Privacy Policy
Last updated: March 3, 2026
This Privacy Policy explains how Castor Flow ("we", "our", or "us") collects, uses, stores, and protects your personal data when you visit our website (castorflow.com) or use our software application. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Who We Are
Castor Flow is the data controller responsible for your personal data. If you have any questions about this policy or your data, you can contact us at:
- Email: privacy@castorflow.com
- Website: castorflow.com
2. What Data We Collect
We collect the following categories of personal data:
2.1 Account data
- Name and email address (required to create an account)
- Password (stored in hashed form via Firebase Authentication)
- Profile photo (optional, if provided via Google Sign-In)
2.2 Usage data
- Lead records you create or import (business names, addresses, phone numbers, websites)
- Notes, tasks, and activity logs you add inside the application
- Pipeline stages and sales data you manage in the CRM
2.3 Email integration data
- If you connect Gmail or Outlook, we read your inbox and sent items to sync emails with your contact history. We only read email metadata (sender, recipient, subject, date) and the email body; we never store emails outside your own secure Firestore collection.
- OAuth tokens are stored in an encrypted, access-restricted Firestore sub-collection accessible only via our backend (Firebase Admin SDK). They are never exposed to the frontend or third parties.
2.4 Technical data
- IP address and browser/device type (collected by Firebase and Google Cloud infrastructure)
- Log data and error reports (used to diagnose and fix issues)
- Cookies and similar tracking technologies (see our Cookie Policy)
2.5 Beta signup data
- Name, email address, and optional use-case description submitted via our beta signup form
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing and operating the platform | Performance of a contract (Art. 6(1)(b)) |
| Authenticating your account | Performance of a contract (Art. 6(1)(b)) |
| Syncing emails with your contact history | Your explicit consent (Art. 6(1)(a)) — granted when you connect Gmail or Outlook |
| Sending transactional emails (e.g. access confirmation) | Performance of a contract (Art. 6(1)(b)) |
| Improving our product using aggregated usage data | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Data Retention
We retain your personal data for as long as your account is active or as necessary to provide our services. Specifically:
- Account data: retained for the duration of your account plus 30 days after deletion
- Lead and CRM data: deleted immediately upon account deletion
- Email OAuth tokens: deleted immediately when you disconnect your email integration or delete your account
- Log data: retained for up to 90 days for security and debugging purposes
- Beta signup data: retained until we notify you of beta access, or for a maximum of 12 months if no access was granted
5. Who We Share Your Data With
We do not sell your personal data. We share your data only with the following trusted sub-processors, all bound by GDPR-compliant data processing agreements:
- Google Firebase / Google Cloud Platform — authentication, database (Firestore), cloud functions, and hosting. Data is stored in the us-central1 region (United States). Google LLC is certified under the EU-US Data Privacy Framework.
- Google Maps Platform — used to search and retrieve publicly available business data from Google Maps. No personal data of our users is sent to Google Maps; only your search queries are sent.
- Microsoft Graph API — used only when you actively connect your Outlook account. OAuth tokens are never shared beyond our own infrastructure.
- Stripe — used for payment processing. Stripe is PCI-DSS compliant. We do not store card details.
We may also disclose your data if required by law, court order, or to protect our legal rights.
6. International Data Transfers
Our primary infrastructure (Firebase / Google Cloud) stores data in the United States (us-central1 region). Google LLC participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses (SCCs) as an additional safeguard for international data transfers. You can review Google's data processing terms at firebase.google.com/support/privacy.
7. Your Rights Under the GDPR
If you are in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restriction — ask us to limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent at any time for processing based on consent (e.g. email integration)
To exercise any of these rights, email us at privacy@castorflow.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
8. Data Security
We take security seriously. All data is transmitted over TLS/SSL encrypted connections. Sensitive tokens are stored in Firestore sub-collections with strict security rules, accessible only via our server-side Firebase Admin SDK. Passwords are never stored in plain text — authentication is handled entirely by Firebase Authentication.
Despite our measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at privacy@castorflow.com.
9. Children's Privacy
Our service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or a prominent notice within the application at least 14 days before the change takes effect. The date of the most recent update is always shown at the top of this page.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact our privacy team:
- Email: privacy@castorflow.com
- Website: castorflow.com