Privacy Policy

Last updated:

1. Introduction & Scope

Corpflow ("we," "us," or "our") operates a corporate entity management and compliance platform consisting of:

  • The Corpflow website (the "Website")

  • The Corpflow SaaS platform (the "Platform")

  • The Corpflow Chrome browser extension (the "Chrome Extension")

  • The Corpflow Microsoft Word Add-in (the "Word Add-in")

(collectively, the "Services").

This Privacy Policy describes how we collect, use, store, share, and protect your personal information and data when you access or use any of our Services. It applies to all users, including account holders, organizational administrators, and any individual who interacts with the Services.

By accessing or using any of our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Services.

2. Information We Collect

2.1 Information You Provide to Us

Account Information. When you register for or are invited to a Corpflow account, we collect:

  • Email address

  • First and last name

  • Password (stored only in hashed form)

  • Organization affiliation

  • Role within your organization (e.g., administrator, attorney, paralegal, viewer)

Entity and Corporate Data. When you use the Platform to manage entities, you may provide:

  • Entity names, legal entity types, jurisdictions, and formation details

  • Mailing and registered addresses

  • Tax identification numbers, tax classifications, and tax elections

  • Bank account information (account numbers, routing numbers, SWIFT/BIC, IBAN)

  • Registration and governing documents

  • Corporate structure and ownership relationships

Contact and Person Data. You may store information about individuals associated with your entities, including:

  • Full legal name (first, middle, last name, suffix)

  • Date and place of birth, nationality, and country of residence

  • Identification document details (document type, number, issuing authority, issue and expiration dates)

  • Employment history (employer, job title, dates)

  • Email addresses and phone numbers

  • Physical addresses (residential and mailing)

Documents and Files. You may upload documents to the Platform, including PDFs, Word documents, Excel spreadsheets, CSV files, images, and plain text files. We store the file content, filename, file size, file type, and a cryptographic hash of the file for integrity verification.

Communications and Interactions. We collect information you provide when you submit feedback, create interaction records, leave comments, or communicate with our AI-powered assistant.

2.2 Information Collected Through the Chrome Extension

The Corpflow Chrome Extension enables you to interact with the Platform directly from your browser. When you use the Chrome Extension, we may collect:

  • Document metadata and content: When you choose to upload a document through the Extension, we access the file content and metadata (filename, file type, file size) necessary to transfer it to the Platform.

  • Authentication tokens: The Extension stores your authentication credentials locally in your browser to maintain your session with the Platform.

The Chrome Extension only accesses data when you actively choose to interact with it. It does not passively monitor your browsing activity, collect browsing history, or access data from websites you visit outside of the Extension's intended workflow.

2.3 Information Collected Through the Microsoft Word Add-in

The Corpflow Word Add-in enables you to upload and manage documents directly from Microsoft Word. When you use the Word Add-in, we collect:

  • Document content: The full content of the Word document you choose to upload, transmitted securely to our servers for storage and processing.

  • Document metadata: The document filename, URL, and file type.

  • Authentication data: Your session credentials to authenticate with the Platform.

The Word Add-in only accesses the document that is currently open and active in Microsoft Word, and only when you initiate an action (such as uploading). It does not access other files on your device or other open documents.

2.4 Information Collected Automatically

When you access or use our Services, we automatically collect certain technical information:

  • Device and browser information: Browser type and version, operating system, and device type.

  • Network information: IP address, which may be used to approximate general geographic location.

  • Usage data: Pages visited within the Platform, features used, session duration, and timestamps of activity (e.g., entities created or updated, documents uploaded, filings completed).

  • Session data: Login and logout times, session duration, and last activity timestamps.

2.5 Cookies and Local Storage

We use a limited set of cookies and browser storage mechanisms that are essential to the operation of the Services:

Mechanism

Purpose

Details

access_token (cookie)

Authentication

Maintains your authenticated session. Expires after 7 days. Transmitted securely over HTTPS in production.

refresh_token (cookie)

Authentication

Used to refresh your session. HttpOnly cookie not accessible to JavaScript. Expires after 7 days.

session_cookie (cookie)

Session management

Used for document editor authentication. Session-scoped.

access_token (localStorage)

Authentication

Stores your session token locally for API requests.

user (localStorage)

User preferences

Stores basic user profile data (name, role, organization) to personalize the interface.

We do not use third-party advertising cookies, tracking pixels, or behavioral analytics tools (such as Google Analytics, Mixpanel, or similar services) on the Platform.

3. How We Use Information

We use the information we collect for the following purposes:

Providing and Operating the Services:

  • Creating and managing user accounts and organizational workspaces

  • Enabling entity management, compliance tracking, filing management, and document storage

  • Processing document uploads, including from the Chrome Extension and Word Add-in

  • Generating documents and facilitating electronic signature workflows

  • Providing AI-powered document parsing, classification, and data extraction

  • Powering the AI assistant feature for user queries

  • Delivering real-time notifications about platform activity

Security and Access Control:

  • Authenticating users and managing sessions

  • Enforcing role-based access controls and organizational data separation (multi-tenancy)

  • Detecting and preventing unauthorized access, fraud, and abuse

  • Rate-limiting authentication attempts to prevent brute-force attacks

  • Maintaining audit logs in production environments

Service Improvement:

  • Monitoring platform engagement and usage patterns in aggregate to improve features

  • Identifying and resolving bugs, errors, and performance issues

Communication:

  • Sending transactional emails (account invitations, email verification, filing notifications)

  • Responding to support inquiries and feedback

4. Data Sharing & Disclosure

We share your information only in the following circumstances:

4.1 Service Providers

We use trusted third-party service providers to operate the Services. These providers process data on our behalf and are contractually obligated to use it only for the purposes we specify:

Provider

Purpose

Data Shared

Amazon Web Services (AWS)

Document and file storage (S3)

Uploaded documents and file metadata

MongoDB Atlas

Database hosting

All platform data (encrypted at rest)

Render

Application hosting and deployment

Application data in transit and at rest

SendGrid (Twilio)

Transactional email delivery

Recipient email addresses, email content

OpenAI

AI-powered document parsing and classification

Document text content submitted for AI processing

Anthropic

AI-powered document analysis and assistant

Document text content and user queries submitted for AI processing

PandaDoc

Document generation and electronic signatures

Recipient names, email addresses, and document template data

Google

Address lookup and validation (Places API)

Address queries entered by users

4.2 Legal Obligations

We may disclose your information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests.

4.3 Corporate Transactions

If Corpflow is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

4.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

4.5 No Sale of Personal Data

Corpflow does not sell, rent, or trade your personal information or your organization's data to third parties for advertising, marketing, or any other commercial purpose. This applies to all data collected through the Website, Platform, Chrome Extension, and Word Add-in.

5. Data Security

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.

  • Encryption at rest: Data stored in our database and file storage infrastructure is encrypted at rest.

  • Password security: User passwords are never stored in plain text. They are hashed using bcrypt, an industry-standard adaptive hashing algorithm.

  • Access controls: Role-based access controls enforce organizational data separation (multi-tenancy), ensuring users can only access data belonging to their organization.

  • Time-limited file access: Document downloads use pre-signed URLs that expire after a limited time, preventing unauthorized long-term access to file links.

  • Authentication security: Rate limiting on authentication endpoints prevents brute-force attacks. Account lockout is enforced after repeated failed login attempts.

  • Session management: Sessions expire after a period of inactivity. Refresh tokens are stored in HttpOnly cookies inaccessible to client-side scripts.

  • Infrastructure security: Our hosting providers maintain SOC 2 compliance and implement physical and network security controls.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Services. Specific retention practices include:

  • Account data: Retained for the duration of your account. When an account is deactivated, account data is soft-deleted (marked as inactive) and may be permanently deleted upon request.

  • Entity and corporate data: Retained for as long as your organization maintains an active account or as required by applicable legal or regulatory obligations.

  • Documents and files: Retained until deleted by you or your organization's administrator, or until account termination.

  • Session and activity logs: Retained for security and auditing purposes for a reasonable period.

  • Transactional communications: Retained as necessary for legal compliance and dispute resolution.

Upon account termination or upon your written request, we will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal compliance).

7. International Data Transfers

Corpflow's infrastructure is hosted in the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States and potentially other jurisdictions where our service providers operate.

These jurisdictions may have data protection laws that differ from those in your country. By using the Services, you consent to the transfer and processing of your data in these jurisdictions. We take steps to ensure that your data receives an adequate level of protection wherever it is processed, including through contractual obligations with our service providers.

8. User Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you.

  • Right to Rectification: You may request that we correct inaccurate or incomplete personal data.

  • Right to Deletion: You may request that we delete your personal data, subject to any legal retention requirements.

  • Right to Restrict Processing: You may request that we limit our processing of your personal data in certain circumstances.

  • Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, machine-readable format.

  • Right to Object: You may object to our processing of your personal data in certain circumstances.

  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time.

For California Residents (CCPA/CPRA):

  • You have the right to know what personal information we collect, use, and disclose.

  • You have the right to request deletion of your personal information.

  • You have the right to opt out of the sale of personal information. As stated above, Corpflow does not sell personal information.

  • You have the right to non-discrimination for exercising your privacy rights.

For European Economic Area / UK Residents (GDPR/UK GDPR):

  • We process your personal data on the legal bases of: (a) performance of a contract (to provide the Services), (b) legitimate interests (security, fraud prevention, service improvement), and (c) your consent (where applicable).

  • You may lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

To exercise any of these rights, please contact us at the address provided in Section 12 below. We will respond to your request within the timeframe required by applicable law.

9. Cookies & Tracking Technologies

As described in Section 2.5, we use only essential cookies and browser storage mechanisms required for the Services to function. We do not use cookies for advertising or cross-site tracking.

For a detailed list of the cookies and storage mechanisms we use, please refer to Section 2.5 above.

Because we do not use non-essential tracking cookies, no cookie consent banner is required for the operation of the Platform. If we introduce optional analytics or non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms.

10. Third-Party Services & Integrations

The Services integrate with third-party tools and platforms as described in Section 4.1. These integrations are essential to providing the core functionality of the Platform, including:

  • Cloud infrastructure: Amazon Web Services (AWS) for file storage, MongoDB Atlas for database services, Render for application hosting, and Redis for caching and task processing.

  • AI and document processing: OpenAI and Anthropic APIs for document parsing, classification, extraction, and AI-assisted analysis. When you use AI-powered features, relevant document content is sent to these providers for processing. These providers process data according to their respective privacy policies and data processing agreements.

  • Document generation and e-signatures: PandaDoc for generating documents from templates and facilitating electronic signatures. Recipient information (name and email) and document template data are shared with PandaDoc when you use these features.

  • Email delivery: SendGrid for sending transactional emails such as account invitations, email verifications, and notifications.

  • Address services: Google Places API for address lookup and validation when entering addresses in the Platform.

Each third-party provider operates under its own privacy policy. We encourage you to review the privacy policies of these providers:

11. Chrome Extension — Specific Disclosures

This section provides additional transparency specifically regarding the Corpflow Chrome Extension, as required by the Chrome Web Store Developer Program Policies.

11.1 Data the Extension Accesses

The Corpflow Chrome Extension may access:

  • Document files and metadata when you actively choose to upload a file through the Extension

  • Authentication credentials stored locally in the browser to maintain your session

11.2 Why the Data Is Collected

  • Document files and metadata are accessed solely for the purpose of uploading the file into the Corpflow Platform, where it is stored and managed as part of your organization's corporate records.

  • Authentication credentials are required to securely identify your account and ensure that uploaded documents are associated with the correct user and organization.

11.3 Data Transmission

When you upload a document through the Extension:

  1. The file content and metadata are transmitted over an encrypted HTTPS connection from your browser to Corpflow's servers.

  2. The file is stored securely in our cloud storage infrastructure (AWS S3).

  3. A document record is created in the Platform linked to the relevant entity or folder you specify.

No data is transmitted unless you actively initiate an upload. The Extension does not send data in the background or without your action.

11.4 What the Extension Does Not Do

The Corpflow Chrome Extension does not:

  • Monitor, collect, or transmit your browsing history

  • Access data from websites you visit

  • Read or modify web page content

  • Track your behavior across websites

  • Run in the background when not actively in use

  • Collect data for advertising or marketing purposes

  • Share data with third parties beyond what is described in this policy

11.5 Data Deletion

You may request deletion of any documents uploaded through the Extension by:

  • Deleting the document directly within the Corpflow Platform

  • Contacting us at the address in Section 12 to request data deletion

Uninstalling the Extension removes all locally stored data (authentication tokens and preferences) from your browser.

12. Microsoft Word Add-in — Specific Disclosures

This section provides additional transparency specifically regarding the Corpflow Microsoft Word Add-in, as required by the Microsoft Partner Center and AppSource certification policies.

12.1 Data the Add-in Accesses

The Corpflow Word Add-in accesses:

  • The content of the currently open Word document when you choose to upload it to the Platform

  • The document filename and URL for identification purposes

  • Your authentication session to connect with your Corpflow account

12.2 Why the Data Is Collected

  • Document content is accessed solely to upload the document into the Corpflow Platform for storage, management, and processing as part of your corporate records.

  • Document metadata (filename, URL) is used to properly name and identify the uploaded document within the Platform.

12.3 Data Transmission

When you upload a document through the Word Add-in:

  1. The document content is read from the currently open Word file via the Office.js API.

  2. The content is transmitted over an encrypted HTTPS connection to Corpflow's servers.

  3. The file is stored securely in our cloud storage infrastructure (AWS S3).

  4. A document record is created in the Platform.

No data is transmitted unless you actively initiate the upload. The Add-in does not access other files on your device, other open documents, or any data outside the active document.

12.4 What the Add-in Does Not Do

The Corpflow Word Add-in does not:

  • Access documents other than the one you are actively working on

  • Access files on your device or local storage outside of the open document

  • Run background processes or transmit data without your initiation

  • Collect data for advertising or marketing purposes

  • Share data with third parties beyond what is described in this policy

13. Children's Privacy

The Services are designed for business and professional use and are not intended for individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a child, please contact us at the address in Section 14 below.

14. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:

Corpflow Email: [INSERT PRIVACY CONTACT EMAIL] Address: [INSERT BUSINESS ADDRESS]

For data protection inquiries, please include "Privacy Request" in the subject line to ensure prompt handling.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy

  • Notify you through the Platform or via email for significant changes

  • Where required by law, obtain your consent before applying material changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes become effective constitutes your acceptance of the updated policy.

This Privacy Policy was last updated on [INSERT DATE].