Privacy Policy

When you use WatchFlow, we collect information necessary to provide and improve our services. This includes:

Account Information

• Name, email address, and phone number provided during registration
• Business name and billing address
• Password (stored in hashed form; we never store plaintext passwords)

Business Data

• Inventory records, listings, and associated images you create within the platform
• Deals, contacts, invoices, and notes managed through the CRM and pipeline features

Usage & Analytics Data

• Log data such as IP address, browser type, pages visited, and timestamps
• Device information including operating system and screen resolution

Payment Information

• Billing details required to process your subscription
• Payment card information is handled entirely by Stripe and is never stored on our servers

Communication Data

• When distributing listings via WhatsApp or Telegram, message content passes through their respective infrastructure

We use the information we collect for the following purposes:

• To operate, maintain, and improve the WatchFlow platform
• To process transactions and manage your subscription
• To distribute your listings to the platforms and channels you select
• To generate AutoCaption listing captions (processed securely)
• To provide dealer storefront functionality
• To send transactional emails such as billing receipts and account notifications
• To provide customer support and respond to your inquiries
• To detect and prevent fraud, abuse, or security incidents
• To analyze aggregated usage trends and improve our product

We will never sell your personal information to third parties. We do not use your listing data or inventory information for any purpose other than delivering the services you have requested.

We process your personal data under the following legal bases:

• Contract Performance -- Processing necessary to provide the WatchFlow service you signed up for, including account management, listing distribution, and deal tracking
• Legitimate Interest -- Platform security, fraud prevention, service improvement, and aggregated analytics
• Consent -- Marketing communications and optional third-party integrations. You may withdraw consent at any time
• Legal Obligation -- Tax records, regulatory compliance, and responding to lawful data requests

WatchFlow administrators may access your account under strictly controlled conditions for customer support, troubleshooting, and security purposes. All administrative access is:

• Logged and auditable -- Every access is recorded with timestamp, reason, and duration
• Time-limited -- Sessions are capped at 15 minutes and auto-expire
• Read-only by default -- Administrators can view your data but cannot modify it unless write access is explicitly justified and approved
• Requires documented reason -- A minimum 10-character justification must be provided before any access
• Notified to you -- You receive an in-app notification after every administrative access session, including the reason provided

You can view your complete account activity log at any time from Settings > Account Activity. We will never access your account without a legitimate business or support reason.

WatchFlow integrates with select third-party services to deliver core functionality. These services have their own privacy policies, and we encourage you to review them:

• Stripe -- We use Stripe to process all subscription payments. Your payment card details are collected and stored by Stripe, not by WatchFlow. See Stripe's Privacy Policy.
• WhatsApp -- If you choose to distribute listings via WhatsApp, your messages and media are transmitted through WhatsApp's infrastructure. See WhatsApp's Privacy Policy.
• Telegram -- If you choose to distribute listings to Telegram groups, your messages and media are transmitted through Telegram's infrastructure. See Telegram's Privacy Policy.
• Shopify -- If you connect your Shopify store, inventory data is synced between WatchFlow and Shopify. See Shopify's Privacy Policy.
• QuickBooks -- If you connect QuickBooks, invoice data is synced for accounting purposes. See Intuit's Privacy Policy.

We only share the minimum data necessary for these services to function on your behalf. We do not sell your data to third-party advertising networks or data brokers.

We retain your data only as long as necessary to provide our services and meet our legal obligations:

• Active account data -- Retained while your account is active and for 30 days after account closure
• Deleted account data -- Permanently purged within 30 days of a deletion request
• Audit logs -- Retained for 2 years for security and compliance purposes
• Backup data -- Purged within 90 days of a deletion request
• Session data -- Expired sessions are automatically cleaned up
• Notifications -- Read notifications deleted after 90 days; all notifications after 1 year

You may request early deletion at any time by contacting us or using the in-app deletion request feature.

Your data may be transferred and processed in jurisdictions outside your own:

• Data is primarily stored and processed in secure data centers
• If data is transferred internationally, we ensure adequate protection through standard contractual clauses and equivalent safeguards
• We will always inform you if your data is processed outside your jurisdiction

We take the security of your data seriously and implement industry-standard measures to protect it:

• All data is encrypted in transit using TLS/SSL protocols
• Sensitive data is encrypted at rest using AES-256 encryption
• Access to production systems is restricted and audited
• We perform regular backups to prevent data loss
• Our infrastructure is hosted on secure, reputable cloud providers

While we employ rigorous security practices, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique password for your WatchFlow account and to notify us immediately if you suspect any unauthorized access.

You have the following rights regarding your personal data:

• Right of Access (GDPR Art. 15) -- Request a copy of all personal data we hold about you
• Right to Rectification (GDPR Art. 16) -- Update or correct your information from your dashboard or by contacting us
• Right to Erasure (GDPR Art. 17) -- Request deletion of your account and data via the in-app feature or email; processed within 30 days
• Right to Restriction (GDPR Art. 18) -- Request restriction of processing while a complaint is being investigated
• Right to Data Portability (GDPR Art. 20) -- Export your data in a standard machine-readable JSON format via Settings
• Right to Object (GDPR Art. 21) -- Object to processing based on legitimate interests

CCPA Rights

California residents have additional rights including the right to know what data is collected, the right to delete, the right to opt-out of sale (we do not sell your data), and the right to non-discrimination for exercising your privacy rights.

Automated Decision-Making

We do not make any automated decisions that have significant legal effects on you.

You may lodge a complaint with your local data protection supervisory authority at any time. To exercise any of these rights, please contact us at the address provided below. We will respond to all requests within 30 days.

WatchFlow uses a limited number of cookies and local storage entries to operate the platform:

• Authentication cookies -- Required to keep you logged in and maintain your session
• Preference storage -- Used to remember your settings such as theme preference (light/dark mode)
• Analytics -- We may use privacy-respecting analytics to understand how the platform is used in aggregate

We do not use third-party tracking cookies or advertising cookies. You can manage cookies through your browser settings, though disabling essential cookies may affect your ability to use WatchFlow.

If you have any questions about this Privacy Policy, your data, or your rights, please reach out to us:

• Email: privacy@watchflow.app
• Contact page: watchflow.app/contact

If you are in the EU, you have the right to lodge a complaint with your local Data Protection Authority.

We are committed to resolving any concerns about your privacy promptly and transparently. We aim to respond to all data protection requests within 30 days.