This Privacy Policy explains what information Gravity Epoch, S.A. de C.V. (operator of the Booflow platform — referred to as "Booflow", "we" or "us") collects when you use our platform (the "Service"), why we collect it, how we handle it, and what rights you have. We try to keep it short and honest.

Legal entity: Gravity Epoch, S.A. de C.V. · RFC GEP180321P73 · Cerrada Acueducto #5713, Int. 501, Col. Zona Residencial Anexa Estrellas del Sur, C.P. 72176, Heroica Puebla de Zaragoza, Puebla, México.

1. What we collect

Information you give us

• Account data — name, email, password hash, profile picture.
• Organization data — org name, logo, brand color, team members you invite.
• Workspace content — flows, tasks, templates, comments, checklist answers, files.
• Billing data — Stripe processes your payment info; we store only the customer ID, subscription status, and invoice metadata.

Information from integrations

When you connect a third-party account (Google, Zoom, Dropbox, etc.) we receive OAuth tokens and the minimum metadata required to perform the actions you requested (e.g. create a calendar event, upload a file). We do not read anything beyond what the integration needs.

Automatic data

• Log data — IP address, user agent, request path, timestamps, for security and abuse-prevention.
• Cookies — session cookies for authentication; we do not use third-party ad tracking.

2. Why we use it

For users in the EEA/UK/Switzerland, the GDPR legal basis for each purpose is listed in brackets:

• To operate the Service (auth, flow engine, notifications) — contract performance.
• To bill your subscription via Stripe — contract performance.
• To respond to support requests — contract performance / legitimate interest.
• To send transactional email — contract performance. To send limited marketing email — consent; you can opt out anytime.
• To detect abuse, fraud, and security incidents — legitimate interest.
• To comply with legal obligations (tax, anti-money laundering, court orders) — legal obligation.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you (no automated credit scoring, no automated profiling that denies service, etc.).

3. Sharing

We share data only with:

• Sub-processors that power our infrastructure: AWS (hosting + S3 file storage), Vercel (application deployment + edge network), Stripe (billing), SendGrid (transactional email), Pusher (real-time notifications), Upstash (rate limiting + cache). See our Sub-processors page for the canonical list with locations and roles.
• Your team — members of your organization can see your org's content according to their role.
• External collaborators you invite — they see only the flows/tasks you share with them.
• Integrations you connect — per your explicit authorization.
• Authorities — if legally required (we'll notify you unless prohibited).

We never sell personal data.

4. Data retention

We keep your data while your account is active and for up to 90 days after account or organization deletion, after which it is permanently erased, except for billing records which we retain as required by tax law.

5. Security and breach notification

We use TLS everywhere, encrypt backups at rest, hash passwords with bcrypt, and gate access with multi-factor auth on production systems. Secrets are rotated regularly and stored in a vault. Despite best efforts, no service is 100% secure — report issues to security@booflow.com.

Breach notification: If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the affected account owners by email without undue delay, and in any event within the timeframes required by applicable law (72 hours for GDPR notifications to supervisory authorities, where applicable). Notifications include what we know about the nature of the breach, the categories of data involved, and the remedial steps we are taking.

6. Your rights

6.1 Mexican law — Derechos ARCO (LFPDPPP)

As a Mexican entity (Gravity Epoch, S.A. de C.V., RFC GEP180321P73) we comply with the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP). If you are a Mexican data subject, you have the following ARCO rights:

• Acceso (Access) — request a copy of the personal data we hold about you.
• Rectificación (Rectification) — request correction of inaccurate data.
• Cancelación (Cancellation) — request deletion of your personal data.
• Oposición (Opposition) — object to specific processing of your personal data.

You also have the right to revoke any consent previously granted, and to limit the use or disclosure of your personal data. To exercise any ARCO right, email privacy@booflow.com with the subject line "Datos Personales". We respond within the timeframes set by LFPDPPP (typically 20 business days for the initial response). If you are not satisfied with our response, you may contact the INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) at home.inai.org.mx.

6.2 Other jurisdictions

If you are located outside Mexico, you may have additional rights:

• EEA/UK/Switzerland (GDPR): Access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
• California (CCPA/CPRA): Know, delete, correct, opt out of sale/sharing (we never sell), limit use of sensitive personal information.
• Brazil (LGPD): Confirmation, access, correction, anonymization, portability, deletion, information about sharing.
• Self-service: Access and export are available from Profile → Export my data. Account deletion from Profile → Delete account.

To exercise a right we don't already expose in-product, email privacy@booflow.com. We respond within 30 days (and within the shorter timeframes mandated by your local law, if applicable).

7. International transfers

Booflow is operated from Mexico (Puebla). Personal data is stored and processed in the data centers of our sub-processors, primarily in the United States. If you are in the EEA, UK, or Switzerland:

• Transfers from your jurisdiction to Booflow in Mexico are covered by the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), which we incorporate into our DPA.
• Onward transfers from Booflow to sub-processors in the United States are likewise covered by the SCCs flowed down to each sub-processor.
• Mexico does not have an EU adequacy decision, so the SCCs are the legal mechanism we rely on for the EEA→Mexico leg. Where a sub-processor is certified under the EU-US Data Privacy Framework, we may also rely on that.

8. Children

Booflow is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a minor has created an account, contact us and we'll delete it.

9. Changes

We'll update this policy from time to time. Material changes will be notified at least 30 days before they take effect.

10. Contact

Privacy questions? privacy@booflow.com.
Our Data Protection Officer: dpo@booflow.com.