Privacy Policy
CareFlow (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard information when you use our AI-powered customer service platform (the “Service”), including our web application, voice assistants, messaging integrations, and related tools.
By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service. Questions or concerns? Contact us at privacy@trycareflow.com.
1. What Information Do We Collect?
1.1 Information You Provide
Account & Profile
We collect information you provide when registering or managing your account, including your name, email address, phone number, username, and preferences such as language, timezone, and notification settings.
Business Information
We collect details about your business, including your business name, website, phone number, and email domain, which you provide to set up and configure the Service.
AI Assistant Configuration
To operate your AI assistants, we collect the configuration data you provide: assistant instructions, tone and personality settings, active hours, escalation rules, and knowledge base documents you upload.
Workflow & Integration Settings
We collect the workflow definitions and integration credentials you configure when connecting third-party services to the platform.
Billing Information
Payment processing is handled by Stripe, our third-party payment processor. We store only the identifiers necessary to manage your subscription. We do not store your full payment card details. You may find Stripe's privacy policy at https://stripe.com/privacy.
Social Login Data
If you register or log in using a third-party social media account (such as Google or Facebook), we receive certain profile information from that provider — typically your name, email address, and profile picture. We use this information only to create and manage your account.
1.2 Information Collected Automatically
Conversation Data
When your AI assistants interact with end customers, we collect conversation transcripts, message content, call metadata (such as duration and timestamps), call recordings where applicable, and the phone numbers or identifiers of participants.
Device & Session Data
We automatically collect technical information including your IP address, browser type, device identifiers, operating system, language preferences, and session timestamps to support authentication and platform security.
Usage & Performance Data
We collect aggregated data on how the Service is used, including call and message counts, response performance, workflow outcomes, and billing usage metrics.
Cookies & Browser Storage
We use a small number of strictly necessary cookies and browser storage mechanisms to maintain your login session and support platform security. We do not use advertising or third-party tracking cookies. See Section 5 for more detail.
1.3 Information From Third-Party Integrations
When you connect third-party services (such as Google, HubSpot, WhatsApp, or Slack) to your account, we receive only the data covered by the permissions you grant at the time of connection. You can review and revoke these permissions at any time through your account settings.
2. How Do We Use Your Information?
We use the information we collect to:
- Provide and operate the Service — authenticate your account, run AI voice and messaging assistants, execute workflows, and deliver notifications
- Process AI interactions — convert speech to text, generate AI responses via language models, and synthesise speech for voice assistants
- Support third-party integrations — relay data to and from services you have connected (e.g., updating CRM records, sending messages via WhatsApp)
- Analyse and improve performance — generate usage metrics, monitor service health, and calculate billing
- Communicate with you — send account-related emails, in-app alerts, and billing or usage notifications based on your preferences
- Ensure security and compliance — maintain audit logs, enforce access controls, prevent abuse, and support multi-factor authentication
- Fulfil legal obligations — comply with applicable laws, regulations, and lawful requests from authorities
We do not use your data to serve you third-party advertising, and we do not sell your personal information.
3. What Legal Bases Do We Rely On?
For users in the EEA and UK (GDPR / UK GDPR)
We process your personal data on the following legal bases:
- Contract performance — to deliver the Service you have subscribed to
- Legitimate interests — to operate, secure, and improve the platform, where those interests are not overridden by your rights
- Legal obligation — to comply with applicable laws and regulations
- Consent — where you have given explicit consent, such as for optional communications. You may withdraw consent at any time by contacting us.
For users in Canada
We process your information where you have given express or implied consent, or where applicable law otherwise permits processing (for example, fraud detection, legal compliance, or business transactions).
4. When and With Whom Do We Share Your Information?
We do not sell your personal data. We share information only as described below.
4.1 Service Providers
We share data with third-party providers who help us deliver the Service, including providers for voice and telephony infrastructure, speech recognition, AI language model inference, text-to-speech, file storage, email delivery, and payment processing. These providers are contractually required to process data only on our behalf and in accordance with this policy.
4.2 Integration Providers (At Your Direction)
When you connect a third-party integration, data is shared with that provider as necessary to fulfil your configured workflows. You control which integrations are active.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
4.4 Legal & Compliance
We may disclose information where required by law, court order, or governmental authority, or to protect our rights, users, or the public from harm.
5. Do We Use Cookies?
We use strictly necessary cookies and browser storage mechanisms to maintain your login session and support platform security. We do not use advertising cookies or third-party tracking technologies for marketing purposes.
You can set your browser to refuse cookies, but doing so may affect the functionality of the Service. For more information, see our Cookie Policy at http://www.trycareflow.com/cookies.
Global Privacy Control: We recognise and honour GPC signals. If your browser sends a GPC opt-out signal, we will treat it as a valid request to opt out of any sale or sharing of your personal information under applicable privacy laws.
6. AI-Powered Products
As part of our Service, we offer features powered by artificial intelligence, machine learning, and related technologies (“AI Products”), including voice assistants, messaging bots, and automated workflows.
AI Service Providers
We deliver AI capabilities through the following third-party AI service providers, among others: OpenAI, Groq, OpenRouter, Deepgram, Cartesia, ElevenLabs, Vapi.ai, and Mixedbread. Your input, output, and relevant personal information may be processed by these providers to enable the AI Products. You must not use the AI Products in any way that violates the terms or policies of any AI service provider.
What This Means for Your Data
Conversation content — including voice recordings and transcripts — may be processed by the AI service providers listed above solely to generate responses and improve the quality of the Service. We have data processing agreements in place with each provider.
7. Social Logins
If you register or log in using a third-party social media account, we receive certain profile information from that provider (typically name, email, and profile picture). We use this only to create and manage your CareFlow account. We are not responsible for how the third-party provider collects or uses your information, and we encourage you to review their privacy policies.
8. End Customer Data
CareFlow is a B2B platform. When your AI assistants interact with your customers (“end customers”), you are the data controller for personal data collected from those individuals, and CareFlow acts as a data processor on your behalf.
You are responsible for:
- Ensuring your end customers are informed they are interacting with an automated AI system
- Obtaining any necessary consents from end customers under applicable law
- Ensuring your use of the Service complies with applicable privacy laws in the jurisdictions where your end customers are located
Our processing of end customer data is governed by the data processing terms agreed between us. Enterprise customers may request a separate Data Processing Agreement (DPA) by contacting privacy@trycareflow.com.
9. Data Retention
We retain your data for as long as your account is active and for a reasonable period thereafter to meet legal, audit, and compliance obligations. Specific practices:
- Account and configuration data — retained for the life of your account, and up to 36 months after deletion for legal and audit purposes
- Conversation transcripts and recordings — retained for the life of your account for analytics, debugging, and billing verification
- Audit logs — retained for up to 36 months for security and compliance purposes
- Temporary authentication data (session tokens, OTP codes, password reset tokens) — deleted automatically on expiry, typically within minutes to days
You may request deletion of your account and associated data at any time. We will process deletion requests within 30 days, subject to legal retention requirements.
10. Children's Privacy
We do not knowingly collect, solicit, or process personal information from individuals under 18 years of age. By using the Service, you represent that you are at least 18 years old. If we learn that we have collected information from a minor, we will deactivate the account and delete the data promptly. To report a concern, contact us at privacy@trycareflow.com.
11. International Data Transfers
We operate globally, and your information may be transferred to and processed in countries outside your country of residence, including the United States. Where required, we rely on appropriate safeguards — such as Standard Contractual Clauses approved by the European Commission — to ensure your data receives adequate protection in accordance with applicable law.
12. Data Security
We implement industry-standard technical and organisational measures to protect your information from unauthorised access, disclosure, alteration, or destruction, including encryption of data in transit and at rest, access controls, and regular security monitoring.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@trycareflow.com.
13. Automated Decision-Making
Our Service uses automated processing to generate AI responses, execute workflows, and escalate conversations based on rules you configure. These automated processes operate according to the instructions and conditions you set as the business account holder.
Where a decision produces legal or similarly significant effects on an individual, we will — upon request — explain the main factors involved and provide a means to request human review.
14. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — request that inaccurate or incomplete data be corrected
- Deletion — request erasure of your personal data
- Restriction — request that we limit how we process your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
EEA / UK users:If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection authority or the UK Information Commissioner's Office (ICO).
Swiss users: You may contact the Federal Data Protection and Information Commissioner (FDPIC).
To exercise any of these rights, submit a request to privacy@trycareflow.com or use the data subject access request form at http://www.trycareflow.com/dsar.
15. US Residents — Additional Rights
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights under your state's privacy law.
Categories of Personal Information Collected (Last 12 Months)
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, IP address, phone number, account name | YES |
| B. Personal information (CA Customer Records) | Name, contact information, financial information | YES |
| C. Protected classifications | Gender, age, race, ethnicity | NO |
| D. Commercial information | Transaction history, payment information | YES |
| E. Biometric information | Fingerprints, voiceprints | NO |
| F. Internet / network activity | Browsing history, interaction data | NO |
| G. Geolocation data | Device location | YES (approximate, via IP) |
| H. Audio, electronic, sensory | Call recordings, conversation transcripts | YES |
| I. Professional / employment | Job title, employer | NO |
| J. Education information | Student records | NO |
| K. Inferences | Profiles drawn from collected data | NO |
| L. Sensitive personal info | — | NO |
Your US State Rights
You may have the right to:
- Know whether we are processing your personal data
- Access your personal data
- Correct inaccuracies in your personal data
- Request deletion of your personal data
- Obtain a portable copy of your personal data
- Opt out of the sale of personal data (we do not sell personal data)
- Opt out of targeted advertising (we do not conduct targeted advertising)
- Non-discrimination for exercising your rights
Depending on your state, you may also have the right to:
- Obtain a list of categories or specific third parties to whom we have disclosed personal data (California, Delaware, Maryland, Minnesota, Oregon)
- Review and correct how personal data has been profiled (Connecticut, Minnesota)
- Opt out of the collection of sensitive data via voice or facial recognition features (Florida)
How to Exercise Your Rights
Submit a request to privacy@trycareflow.com or via our data subject access request form. We will verify your identity before processing your request. You may designate an authorised agent to submit requests on your behalf, subject to written verification.
Appeals
If we decline to act on your request, you may appeal by emailing privacy@trycareflow.com. If your appeal is denied, you may contact your state Attorney General.
California “Shine the Light”
California Civil Code § 1798.83 permits California residents to request, once per year and free of charge, a list of third parties to whom we have disclosed personal information for direct marketing purposes in the preceding year. We do not share personal information for third-party direct marketing purposes.
SMS / Text Messaging
No mobile information (including SMS opt-in data and consent) will be shared with third parties or affiliates for marketing or promotional purposes.
16. Do-Not-Track and Global Privacy Control
We do not currently respond to browser Do-Not-Track (DNT) signals, as no uniform standard exists. However, we do recognise and honour Global Privacy Control (GPC) signals. If your browser or extension sends a GPC signal, we will automatically apply your opt-out preference without requiring additional action on your part.
17. Third-Party Subprocessors
The following categories of subprocessors support delivery of the Service:
| Category | Examples | Data Processed |
|---|---|---|
| Voice & telephony | Vapi.ai, Twilio | Call audio, transcripts, phone numbers |
| Speech recognition | Deepgram | Audio streams |
| AI language models | OpenAI, Groq, OpenRouter | Conversation text, system prompts |
| Text-to-speech | Cartesia, ElevenLabs | AI-generated text |
| Knowledge base & embeddings | OpenAI, OpenRouter, Mixedbread | Document text, search queries |
| Messaging | Meta (WhatsApp Cloud API) | Message content, phone numbers |
| Third-party integrations | Google, HubSpot, Slack | Per-user OAuth scope data |
| File storage | Cloudinary | Uploaded knowledge base documents |
| Email delivery | Resend | Email addresses, email content |
| Payment processing | Stripe | Subscription identifiers, amounts |
| Primary database | Cloud Database Infrastructure | Account, configuration, and transactional data |
| Session caching & rate limit | In-Memory Cache Infrastructure | Session tokens, rate limits, temporary OTP keys |
A full and current list of subprocessors is available upon request.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the platform at least 14 days before changes take effect. The “Last Updated” date at the top reflects when this policy was last revised.
19. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint, please contact us at:
Email: privacy@trycareflow.com
Mailing Address:
Careflow AI
MILE 2, OLD SECRETARIAT AREA 1
AMAC, FCT Abuja 900001
Nigeria
If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.