Privacy Policy
Last Updated: April 15, 2026
Effective Date: April 15, 2026
This Privacy Policy explains how [Company Legal Name] ("we", "us", or "our"), registered in Germany at [Company Address], collects, uses, discloses, and protects your personal data when you use the Knowflows platform ("Service") at https://knowflows.app.
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and, where applicable, the California Consumer Privacy Act (CCPA) as amended by the CPRA.
For privacy-related inquiries, please contact us at: [[email protected]]
Data Protection Officer (DPO): [[email protected]] (if applicable)
1. Data Controller
The data controller responsible for your personal data is:
[Company Legal Name][Company Address]
Germany
Email: [[email protected]]
2. Data We Collect
We collect the following categories of personal data:
2.1 Account & Identity Data
- Email address (required for registration and authentication)
- Name or username (optional, provided by you)
- Profile information you choose to provide
2.2 Usage & Technical Data
- IP address and approximate geolocation
- Browser type, device type, and operating system
- Pages visited, features used, session duration, and click patterns
- Referrer URLs and search terms that led you to our Service
- Error logs and performance diagnostics
2.3 User-Generated Content
- Documents, knowledge items, workflows, and configurations you upload or create
- Chatbot training data and conversation histories (where applicable)
2.4 Payment & Billing Data
- Billing address and payment method details (processed by our payment provider; we do not store full card numbers)
- Transaction history and subscription status
2.5 Communications Data
- Emails and support messages you send us
- Survey responses and feedback
2.6 Cookie & Tracking Data
See the Cookie Section below for details.
3. Purposes & Legal Bases for Processing
Under the GDPR, we rely on the following legal bases to process your personal data:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and authentication | Article 6(1)(b) - Contract performance |
| Providing and operating the Service | Article 6(1)(b) - Contract performance |
| Processing payments and managing subscriptions | Article 6(1)(b) - Contract performance |
| Sending transactional and service emails | Article 6(1)(b) - Contract performance |
| Complying with legal obligations | Article 6(1)(c) - Legal obligation |
| Security, fraud prevention, and abuse detection | Article 6(1)(f) - Legitimate interests |
| Analytics and Service improvement | Article 6(1)(f) - Legitimate interests |
| Marketing and promotional communications | Article 6(1)(a) - Consent (opt-in) |
| Optional cookies and third-party analytics | Article 6(1)(a) - Consent |
Where we rely on legitimate interests, you have the right to object to such processing. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
4. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
- Account data: Retained for the duration of your account and up to 3 years after closure for legitimate business and legal purposes.
- User content: Retained while your account is active. Deleted within 30 days of account closure upon request.
- Usage and analytics data: Retained in aggregated/anonymized form; identifiable logs kept for up to 12 months.
- Payment records: Retained for up to 10 years to comply with German tax and commercial law (HGB § 238).
- Support communications: Retained for up to 3 years after resolution.
After the applicable retention period, data is securely deleted or anonymized.
5. Data Storage & International Transfers
Your personal data is stored on servers located in Germany (European Union), operated by our cloud infrastructure provider. All primary data processing occurs within the EU/EEA.
We may transfer data to countries outside the EU/EEA in limited circumstances - for example, when using certain third-party analytics or communication tools. Where such transfers occur, we ensure an adequate level of protection through:
- European Commission adequacy decisions;
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- Other appropriate safeguards under Chapter V of the GDPR.
You may request a copy of the applicable safeguards by contacting [[email protected]].
6. Third-Party Services & Processors
We use the following categories of third-party sub-processors who may access your personal data to perform services on our behalf:
| Category | Purpose | Data Location |
|---|---|---|
| Cloud infrastructure (e.g., Hetzner, AWS EU) | Hosting, compute, storage | Germany / EU |
| Authentication provider | User sign-in and session management | EU / EEA |
| Payment processor (e.g., Stripe) | Subscription billing and invoicing | EU / USA (SCCs) |
| Transactional email (e.g., Resend, Postmark) | Account verification, notifications | EU / USA (SCCs) |
| Google Analytics (Google LLC) | Website and product usage analytics (page views, session data, user behaviour) | USA (SCCs / DPF) |
| AI model providers | AI-powered features and chatbot inference | EU / USA (SCCs) |
| Error monitoring (e.g., Sentry) | Application error tracking | EU / USA (SCCs) |
We only share data with sub-processors who have agreed to appropriate data processing agreements (DPAs) and provide sufficient security guarantees.
7. Security Measures
We implement technical and organizational security measures to protect your personal data against unauthorized access, loss, or disclosure. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls and role-based permissions for internal systems.
- Regular security assessments and dependency auditing.
- Secure credential management and environment isolation.
- Incident response procedures for data breach notification in compliance with GDPR Article 33/34.
No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to [[email protected]].
8. Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights regarding your personal data under the GDPR:
- Right of Access (Art. 15): Obtain a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to Restriction (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to Portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is consent-based.
- Right to Lodge a Complaint: File a complaint with your national data protection authority. For Germany, this is the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).
To exercise any of these rights, contact us at [[email protected]]. We will respond within 30 days. We may need to verify your identity before processing requests.
9. Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will update this Policy and provide an opt-out mechanism.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond the purposes permitted by the CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise your CCPA/CPRA rights, contact us at [[email protected]] or submit a request through your account settings. We will verify your identity and respond within 45 calendar days.
Authorized agents may submit requests on your behalf with written permission and identity verification.
11. Children's Privacy
The Service is not intended for children under the age of 16 (or the applicable minimum digital consent age in your country). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [[email protected]] and we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in the Service, legal requirements, or our data practices. When we make material changes, we will notify you by email or a prominent in-app notice at least 14 days before the changes take effect. The "Last Updated" date at the top of this page will always reflect the most recent revision.
Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.
13. Contact & Data Requests
For any privacy-related questions, data subject requests, or to exercise your rights, please contact:
[Company Legal Name]Attn: Privacy / Data Protection
[Company Address]
Germany
Email: [[email protected]]
DPO Email: [[email protected]] (if applicable)
We aim to acknowledge all requests within 5 business days and resolve them within 30 days.