Privacy Policy
Last updated: 9 February 2026
1. Introduction
Archflow ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use the Archflow platform at https://archflow.dev (the "Service").
This policy is issued in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we refer to "GDPR" in this policy, we mean the UK GDPR as retained in domestic law.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller
Archflow is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you may contact us at [email protected].
3. Personal Data We Collect
3.1 Information you provide directly
- Account information: your full name, email address, and password (stored in hashed form) when you register for an account.
- Profile information: your profile avatar image, which is processed and stored in multiple sizes on our servers.
- Project content: user stories, scope cards, system diagrams, documentation, and comments you create within the Service.
- Communications: any messages or feedback you send to us directly.
- Voucher codes: promotional or referral codes you redeem on the platform.
3.2 Information collected through third-party authentication
If you choose to sign in via GitHub or Google OAuth, we receive your name, email address, and profile avatar URL from the respective provider. We store your OAuth provider identifier to link your account.
3.3 Payment information
We use Stripe to process subscription payments. We do not store your full payment card details on our servers. Stripe collects and processes your payment information directly. We store only your Stripe Customer ID, Subscription ID, subscription status, and subscription period dates to manage your account tier.
3.4 Automatically collected information
- Usage data: we log your interactions with the Service, including project activities (e.g. creating stories, editing diagrams), AI feature usage (request counts and token consumption), and timestamps.
- Session data: we maintain server-side session records for authentication, including session identifiers and expiry timestamps.
- AI interaction data: when you use the AI assistant ("Flowy") or AI generation features, we store your prompts, the AI-generated responses, session identifiers, and token usage metrics to deliver and improve the service.
4. Lawful Basis for Processing
We process your personal data on the following lawful bases:
- Performance of a contract (Article 6(1)(b)): processing necessary to provide the Service to you, including account creation, authentication, project management, and subscription billing.
- Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and usage analytics. We have assessed that these interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)): where you explicitly consent, such as opting in to receive marketing communications or connecting third-party OAuth providers.
- Legal obligation (Article 6(1)(c)): where processing is required to comply with applicable law, such as tax record-keeping for subscription payments.
5. How We Use Your Data
We use the personal data we collect to:
- Create and manage your account, including email verification and password reset functionality.
- Provide the core Service features: project management, user stories, scope cards, diagrams, documentation, and real-time collaboration.
- Deliver AI-powered features, including the AI assistant and content generation, by transmitting your prompts and contextual project data to our AI provider.
- Process subscription payments and manage your account tier through our payment processor.
- Send transactional emails including account verification, welcome messages, password resets, and project invitation notifications.
- Enable real-time collaboration features including live cursors, presence indicators, and synchronised editing.
- Provide full-text search across your project content to improve usability.
- Monitor platform usage and enforce fair-use limits on AI features based on your subscription tier.
- Protect the security and integrity of the Service, including rate limiting and fraud detection.
6. Data Sharing and Third-Party Processors
We share your personal data with the following categories of third parties, each acting as a data processor on our behalf under appropriate contractual safeguards:
- Stripe, Inc. — payment processing. Stripe receives your payment information and billing details to process subscription transactions. Stripe's privacy policy: stripe.com/privacy.
- Resend — transactional email delivery. Resend receives your email address and name to deliver account-related emails on our behalf.
- Anthropic — AI service provider. When you use AI features, your prompts and relevant project context are transmitted to Anthropic's API to generate responses. We do not send your personal account details (such as name or email) to Anthropic; only the content you choose to include in your prompts and the project data necessary for generation.
- GitHub / Google — OAuth authentication providers. If you use social login, these providers share your basic profile information with us as described in Section 3.2.
We do not sell, rent, or trade your personal data to any third party. We do not use third-party advertising or behavioural tracking services.
7. International Data Transfers
Some of our third-party processors (Stripe, Anthropic, Resend) are based in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
- Transfer Risk Assessments conducted in accordance with ICO guidance.
- Reliance on the UK Extension to the EU-US Data Privacy Framework where applicable.
8. Cookies and Local Storage
The Service uses the following cookies and browser storage:
- Session cookie (connect.sid): a strictly necessary HTTP-only session cookie used for authentication. Expires after 7 days.
- Authentication token (auth_token): stored in a cookie and localStorage for maintaining your login session. Expires after 7 days.
- UI preference (sidebar_state): a cookie storing your sidebar layout preference. Expires after 7 days.
- Theme preference: stored via localStorage by the theme provider to remember your light/dark mode selection.
All cookies used by the Service are strictly necessary or functional cookies required to provide the Service. We do not use analytics, advertising, or tracking cookies. Under ICO guidance, strictly necessary cookies do not require consent.
9. Data Retention
We retain your personal data as follows:
- Account data: retained for as long as your account remains active. Upon account deletion, your personal data is deleted or anonymised within 30 days, except where retention is required by law.
- Project content: retained for the duration of your account. When a project is deleted, associated content (stories, diagrams, scope cards, documentation, comments) is permanently deleted.
- AI interaction history: retained for up to 12 months for service improvement purposes, then automatically purged.
- Activity logs: retained for up to 12 months for security and auditing purposes.
- Payment records: retained for 7 years after the end of your subscription, as required by UK tax legislation.
- Session data: automatically purged upon session expiry (7 days).
10. Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restrict processing: request restriction of processing in certain circumstances.
- Right to data portability: receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, as required by law. In complex cases, we may extend this period by a further two months, in which case we will inform you within the initial one-month period.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Passwords are hashed using bcrypt with industry-standard salt rounds; we never store plaintext passwords.
- All data in transit is encrypted using TLS/HTTPS.
- Session cookies are configured as HTTP-only and Secure in production environments.
- Authentication rate limiting is applied to prevent brute-force attacks.
- Security headers are enforced via Helmet.js, including Content Security Policy.
- Access to production systems is restricted to authorised personnel.
While we take reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your personal data.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 of the UK GDPR.
13. AI-Specific Data Processing
When you use the AI features of the Service (including the AI assistant "Flowy", AI-generated stories, scope cards, diagrams, and documentation):
- Your prompts and selected project context are transmitted to Anthropic's Claude API for processing.
- AI-generated outputs are stored within your project data and treated as project content under this policy.
- We track AI usage metrics (request counts and token consumption) to enforce fair-use limits based on your subscription tier.
- AI chat conversation history is stored on our servers to provide contextual continuity within sessions.
- Anthropic processes data in accordance with their data processing terms. We recommend reviewing Anthropic's privacy policy for further information.
14. Children's Data
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete such information promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Where changes are significant, we may also notify you by email. Your continued use of the Service after any changes constitutes acceptance of the revised policy.
16. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: [email protected]
- Website: https://archflow.dev
You may also contact the Information Commissioner's Office (ICO) for independent advice about data protection, privacy, and data sharing issues:
- Website: ico.org.uk
- Telephone: 0303 123 1113