Privacy Policy

Last updated: January 4, 2026

This Privacy Policy explains how ConsultFlow (“ConsultFlow,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you access our website, applications, software, and related services (collectively, the “Services”).

Important: This Privacy Policy is a general privacy notice and does not constitute legal advice. Enterprise customers may have additional or different privacy, security, or data processing terms in a signed agreement with ConsultFlow, such as a Data Processing Agreement (DPA), Business Associate Agreement (BAA), or Master Services Agreement (MSA). If there is a conflict, the signed agreement will control to the extent of that conflict.

---

1. Scope

This Privacy Policy applies to information we collect:

• through our website
• through our products and services
• in connection with support, sales, onboarding, and account administration
• from authorized users acting on behalf of their organizations

This Privacy Policy does not apply to third-party websites, products, or services that may link to or integrate with the Services.

---

2. Information We Collect

The information we collect depends on how you interact with the Services.

A. Contact Information

If you contact us, request a demo, fill out a form, or otherwise communicate with us, we may collect:

• name
• email address
• phone number
• company or organization name
• job title
• message content and related communication details
• request details such as demo type, organization profile, timeline, or security needs when you choose to provide them
• lead attribution information such as source or campaign parameters submitted with the request

B. Account Information

If you or your organization use our Services, we may collect account and profile information such as:

• name
• email address
• organization affiliation
• user role
• authentication identifiers
• account settings and preferences

C. Service Content

We collect and process content submitted to the Services by authorized users or their organizations, including:

• uploaded files and documents
• case-related information
• prompts, messages, notes, and reports
• workflow data and related service records

D. Operational and Technical Data

We may collect operational, diagnostic, and usage data to run, monitor, and secure the Services, including:

• IP address
• browser type and user agent information
• device information
• operating system
• access timestamps
• request and application log data
• referrer or origin information associated with form submissions or web requests
• crash, session, and performance data where available

E. Browser Storage and Similar Technologies

We may use local storage, session storage, and similar browser technologies to:

• maintain sessions and access state
• remember preferences or tenant context
• preserve drafts and workflow progress
• support reliability, security, and performance

Third-party services that support the Services may use their own cookies or similar technologies subject to their own terms and privacy policies.

---

3. How We Use Information

We use information for the following purposes:

• to provide, operate, maintain, and support the Services
• to authenticate users and enforce account access controls
• to process and display Service Content as directed by authorized users or organizations
• to improve the reliability, usability, performance, and security of the Services
• to communicate with you about support, product updates, onboarding, and service-related notices
• to respond to inquiries, requests, and customer support needs
• to detect, investigate, and prevent fraud, abuse, unauthorized access, or other security issues
• to meter usage, support billing, and administer subscriptions or payments where applicable
• to comply with legal, contractual, and regulatory obligations
• to enforce our Terms of Service and related agreements

We may also use de-identified, aggregated, or anonymized information for analytics, system improvement, and business operations where permitted by law and contract.

---

4. How We Share Information

We do not sell personal information.

We may share information in the following circumstances:

A. With Service Providers and Subprocessors

We may share information with vendors, cloud providers, hosting providers, authentication providers, storage and database providers, analytics or reporting providers, email delivery providers, payment processors, and AI or model providers that help us operate, secure, support, and improve the Services.

These providers are permitted to process information only as necessary to provide services to ConsultFlow and are subject to appropriate contractual obligations.

B. With Your Organization

If you use the Services through an organization, information associated with your account or usage may be accessible to authorized administrators, managers, or personnel designated by that organization for account administration, workflow management, support, compliance, or security.

C. For Legal and Safety Reasons

We may disclose information if we believe in good faith that disclosure is necessary to:

• comply with applicable law, regulation, subpoena, court order, or legal process
• protect the rights, safety, or property of ConsultFlow, our customers, or others
• detect, prevent, or address fraud, abuse, or security incidents

D. In Connection with Corporate Transactions

If ConsultFlow is involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, information may be disclosed as part of that process, subject to appropriate confidentiality protections.

---

5. Enterprise and Customer-Controlled Data

For enterprise customers, ConsultFlow generally acts as a service provider, processor, or vendor handling data on behalf of the customer organization, subject to the applicable contract.

In those cases:

• the customer organization controls the purpose and scope of much of the data processing
• retention, deletion, access, and security obligations may be governed by contract
• additional terms such as a DPA or BAA may apply

If you are an end user of an organization using the Services, please direct privacy requests relating to your organization’s data to your organization first.

---

6. Data Retention

We retain information for as long as reasonably necessary to:

• provide and support the Services
• fulfill contractual commitments
• maintain security and audit records
• comply with legal obligations
• resolve disputes and enforce agreements

Retention periods may vary depending on the type of information, customer instructions, and legal requirements.

Where required by contract or law, we will delete or return data according to the applicable agreement and retention schedule.

---

7. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information from unauthorized access, disclosure, alteration, or destruction.

However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

If we become aware of a security incident affecting personal information, we will respond in accordance with applicable law and contractual obligations.

---

8. Your Choices and Rights

Depending on your relationship with ConsultFlow and applicable law, you or your organization may have rights relating to personal information, including rights to:

• access
• correct or update
• delete
• restrict certain processing
• object to certain processing
• request a copy of your information, where applicable

If you use the Services through an organization, your organization may control many of these requests. Please contact your organization’s administrator first where appropriate.

You may also contact us directly using the contact information below.

---

9. International Transfers

If information is transferred across borders, we will take reasonable steps to ensure appropriate safeguards are in place as required by applicable law and contractual commitments.

---

10. Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 except where data is provided by authorized organizations in connection with the Services and subject to applicable law and contractual terms.

If you believe we have collected information from a child in a manner inconsistent with applicable law, please contact us.

---

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version on this page and update the “Last updated” date above.

Your continued use of the Services after any update becomes effective constitutes acceptance of the revised Privacy Policy, to the extent permitted by law.

---

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

ConsultFlow

Email: help@consult-flow.com

Contact page: /contact