Privacy Policy

Last updated: May 28, 2026
Jurisdiction: United States
Contact: support@octoflowus.com

§01

Overview

OctoFlow is built by salespeople, for salespeople. We collect the minimum data needed to run the Service and never sell your personal information. This policy explains what we collect, why, who else handles it on our behalf, and how you can control it. If you have questions after reading this, email support@octoflowus.com.

§02

Minimum Age

OctoFlow is intended for use by adults engaged in professional sales activity. You must be 18 years or older to create an account or use the Service. We do not knowingly collect personal information from anyone under 18. If you become aware that a minor has created an account, contact support@octoflowus.com and we will delete the account and associated data.

§03

What We Collect

We collect only what is needed to operate the Service. The table below enumerates every category of data OctoFlow processes. We do not collect: your CRM credentials, the contents of emails or messages outside of what you explicitly log inside OctoFlow, browsing history, or any data from pages you visit beyond URL-pattern detection of supported CRM platforms.

| Data category | Examples | Retention | Purpose |
| --- | --- | --- | --- |
| Account credentials | Email address, 6-digit PIN (stored hashed by Firebase Authentication) | Until account deleted | Authentication, account recovery |
| Activity logs | Calls, emails, LinkedIn messages, network touches you log; daily goals; streak history; XP and level | Active account + 30 days after deletion | Core product functionality |
| Sales workspace data | Prospects you add (name, company, contact info you enter), weekly notes, weekly pipeline ($ amounts and deal counts), activity notes, mind-map nodes you create | Active account + 30 days after deletion | Core product functionality |
| Public profile | Display name on the Arena leaderboard, optional team code, public chat messages you send in the Arena | Active account + 30 days after deletion; chat older than 30 days is pruned automatically | Leaderboard, peer motivation, team play |
| Team data (if you opt in) | Team name, member list, weekly aggregated stats per member | Active team + 30 days after team deletion | Team mode features |
| Contact form submissions | Name, email, company (optional), message | Up to 24 months after submission for support history; can be deleted on request | Responding to support and feedback |
| Technical data | Browser type, extension version, anonymized error logs | 30 days | Debugging and stability |
| Rate-limit state | SHA-256 hash of submitter IP (raw IP is never stored) | 24 hours | Abuse prevention on the contact form |

§04

How We Use It

We use your data to: provide and improve the Service, send transactional emails (verification, password reset, support replies), respond to support requests, and aggregate anonymized usage patterns to understand how the product is used. We do not use your data to train machine-learning models or for advertising.

§05

Service Providers (Sub-Processors)

We use the following service providers to deliver the Service. Each is a contractually-bound data processor and only handles data necessary for their function:

| Data category | Examples | Retention | Purpose |
| --- | --- | --- | --- |
| Google Firebase | Authentication, Firestore database, Cloud Functions, hosted in the United States | As long as account is active | Account auth, data storage, server logic |
| Resend (resend.com) | Transactional email delivery (verification, password reset, contact form notifications) | Email send logs for ~30 days | Email delivery |
| Vercel | Marketing website hosting at octoflowus.com; standard web access logs | Per Vercel's privacy policy | Marketing site and email-verification handler page |
| Google Cloud Logging | Cloud Function execution logs (may contain function names, timing, error stacks; not personal data by default) | 30 days | Diagnostics |

§06

Public Profile

OctoFlow includes a social feature called the Arena: a weekly leaderboard and chat channel visible to all signed-in users. When you use OctoFlow, the following information is visible to other authenticated users: your Arena display name (you choose this — it does not have to be your real name), your weekly counts of logged activities and XP, your level, and any chat messages you send in the Arena. Your email address, prospects, notes, and pipeline data are never visible to other users.

§07

CRM Page Detection

The OctoFlow extension can detect when you are viewing a page on Salesforce or HubSpot in order to surface in-product suggestions (for example, prompting you to log an activity). This detection works by URL-pattern matching on the active tab — the extension never reads page contents, CRM record data, or your CRM credentials. No CRM data is transmitted to OctoFlow servers.

§08

Data Sharing

We share personal data only with: (a) the service providers listed in §05 above, who act as our processors under contract; (b) law-enforcement or government authorities when required by a valid legal request; and (c) parties you explicitly direct us to share with (for example, by configuring a Slack webhook in your settings, which causes outbound activity summaries to be sent to that Slack workspace). We do not sell, rent, or trade your personal data.

§09

International Data Transfers

OctoFlow's infrastructure runs in the United States. If you access the Service from outside the United States, you understand and consent to the transfer, processing, and storage of your data in the United States. Where required (for example for EU/EEA users), we rely on Standard Contractual Clauses or equivalent transfer mechanisms put in place by our service providers (Google, Resend, Vercel).

§11

Your Rights

You have the right to: access a copy of the personal data we hold about you, correct inaccurate information, delete your account and associated data (available in Settings inside the extension), export your activity log, restrict or object to certain processing, and (for EU/UK/Swiss users) lodge a complaint with your local data-protection supervisory authority. To exercise any of these rights, use Settings → Delete Account inside the extension or email support@octoflowus.com. We respond within 30 days.

§12

California Residents (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act and California Privacy Rights Act: the right to know what categories of personal information we collect and the categories of third parties we share it with (see §03 and §05 above), the right to delete personal information (see §11), the right to correct inaccurate information, and the right to non-discrimination for exercising any of these rights. We do not "sell" personal information as defined by the CCPA, and we have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months.

§13

Children's Privacy

OctoFlow is not directed to children. We do not knowingly collect personal information from children under 13 (or under 16 in EU/EEA jurisdictions). The Service requires users to confirm they are 18 or older at signup. If we learn that a child has provided us with personal information, we will delete it immediately. Parents who believe their child has created an account can request deletion at support@octoflowus.com.

§14

Data Retention

Active account data is retained for the life of your account. When you delete your account, personal data is removed from active systems within 30 days and from backups within 90 days. Anonymized, aggregated usage data may be retained indefinitely. Specific retention windows per data category are listed in the table in §03.

§15

Security & Breach Notification

We use industry-standard security practices: encryption in transit (TLS 1.2+), Firebase-managed encryption at rest, password hashing (scrypt) handled by Firebase Authentication, scoped service-account credentials, per-user access controls in Firestore Security Rules, rate-limiting on public endpoints, and least-privilege IAM. No system is perfectly secure. In the event of a security incident affecting your data, we will notify affected users by email within 72 hours of confirming the incident, in line with GDPR Article 33.

§16

Storage Technology

OctoFlow does not use traditional browser cookies for tracking. The extension stores account state in chrome.storage.local (a Chrome-managed sandboxed key-value store), and Firebase Authentication uses IndexedDB to maintain your session between visits. Neither mechanism is shared with third-party advertisers or analytics platforms. The OctoFlow extension does not inject tracking code, pixels, or scripts into pages you visit.

§17

Changes to This Policy

We will notify you of material changes to this policy via in-product notice and (for accounts with verified email addresses) via email, at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance. Older versions of this policy are available on request at support@octoflowus.com. Last updated: May 28, 2026.

§18

Contact

Questions about this Privacy Policy or data-rights requests should be directed to support@octoflowus.com. We respond to all data-rights requests within 30 days.