Privacy Policy
DataFlow-Xpert, Inc. ("DataFlow-Xpert", "we", "our", or "us") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at dataflow-xpert.io, request a demo, or use the DataFlow-Xpert platform and its integrations — including our Salesforce, Google BigQuery, and Atlassian Jira connectors.
Please read this policy carefully. If you disagree with its terms, please discontinue use of our site.
1. Information We Collect
1.1 Information You Provide to Us
We collect information you voluntarily provide when you:
- Request a demo — first name, last name, work email address, company name, team size, and primary use case selected via the demo-request form.
- Contact us — any message content, email address, and name you supply via hello@dataflow-xpert.io or support@dataflow-xpert.io.
- Create a DataFlow-Xpert account — name, work email address, job title, and a password (stored as a salted bcrypt hash; we never store plaintext passwords).
- Configure an integration — OAuth tokens, service-account credentials, and API tokens required to connect third-party systems (see Section 3).
1.2 Information Collected Automatically
When you visit our website, our servers and third-party analytics tools automatically record:
- IP address and approximate geolocation (country/city level)
- Browser type, version, and language preference
- Operating system and device type
- Referring URL and pages visited on our site
- Time and date of each request
- UTM parameters and campaign identifiers
We use this data exclusively to understand aggregate site usage and to improve the user experience. We do not build individual behavioural profiles for advertising purposes.
1.3 Information from Third-Party Sources
If you connect DataFlow-Xpert to a third-party service (Salesforce, Google BigQuery, Atlassian Jira, or another supported connector), DataFlow-Xpert receives data from that service only to the extent required to provide the functionality you have configured. See Section 3 for full details.
2. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Respond to your demo request and schedule a product walkthrough | Legitimate interest / pre-contractual steps |
| Provide, maintain, and improve the DataFlow-Xpert platform | Performance of contract |
| Process integration connections and sync your third-party data | Performance of contract |
| Send transactional emails (demo confirmations, account alerts, sync error notifications) | Performance of contract |
| Send product updates and marketing communications (opt-out available at any time) | Legitimate interest / consent |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest |
| Comply with applicable legal obligations | Legal obligation |
| Analyse aggregate usage and improve site performance | Legitimate interest |
We will never sell your personal data to third parties. We will never use your data to train machine-learning models without your explicit written consent.
3. Third-Party Integrations & Data Processing
DataFlow-Xpert connects to third-party platforms at your direction to provide analytics and reporting features. When you activate an integration, DataFlow-Xpert accesses only the data objects and fields you explicitly select. The following describes how each featured integration works:
Salesforce CRM
- Authentication: OAuth 2.0 + PKCE. DataFlow-Xpert never stores your Salesforce username or password. Only a scoped OAuth access token and refresh token are retained, encrypted with AES-256 at rest.
- Data accessed: Only the Salesforce objects and fields you select in the connector configuration (e.g. Opportunity, Account, Contact, Lead, Activity, Case, Campaign, and any custom objects you include). DataFlow-Xpert requests the minimum necessary OAuth scopes:
api,refresh_token, andcdp_query_api(for Change Data Capture). - Data movement: Aggregated metric results are cached in DataFlow-Xpert's infrastructure for dashboard rendering. Raw field-level records are streamed in memory and are not stored beyond what is necessary to compute your configured metrics.
- Write-back: If you enable bi-directional write-back, DataFlow-Xpert writes only to the specific Salesforce fields you designate in the field mapper. No other records are modified.
- Data deletion: Revoking the Salesforce OAuth connection in your DataFlow-Xpert settings immediately invalidates the stored token and triggers deletion of all cached Salesforce-sourced data within 30 days.
Google BigQuery
- Authentication: GCP service account JSON key. The key is encrypted immediately upon upload using AES-256 and stored in our secrets manager. DataFlow-Xpert never logs or transmits the key in plaintext.
- Data accessed: Only the BigQuery datasets, tables, and views you select, within the GCP project associated with your service account. DataFlow-Xpert requests only the
BigQuery Data ViewerandBigQuery Job UserIAM roles — the minimum required for read-only query access. - Data movement: Query results (aggregated metrics) are cached transiently for dashboard rendering. DataFlow-Xpert does not copy or duplicate raw BigQuery table data into its own storage layer. BigQuery column-level security and data masking rules are fully respected.
- Cost transparency: DataFlow-Xpert performs a dry-run estimate before executing every query, and displays the projected byte cost in the connector UI. You can set a monthly budget threshold; queries that would exceed it require explicit approval.
- Data deletion: Removing the BigQuery connector from your DataFlow-Xpert workspace triggers deletion of the stored service-account key and all cached query results within 30 days.
Atlassian Jira
- Authentication: Atlassian OAuth 2.0 (Jira Cloud) or API token (Jira Data Center / Server). OAuth tokens are scoped to read-only access:
read:jira-workandread:jira-user. API tokens are encrypted at rest with AES-256. - Data accessed: Only the Jira projects and boards you select. DataFlow-Xpert reads Issues, Sprints, Epics, Worklogs, Components, and SLA Metrics. Custom fields and issue types are discovered at connection time and included only if you add them in the field mapper.
- Data movement: Issue counts, sprint velocities, cycle-time measurements, and SLA statuses are aggregated and cached for dashboard display. Raw issue descriptions, comments, or attachments are not stored.
- Data deletion: Removing the Jira connector in DataFlow-Xpert settings immediately invalidates the stored token and triggers deletion of all cached Jira-sourced data within 30 days.
3.4 Other Connectors
All other DataFlow-Xpert connectors (HubSpot, Stripe, Snowflake, Slack, Notion, PostgreSQL, dbt, Segment, Looker) operate under the same principles: least-privilege access, AES-256 encryption of credentials, no storage of raw records beyond what is required for metric computation, and full deletion upon connector removal. Connector-specific data processing addenda are available on request at privacy@dataflow-xpert.io.
3.5 Sub-processors
DataFlow-Xpert uses the following categories of sub-processors to operate the platform:
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Hosting, compute, storage | USA / EU |
| Email delivery | Transactional emails (demo confirmations, alerts) | USA |
| CRM / Sales | Managing demo requests and customer relationships | USA |
| Analytics | Aggregate website usage analytics (no individual tracking) | EU |
| Secrets management | Encrypted storage of integration credentials | USA / EU |
A full list of named sub-processors is available on request at privacy@dataflow-xpert.io.
4. Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data in the following limited circumstances:
- Service providers: Trusted sub-processors who help us deliver the platform (see Section 3.5), bound by data processing agreements that restrict their use of your data.
- Business transfers: If DataFlow-Xpert is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
- Legal obligations: We may disclose information if required by law, subpoena, court order, or to protect the rights, property, or safety of DataFlow-Xpert, our users, or the public.
- Aggregate / anonymised data: We may share anonymised, aggregated usage statistics (e.g. "X% of customers use Salesforce + Jira together") that cannot reasonably identify any individual.
- With your consent: We may share information for any other purpose with your explicit prior consent.
5. Cookies & Tracking Technologies
We use cookies and similar technologies on our website. For full details, see our Cookie Policy. In summary:
- Strictly necessary cookies — required for the website to function (e.g. session management). Cannot be disabled.
- Analytics cookies — help us understand aggregate page usage. We use privacy-first analytics tools configured without cross-site tracking. You can opt out at any time.
- Marketing cookies — used only if you have opted in via our cookie consent banner. We do not use ad-retargeting cookies by default.
The marketing site does not set cookies before you interact with the cookie consent banner. The DataFlow-Xpert platform sets strictly necessary session cookies when you log in.
6. Data Retention
| Data type | Retention period |
|---|---|
| Demo request submissions | 3 years from submission date, or until you request deletion |
| Account data (active customers) | Duration of the contract + 1 year |
| Integration credentials (OAuth tokens / service-account keys) | Until the integration is removed, then deleted within 30 days |
| Cached metric results from third-party connectors | 30 days after the connector is removed, or the account is closed |
| Server access logs | 90 days, then automatically purged |
| Email correspondence | 3 years |
| Billing & payment records | 7 years (legal and tax obligation) |
When a retention period expires, data is permanently deleted or anonymised. You may request earlier deletion at any time (see Section 9).
7. Security
We implement industry-standard technical and organisational measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256, including integration credentials stored in our secrets manager.
- OAuth tokens and API keys are stored in a dedicated secrets-management service, never in application databases or logs.
- Access to production systems is restricted via multi-factor authentication and role-based access controls.
- We maintain a SOC 2 Type II audit programme and conduct annual penetration tests by independent third parties.
- We have an incident-response plan. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, as required by the GDPR.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
8. International Data Transfers
DataFlow-Xpert, Inc. is incorporated in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please be aware that we transfer personal data to the USA and other jurisdictions that may have different data-protection laws than your home country.
We rely on the following transfer mechanisms to ensure your data is adequately protected:
- EU Standard Contractual Clauses (SCCs) — for transfers from the EEA to the USA and other third countries.
- UK International Data Transfer Agreements (IDTAs) — for transfers from the United Kingdom.
- DPF (Data Privacy Framework) — DataFlow-Xpert participates in the EU-US Data Privacy Framework where applicable.
A copy of our standard contractual clauses is available on request at privacy@dataflow-xpert.io.
9. Your Rights
9.1 Rights Under the GDPR (EEA / UK residents)
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation:
- Right of access — obtain a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making — DataFlow-Xpert does not make decisions about you using solely automated means that produce significant legal effects.
- Right to lodge a complaint — you may file a complaint with your local supervisory authority (e.g. ICO in the UK, or your national DPA in the EU).
9.2 Rights Under the CCPA / CPRA (California residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following rights:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of your personal information, subject to certain exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — DataFlow-Xpert does not sell or share personal information for cross-context behavioural advertising. No opt-out action is required.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
California residents may also designate an authorised agent to submit requests on their behalf. We will verify agent authority before processing such requests.
9.3 How to Exercise Your Rights
To exercise any of the rights listed above, email us at privacy@dataflow-xpert.io with "Privacy Request" in the subject line, or write to us at the address in Section 12. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request. We may need to verify your identity before processing your request.
10. Children's Privacy
The DataFlow-Xpert platform is designed for use by business professionals. We do not knowingly collect personal information from children under the age of 16 (or the applicable minimum age in your jurisdiction). If you believe a child has provided us with personal information, please contact us immediately at privacy@dataflow-xpert.io and we will take steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send an email notification to registered users at the email address associated with their account.
- Display a notice on the DataFlow-Xpert dashboard for 30 days after the change takes effect.
Your continued use of DataFlow-Xpert after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, please stop using the platform and contact us to close your account.
12. Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy, please contact us:
EU/UK residents may also contact our EU Representative at eu-rep@dataflow-xpert.io (appointment in progress — details will be published here before EU market launch).