Privacy Policy

Effective: [EFFECTIVE DATE] · Last updated: 20 May 2026 · Version: 1.0 draft
Draft for review. This document is a credible v1 draft prepared to support pre-launch landing pages and platform-approval submissions. Have it reviewed by a qualified UK solicitor before publishing. Items shown like [THIS] are placeholders for company-specific details to fill in before going live.

This Privacy Policy explains what personal data Crowflow collects, why we collect it, what we do with it, who we share it with, and what rights you have. We aim to use plain English; if anything is unclear, please email privacy@crowflow.io and we’ll explain.

1. Who we are

Crowflow is a software service operated by Crowbit Limited, a company registered in England and Wales (company number [COMPANY NUMBER]; registered office [REGISTERED OFFICE ADDRESS]). In this policy, “we”, “us” and “our” refer to Crowbit Limited; “you” and “your” refer to the individual or organisation using Crowflow. We are the controller of the personal data described below.

2. Scope

This policy applies to the Crowflow website at crowflow.io, the Crowflow web application, and any related services we provide. It does not apply to third-party services that we integrate with (including Google Ads, Microsoft Advertising, Meta Ads and Google Sheets), which are governed by their own privacy policies.

3. The personal data we collect

3.1 Data you give us directly

  • Account data: your name, email address, and a hashed password.
  • Workspace data: company or workspace name, time zone, billing contact details.
  • Communications: the contents of emails or support messages you send to us.

3.2 Data we collect when you connect a platform

  • OAuth tokens issued by Google, Microsoft, Meta or Google Sheets when you authorise Crowflow. These are stored encrypted at rest and are limited to the minimum scope necessary to read your campaign data and write to your chosen Sheet.
  • Platform metadata: the names and identifiers of the ad accounts and campaigns you select. We use these to display and label your data.

3.3 Data we receive from your ad platforms

When Crowflow syncs your accounts, we receive aggregated campaign-performance figures (date, platform, account, campaign, impressions, clicks, conversions, spend). This is generally not personal data — it is your business data. We process it on your behalf in order to provide the service.

3.4 Payment data

Payments are processed by Stripe. We do not receive or store your full card details. Stripe shares with us metadata such as the last four digits of your card, your billing country, and your subscription status. See Stripe’s privacy policy for how it handles your payment data.

3.5 Usage and technical data

  • Usage data: pages and features you use, button clicks, sync timings — collected via our product analytics provider.
  • Technical data: IP address, browser type and version, operating system, timestamps — collected via server logs and analytics.

4. How we use your personal data

  • To provide and operate Crowflow, including syncing your data and delivering it to your chosen Google Sheet.
  • To send service-related communications (sync failures, billing notices, security alerts).
  • To process payments and manage subscriptions.
  • To debug, secure and improve the service.
  • To send occasional product updates, with your consent (or via soft opt-in for existing customers, in line with PECR).
  • To meet legal, tax, accounting and fraud-prevention obligations.
  • To enforce our Terms of Service.

5. Lawful bases for processing (UK GDPR / EU GDPR)

We rely on the following lawful bases, depending on the activity:

  • Contract: where processing is necessary to provide the service you’ve signed up for.
  • Legitimate interests: to run and improve our business safely (e.g. analytics, debugging, security, fraud prevention). We balance these interests against your rights and freedoms.
  • Consent: where required by law (e.g. non-essential cookies, marketing to prospects).
  • Legal obligation: where we must process data to comply with the law (e.g. retaining invoices under UK tax legislation).

6. Who we share your data with

We share personal data with the following categories of recipients, each contractually bound to handle it appropriately:

Sub-processor | Purpose | Location
[Hosting provider] (e.g. Vercel, AWS, Fly.io) | Application hosting | [Region]
[Database provider] (e.g. Supabase, Neon, RDS) | Managed database (Postgres) | [Region]
Stripe Payments Europe Ltd | Payment processing | Ireland; transfers to US under SCCs
Resend (transactional email) | Transactional email | [Region]
Sentry (or equivalent) | Error monitoring | US; transfers under SCCs
PostHog (product analytics) | Product analytics | [Region]
Google LLC | Google Sheets API (delivery destination) | US; SCCs / Adequacy

We will keep a current list of sub-processors at crowflow.io/sub-processors. We do not sell your personal data.

We may also share data:

  • With professional advisers (lawyers, accountants, auditors) bound by confidentiality.
  • With law enforcement or regulators where required by law.
  • With a successor entity in the event of a merger, acquisition or asset sale, subject to equivalent privacy protections.

7. International data transfers

Some of our sub-processors are based outside the UK and EEA, primarily in the United States. Where this is the case, the transfer is protected by an appropriate safeguard recognised under UK GDPR and EU GDPR — most commonly the EU Standard Contractual Clauses combined with the UK Addendum, or the UK International Data Transfer Agreement, or a relevant adequacy decision. Copies are available on request.

8. How long we keep your data

  • Account data: kept while your account is active. Deleted within 30 days of account closure, except where retention is required by law (e.g. invoices retained for 7 years under UK tax law).
  • Marketing data synced into Crowflow: kept while your subscription is active. Deleted on account closure.
  • Server logs: retained for up to 90 days.
  • Backups: rotated on a rolling 30-day schedule.

9. Your rights (UK GDPR / EU GDPR)

You have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectification of any inaccurate or incomplete data.
  • Erasure (the “right to be forgotten”) in certain circumstances.
  • Restriction of processing in certain circumstances.
  • Portability — to receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email privacy@crowflow.io. We respond within one calendar month, and may need to verify your identity first.

10. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights to know what personal information we collect, to request deletion, to opt out of any “sale” or “sharing” of your personal information, and not to be discriminated against for exercising those rights. Crowflow does not sell or share your personal information as those terms are defined under the CCPA. To exercise any California right, email privacy@crowflow.io.

11. Cookies and similar technologies

  • Strictly necessary cookies: required for the application to function (e.g. your authentication session). These are set without consent.
  • Analytics cookies: set only with your consent, via our cookie banner. You can change your preference at any time from your account settings.

12. How we protect your data

We take security seriously. OAuth tokens are encrypted at rest using a key managed by our hosting provider’s KMS. All data in transit is encrypted with TLS 1.2 or higher. Passwords are hashed (bcrypt or equivalent). We scan dependencies and container images for known vulnerabilities, maintain access controls based on least privilege, and follow a documented incident-response plan. We aim to inform affected users of a confirmed personal-data breach within 72 hours of becoming aware of it, in line with UK GDPR Article 33.

13. Children

Crowflow is a business tool and is not intended for individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. If we make material changes — changes that meaningfully expand how we use your data — we will notify you by email and/or in-app notice at least 30 days before they take effect. Non-material changes (clarifications, formatting) will be posted with an updated “Last updated” date.

15. Complaints

If you have a concern about how we handle your data, please contact us first — we’d like the chance to resolve it. You also have the right to complain to the UK Information Commissioner’s Office at ico.org.uk, or to your local data protection authority if you are based in the EEA.

16. Contact us

Crowbit Limited
[REGISTERED OFFICE ADDRESS]
Email: privacy@crowflow.io
General: hello@crowflow.io