Nuvflo

Last updated: March 2026

Overview

Nuvflo ("we," "us," or "our") is an AI-powered refund assistance service. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website and services, including any features that connect to your email accounts.

By using Nuvflo, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Password (stored as a secure hash)
  • Payment information (processed by Stripe; we do not store full card numbers)

Email Data (If You Connect Your Inbox)

If you choose to connect your Gmail or other email account, we access only the data necessary to provide our refund assistance features:

  • Email metadata: sender, recipient, subject line, date/time
  • Email content: message body text for billing-related emails you select or that match billing/invoice patterns
  • Attachments: invoice or receipt attachments you explicitly share

What We Do NOT Access

  • We do not scan your entire inbox continuously
  • We do not access emails unrelated to billing or refund requests
  • We do not read personal, social, or promotional emails
  • We do not access your contacts or calendar

Usage Data

We collect standard analytics data including pages visited, features used, device type, browser, and IP address (anonymized where possible).

Google Workspace / Gmail Data Use Disclosure

Nuvflo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

OAuth Scopes We Request

When you connect Gmail, we request only the minimum scopes necessary:

  • gmail.readonly — To read billing-related emails for fact extraction
  • gmail.send — To send refund request drafts you approve from your account
  • gmail.compose — To create draft emails for your review before sending

We use incremental authorization—you can start with read-only access and grant send permissions only when needed.

Limited Use Compliance

In accordance with Google's Limited Use requirements:

  • We only use Gmail data to provide the refund assistance features you enable
  • We do not use Gmail data for advertising purposes
  • We do not sell Gmail data to third parties
  • We do not use Gmail data to build user profiles for advertising
  • Human access to your Gmail data is restricted to support scenarios you explicitly request

How We Use Your Information

We use collected information to:

  • Provide and improve our refund assistance services
  • Extract relevant facts from billing emails (amounts, dates, order numbers)
  • Generate draft refund request emails for your review
  • Send approved communications on your behalf (only with your explicit approval)
  • Process payments and manage your subscription
  • Send transactional emails (receipts, account updates, security alerts)
  • Respond to support requests
  • Improve our AI models using aggregated, de-identified data only

Data Sharing and Third Parties

Service Providers

Provider | Purpose | Data Shared
OpenAI | AI text generation | Email excerpts for draft generation
Stripe | Payment processing | Payment details
Supabase | Database & auth | Account data, encrypted tokens
Netlify | Website hosting | Standard web logs
Resend | Transactional email | Email address for notifications

AI/LLM Data Handling

When we use OpenAI's API to generate draft emails:

  • Data sent to OpenAI via the API is not used to train OpenAI models by default
  • OpenAI retains API logs for abuse monitoring for up to 30 days
  • We send only the minimum necessary context (extracted facts, not full email threads)

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

Data Retention and Deletion

Retention Periods

  • Account data: Retained while your account is active, plus 30 days after deletion request
  • OAuth tokens: Encrypted at rest; deleted immediately upon disconnection
  • Extracted email facts: Retained for 90 days for case history, then automatically deleted
  • Generated drafts: Retained for 30 days after creation, then deleted
  • Payment records: Retained as required by law (typically 7 years)

Your Deletion Rights

You can delete your data at any time:

  • Disconnect email: Revoke access in your Google Account settings or in-app
  • Delete account: Use the in-app "Delete my data" option or email support@nuvflo.io
  • Delete specific cases: Remove individual refund cases from your dashboard

Upon deletion request, we will delete or de-identify your data within 30 days, except where retention is required by law.

Your Rights Under GDPR (EEA Users)

If you are in the European Economic Area, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at support@nuvflo.io. We will respond within 30 days.

Your Rights Under CCPA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of personal information collected, used, and shared
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell your data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To submit a request, email support@nuvflo.io with subject "CCPA Request."

Data Security

We implement industry-standard security measures:

  • Encryption in transit: All data transmitted via TLS 1.3
  • Encryption at rest: OAuth tokens and sensitive data encrypted using AES-256
  • Access controls: Role-based access; employees cannot read your emails without explicit consent
  • Infrastructure: Hosted on SOC 2 compliant providers
  • Monitoring: Automated security monitoring and alerting

For more details, see our Security page.

Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights:

  • Email: support@nuvflo.io

For EU residents, you also have the right to lodge a complaint with your local data protection authority.
