Privacy Policy
Last updated: April 2026
This draft Privacy Policy is provided as a starting point. Before going live, have it reviewed by qualified counsel to ensure it meets GDPR, UK GDPR, CCPA/CPRA, DPDP, PIPEDA/Law 25, UAE PDPL, and any other jurisdiction-specific obligations applicable to your target markets.
Who we are
Secureflo (secureflo.net) provides AI-generated security intelligence and assessments. The data controller is Secureflo, reachable at karunakar@secureflo.net. Business address: Concord, USA.
What we collect
- Business email address — required to unlock the personalized feed and assessment report.
- Context you provide — country, industry, company size, role, tech stack, compliance frameworks, optional free-text notes on assessment questions.
- Assessment answers — your responses to multiple-choice questions, used to generate your report.
- Authentication data — if you sign in with Google OAuth, your email, name, and avatar URL (via Supabase Auth).
- Usage data — timestamps of API calls, IP addresses (for rate limiting), session tokens.
- Cookies and local storage — see "Cookies" below.
How we use your data
- To generate personalized security intelligence and assessment reports for you.
- To send you the verification code and optional product updates or marketing you opted into.
- To contact you about the Secureflo consulting services you explicitly requested (via the Contact form or "Talk to an Expert" flow).
- To operate and secure the service (rate limiting, fraud prevention, troubleshooting).
- To improve our questions, prompts, and models in aggregate (we do not sell individual data).
We do not sell your personal data. We do not share your free-text notes or assessment answers with third parties except our AI provider (Anthropic) for the sole purpose of generating your report — and they do not use it to train models under our configuration.
Legal basis (for EU/UK/Swiss users)
- Consent — for marketing emails, optional cookies, and assessment-context free-text notes.
- Legitimate interest — to operate the service, prevent abuse, and offer relevant consulting follow-ups to business users.
- Contract — to provide the assessment and report you requested.
- Legal obligation — for retention and disclosure required by law.
Sub-processors
- Supabase — database, authentication, and session storage.
- Anthropic — AI generation of questions, feed articles, analysis, and Q&A answers. Data is processed per their enterprise data processing terms and not used for model training.
- Resend — transactional email delivery (verification codes).
- Google — optional OAuth sign-in.
- Firebase App Hosting — application hosting.
Data retention
Verification codes expire within 10 minutes. Assessment sessions and emails are retained for as long as your account exists, plus up to 24 months afterward for customer-support and compliance purposes, unless you request deletion. Rate-limit logs are cleaned up after 24 hours.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, export, or restrict processing of your personal data, and to object to processing or withdraw consent at any time. For EU/UK residents, you may also lodge a complaint with your local supervisory authority.
To exercise any of these rights, email karunakar@secureflo.net. We respond within 30 days (45 days for CCPA requests).
International transfers
Secureflo is based in the United States. If you are in the EU/UK, Canada, Australia, India, Singapore, UAE, or another jurisdiction, your data will be transferred internationally. We rely on Standard Contractual Clauses (or equivalent safeguards) with our sub-processors for GDPR-subject data.
Cookies & local storage
We use cookies and browser local storage strictly necessary to operate the service (session tokens, rate-limit identifiers, assessment state so you don't lose progress on refresh). We may also use optional analytics cookies if you consent via the cookie banner. You can clear these at any time via your browser settings.
Security
We apply industry-standard controls — encryption in transit and at rest, least-privilege access to production, row-level security on the database, and rate limiting on API endpoints. No method of transmission or storage is 100% secure.
Children
Secureflo is a B2B product. We do not knowingly collect data from anyone under 16.
Changes
We may update this policy as the product evolves or as laws change. We will notify you of material changes by email or by an in-product notice. The "Last updated" date above reflects the current version.
Contact
Questions, requests, or concerns: karunakar@secureflo.net.