarily stored and processed in Amazon Web Services (AWS) data centers. By default, your data is stored in the US-East region (Virginia). However, we offer data localization options, allowing you to choose to have your data stored in the following regions:

  • European Union (EU) - Frankfurt region
  • Asia Pacific (APAC) - Singapore region
  • United Kingdom (UK) - London region

You can select your preferred data region during account setup. If you need to change your data region after setting up your account, please contact us at [email protected]. Please note that changing your data region may result in temporary service disruption as we migrate your data.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

Our security measures include:

  • Daily backups: Our database is backed up daily to ensure we can safely restore user progress in the event of an emergency.
  • Security Testing: We regularly test our product to look for vulnerabilities, to test accessing restricted data, and to evaluate the security of our APIs from direct attack.
  • Workspace Access Control: Workspaces have restricted access by default, which restricts anyone from loading any details related to a flow unless they have been added to the workspace and explicitly granted access.
  • Static Code Analysis: We evaluate our cloud applications and infrastructure for potential security risks, ensuring compliance with industry standards and best practices for data protection.
  • Credential Protection: No user can ever access another user's personal credentials under any circumstances. This makes it more difficult to share flows but is a security decision we enforce to establish a firm foundation for credential protection.
  • Encryption: All sensitive data, including API keys and authentication credentials, are encrypted both in transit and at rest using industry-standard encryption protocols.
  • Rate Limiting: We implement rate limiting to prevent abuse and protect our services from potential attacks.

10. DATA BREACH NOTIFICATION

In Short: We will notify you promptly in the event of a data breach affecting your personal information.

In the event of a data breach that affects your personal information, we are committed to:

  1. Notifying all affected users within 72 hours of discovering the breach
  2. Providing specific information about what data was compromised
  3. Offering guidance on steps you can take to protect yourself
  4. Detailing the measures we are taking to address the breach and prevent future incidents

We maintain a dedicated incident response team and follow a comprehensive incident response plan to ensure swift and effective handling of any data security incidents. Our notification procedures comply with relevant data protection regulations including GDPR, CCPA, and other applicable laws.

11. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at [email protected].

12. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent

If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below or updating your preferences.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications

You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

  • Log in to your account settings and update your user account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies

Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. For further information, please see our Cookie Policy.

Data Portability

You have the right to request a copy of your data in a structured, machine-readable format. We provide multiple options for exporting your data:

  1. Flow Exports: You can export your workflow designs and configurations in JSON format
  2. User Data Export: You can request a full export of all your account data including user profile, organization settings, and workflow configurations
  3. Analytics Data: You can export your usage statistics and analytics in CSV format

To request a comprehensive data export beyond what's available in the platform interface, please contact us at [email protected]. Data export requests will be fulfilled within 30 days.

If you have questions or comments about your privacy rights, you may email us at [email protected].

13. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ('DNT') feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

14. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of Virginia, Utah, Connecticut, Colorado or California, you are granted specific rights regarding access to your personal information.

California Residents

California Civil Code Section 1798.83, also known as the 'Shine The Light' law permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g. backups, etc.).

CCPA Privacy Notice

This section applies only to California residents. Under the California Consumer Privacy Act (CCPA), you have the rights listed below.

The California Code of Regulations defines a 'residents' as:

  • every individual who is in the State of California for other than a temporary or transitory purpose and
  • every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose

All other individuals are defined as 'non-residents'.

If this definition of 'resident' applies to you, we must adhere to certain rights and obligations regarding your personal information.

Your rights with respect to your personal data:

  • Right to request deletion of the data — Request to delete: You can ask for the deletion of your personal information. If you ask us to delete your personal information, we will respect your request and delete your personal information, subject to certain exceptions provided by law.
  • Right to be informed — Request to know: Depending on the circumstances, you have a right to know whether we collect and use your personal information, the categories of personal information that we collect, the purposes for which the collected personal information is used, whether we sell or share personal information to third parties, and more.
  • Right to Non-Discrimination for the Exercise of a Consumer's Privacy Rights: We will not discriminate against you if you exercise your privacy rights.

Colorado, Connecticut, Utah, and Virginia Residents

This section outlines specific rights for residents of these states. Under their respective privacy laws, you have the rights listed below:

  • Right to be informed whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

To submit a request to exercise these rights, please email [email protected] or submit a data subject access request through our website.

15. THIRD-PARTY INTEGRATIONS

In Short: We integrate with various third-party services while maintaining your privacy and security.

ActionFlows.ai is designed to connect with various third-party services through APIs and integrations. When you connect ActionFlows.ai to third-party services, we may collect and process data from these services to facilitate your workflow automations.

Common Third-Party Integrations

The most common third-party services our users connect to include:

  • Email providers (Gmail, Outlook)
  • CRM systems (Salesforce, HubSpot)
  • Messaging platforms (Slack, Discord)
  • Document management services (Google Drive, Dropbox)
  • Project management tools (Asana, Trello, Jira)
  • Database services (MongoDB, PostgreSQL)
  • AI services (OpenAI, Anthropic, Hugging Face)
  • Payment processors (Stripe, PayPal)

Data Processing for Third-Party Integrations

When you connect ActionFlows.ai to a third-party service:

  1. We store authentication credentials (OAuth tokens, API keys) in encrypted form
  2. We process only the data necessary to perform the functions you've configured
  3. We do not store raw data from third-party services longer than necessary to execute your workflows
  4. We maintain logs of integration activities for troubleshooting and security purposes

Your Responsibility

You are responsible for ensuring you have the necessary rights and permissions to connect third-party services to ActionFlows.ai and to process data from those services using our platform. We recommend reviewing the privacy policies and terms of service for any third-party services you connect to ActionFlows.ai.

16. AUTOMATED DECISION-MAKING AND PROFILING

In Short: We may use automated systems to enhance your experience but provide options for human review.

ActionFlows.ai employs automation technologies that may involve some degree of automated decision-making. These technologies are designed to enhance your experience and optimize the performance of our services.

How We Use Automated Processing

We may use automated processing for purposes such as:

  1. Workflow optimization: Suggesting improvements to your flow designs based on performance metrics and common patterns
  2. Resource allocation: Automatically adjusting computational resources based on your workflow needs
  3. Security monitoring: Detecting and responding to unusual patterns that may indicate security threats
  4. Personalization: Providing interface customizations and recommendations based on your usage patterns

Legal or Significant Effects

None of our current automated processes produce legal effects or similarly significant effects on users as defined under GDPR Article 22. Our automated systems are designed to:

  • Assist rather than replace human decision-making
  • Enhance user experience without restricting access to services or features
  • Protect security without automatically restricting legitimate user activities

Your Rights and Choices

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. For any automated processes we employ:

  1. You can request human intervention in the decision-making process
  2. You can express your point of view about an automated decision
  3. You can contest an automated decision if you believe it's incorrect

If you have concerns about how automated processing affects you, please contact us at [email protected].

17. USER ACCESS CONTROL

In Short: We provide granular access controls for administrators.

User level access to organizations, workspaces, and individual flows can be restricted as necessary by the organization administrator.

  • Users can be removed from workspaces by administrators, which revokes all access to flows and credentials within the workspace.
  • Users can have access to individual flows restricted by administrators. Users can have their ability to view, run, and/or edit flows revoked on a flow-by-flow basis.
  • Users can have their profiles and data deleted altogether at the request of their organization administrator. To request this deletion, administrators must email [email protected].

We provide robust credential management, allowing you to securely store API keys, passwords, and other sensitive information. These credentials are encrypted and only accessible to authorized users within your workspace.

We are committed to following the necessary User Access Control protocols to protect your data and respect your privacy rights.

18. AI TRAINING DATA

In Short: We do not use your data to train AI systems.

We do not use any of your uploaded data or the flows you create to train any AI whatsoever. No data that is passing through your flows on ActionFlows.ai is being used for training.

We have agreements with our AI service providers to ensure they're committed to not training on any data sent to them via ActionFlows.ai's API.

19. INTERNAL SECURITY RULES

In Short: We follow strict internal security practices.

  • Data Access: Access to internal data is restricted by default. ActionFlows.ai employees are only given access to scopes that are necessary to complete their work.
  • Offboarding: All devices are wiped and accounts deactivated as soon as an employee's employment ends. We ensure all access has been wiped of any mobile devices as well.
  • Two-Factor Authentication: We enforce all accounts related to sensitive data (Gmail, GitHub, etc.) to use two-factor authentication.

20. DATA PROTECTION OFFICER

Startbase LTD has appointed a Data Protection Officer (DPO) to be responsible for overseeing compliance with applicable data protection laws and regulations. You can contact our DPO at:

Email: [email protected]

The DPO is a point of contact for data subjects (or their authorized representatives) who have questions or requests related to their personal data under applicable data protection laws.

21. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

We may need to share your personal information in the following situations:

Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Third-Party Service Providers

We may share your information with third-party Service Providers who perform services for us or on our behalf. This may include payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. These providers have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Business Partners

We may share your information with our business partners to offer you certain products, services, or promotions.

When we use Google Analytics

We may share your information with Google Analytics to track and analyze the use of the Services. The Google Analytics Advertising Features that we may use include: Remarketing with Google Analytics, Google Analytics Demographics and Interests Reporting and Google Display Network Impressions Reporting. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. You can opt out of Google Analytics Advertising Features through Ads Settings and Ad Settings for mobile apps. Other opt out means include http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice. For more information on the privacy practices of Google, please visit the Google Privacy & Terms page.

Legal Requirements

We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).

Vital Interests and Legal Rights

We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

With Your Consent

We may disclose your personal information for any other purpose with your explicit consent.

22. CHANGES TO THIS PRIVACY POLICY

In Short: We may update this privacy policy from time to time. We will notify you of any changes.

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will notify you via email and/or a prominent notice on our Service if notable changes occur, prior to the change becoming effective and update the "Last Updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

23. EU-U.S. DATA PRIVACY FRAMEWORK

ActionFlows.ai complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. ActionFlows.ai has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, ActionFlows.ai commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Binding Arbitration: Under certain conditions, individuals have the right to invoke binding arbitration to resolve complaints regarding ActionFlows.ai's compliance with the DPF Principles not resolved by any of the other DPF mechanisms. ActionFlows.ai is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to our organization and following the procedures and subject to conditions set forth in Annex I of the Principles.

Liability for Onward Transfers: ActionFlows.ai remains responsible and liable under the DPF Principles if third-party agents it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless ActionFlows.ai proves that it is not responsible for the event giving rise to the damage. This ensures that the level of protection of personal data is not undermined when ActionFlows.ai shares your data with third parties.

The Federal Trade Commission (FTC) has jurisdiction over ActionFlows.ai's compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF. ActionFlows.ai is subject to the investigatory and enforcement powers of the FTC. This means that the FTC can investigate and take action against ActionFlows.ai if we fail to comply with our privacy commitments or the DPF Principles.

24. CONTACT US

If you have any questions about this Privacy Policy, please contact us:

By email: [email protected]

Startbase LTD 7, Coronation Road, Dephna House, LAUNCHESE London, NW10 7PQ, United Kingdom