# Privacy Policy

**Effective Date:** 2026-05-14
**Last Updated:** 2026-05-14
**Version:** 1.0

> **DRAFT — not legal advice.** This document was generated from a code scan and is intended for review by a qualified attorney before publication. Sections marked `[LEGAL REVIEW]` require attorney calibration.

## 1. Introduction

ResolutionFlow LLC ("ResolutionFlow," "we," "us," or "our") provides a software-as-a-service platform that helps managed service providers (MSPs) triage, resolve, and document IT support tickets. This Privacy Policy explains how we handle personal information when you visit our website, create an account, or use the ResolutionFlow Services.

**Important — two distinct data categories.** ResolutionFlow processes two distinct categories of data, and they are governed by different documents:

1. **Personal information of our direct users** — for example, the MSP technician or owner who creates a ResolutionFlow account. This Privacy Policy describes how we handle that information.
2. **Customer Data** that flows through the Services on behalf of an MSP customer — for example, ticket data retrieved from a connected ConnectWise PSA instance, file uploads, and the contents of AI sessions. We process Customer Data as a service provider under the [Data Processing Agreement](dpa.md) ("DPA") between ResolutionFlow and the MSP, and the MSP's own privacy notices govern the relationship with the individuals whose data appears in that Customer Data.

If you are an end-client of an MSP and have questions about how the MSP uses ResolutionFlow to handle data about you, please contact the MSP directly. ResolutionFlow does not have a direct relationship with end-clients of our customers.

## 2. Who we are

**Controller:** ResolutionFlow LLC
**Country of operation:** United States
**Contact:** support@resolutionflow.com

We do not publish a physical mailing address on this page.
For service of legal process, written notice, or to receive our address for a contractual purpose, please contact support@resolutionflow.com.

`[LEGAL REVIEW: appoint and disclose a Data Protection Officer if required under GDPR Article 37, and an EU/UK representative under Article 27 because ResolutionFlow has no EEA or UK establishment]`

## 3. Information we collect

### 3.1 Information you provide to us

- **Account information** — your name, email address, and password. We use these to create and authenticate your account and to send transactional messages about the Services. We hash passwords using bcrypt; we never store plaintext passwords.
- **Profile information** — phone number, job title, time zone, avatar image, and (for solo professionals) optional company display name and uploaded logo. Optional; collected to personalize your experience and your ticket outputs.
- **Account / organization information** — the account name, display code, optional team size, optional branding (logo, primary color, company name), and the PSA platform you primarily use. Collected so we can route subscriptions, invites, and integration data correctly.
- **Federated sign-in identifiers** — if you sign in with Google or Microsoft, we receive the provider's subject identifier and the email address the provider returns at the time you link the account, and we store the linkage so we can recognize you on future logins.
- **Integration credentials** — when you connect a ConnectWise PSA instance, you provide your ConnectWise company ID, public key, and private key. We **encrypt these credentials at rest at the application layer using Fernet (AES-128-CBC + HMAC-SHA256), with a key derived from our server secret via HKDF**. We use them only to retrieve and write data on your behalf.
`[LEGAL REVIEW: verify encryption claim if material changes are made to services/psa/encryption.py]`
- **Sales / demo requests** — if you submit our contact or demo form, we collect your name, work email, company, optional team size, and any message you choose to send. We use this to contact you and to follow up on your inquiry.
- **Beta / waitlist signups** — if you sign up for our beta or waitlist, we collect your email and any other information you choose to provide.
- **Support communications** — when you contact us at support@resolutionflow.com, we receive the contents of your message and any information you choose to include.
- **Feedback** — if you submit in-product feedback, beta feedback, surveys, or session ratings, we collect what you submit and link it to your account so we can respond and learn from it.

### 3.2 Information we collect automatically

- **Usage data** — pages and features you interact with, timestamps of actions, AI-feature inputs and outputs you generate. We use this to understand how the Services are used and to bill the right account for AI usage.
- **Device and connection data** — IP address, browser type, operating system, time zone. We collect this for security, fraud prevention, and to deliver content appropriately. IP addresses are captured in our audit logs and (subject to your sampling rate) in error reports.
- **Authentication and security events** — login attempts, OAuth identity linking, password resets, refresh-token rotations, and administrative actions are recorded in our internal audit log. `[LEGAL REVIEW: today these records are retained indefinitely; we recommend implementing a defined retention window (e.g., 12 months) and stating it here]`
- **Product analytics** — when you use the Services, our analytics provider (PostHog) records page views, feature interactions ("autocapture"), and custom events, identified by your user ID and grouped by your account. Web Vitals (page-load performance metrics) are also captured.
- **Error and performance monitoring** — our error-tracking provider (Sentry) records errors, performance traces, and a sampled subset of browser sessions. By default, our backend sends error reports including user identifiers and request metadata. Our frontend captures Session Replay at 1% of normal sessions and 100% of sessions in which an error occurs; replays may capture visible page contents. `[LEGAL REVIEW: this configuration is broader than typical defaults — see implementation-verification.md. Either narrow the configuration (mask text and media, set send_default_pii=False, add scrubbing rules) or expand this disclosure with specific examples of what may be captured]`

### 3.3 Information from third-party services

- **ConnectWise PSA** — when you connect a ConnectWise instance, we retrieve ticket, company, contact, configuration, and note data on your behalf. **This data is Customer Data governed by the DPA, not this Privacy Policy.** ConnectWise is your PSA provider; it is not a ResolutionFlow subprocessor. Your relationship with ConnectWise is governed by your agreement with ConnectWise.
- **Stripe** — when you subscribe, Stripe handles your payment information directly and sends us a customer ID, a subscription ID, billing status, and webhook event metadata. We do not see or store your full payment card number.
- **Google / Microsoft (Sign-in)** — if you choose to sign in via Google or Microsoft, we receive the identifiers described in Section 3.1.

### 3.4 Information we do not collect

We do not knowingly collect:

- Sensitive personal information categories about our direct users in the ordinary course of providing the Services (health data, financial account credentials, biometrics, precise geolocation, government IDs).
If a free-text field (for example, a support message or in-product feedback) contains this kind of information because you typed it, we treat the field as ordinary content; we recommend you avoid placing such information into free-text fields. `[LEGAL REVIEW: this is an honest disclosure of incidental risk]`
- Personal information from individuals under 16 years of age. The Services are designed for IT professionals and are not directed to children.
- Full credit card numbers. Payment information is collected and processed directly by Stripe; we receive only a Stripe customer ID, a subscription ID, and billing status.

## 4. How we use information

We use personal information for the following purposes, each with the indicated legal basis under GDPR / UK GDPR. Under CCPA/CPRA, we use the same information for the same business and commercial purposes.

| Purpose | Information used | Legal basis (GDPR) |
|---|---|---|
| Create and operate your account; deliver the Services | Account, profile, federated identity, integration credentials | Contract performance (Art. 6(1)(b)) |
| Authenticate you and secure the Services | Authentication and security events, device/connection data, audit logs | Legitimate interests (Art. 6(1)(f)) — securing the Services |
| Send transactional messages (invites, password resets, verification, billing receipts, security alerts) | Account, email | Contract performance |
| Process subscription billing | Stripe customer ID, billing metadata | Contract performance |
| Respond to your support, demo, sales, beta, or feedback submissions | The submission itself | Contract performance / legitimate interests (responding to your request) |
| Generate AI-assisted outputs (FlowPilot, chat, resolution notes, escalation packages, embeddings, network diagrams, scripts) | Inputs you submit, Customer Data you authorize | Contract performance (provision of Services) |
| Operate product analytics and Web Vitals via PostHog | User identifier, behavioral events, page paths | Legitimate interests + (in the EU/UK) consent where required for non-essential cookies / local storage `[LEGAL REVIEW: a consent banner is required for EU/UK before PostHog initializes]` |
| Operate error monitoring via Sentry | Error reports, request metadata, sampled Session Replay | Legitimate interests (improving and securing the Services) |
| Aggregate usage to improve the Services | Aggregated, de-identified usage data | Legitimate interests |
| Send marketing emails (if you opt in) | Email, name | Consent (you can withdraw at any time) `[LEGAL REVIEW: confirm whether marketing emails are sent today — if so, ensure opt-in capture is recorded]` |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |

We do not use Customer Data for our own purposes — including model training, advertising, or marketing — except as necessary to provide the Services to the MSP customer that supplied it. AI feature inputs are sent to our AI subprocessor (Anthropic) for the purpose of generating the response; Anthropic does not train its models on these inputs under the API tier we use.
`[LEGAL REVIEW: re-verify Anthropic's no-training-on-API-traffic commitment for the current API tier at each publication]`

## 5. How we share information

We share personal information only as described below. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

### 5.1 Service providers (subprocessors)

We share information with carefully selected third parties who process personal information on our behalf to deliver the Services. The complete and current list is at [/legal/subprocessors](subprocessor-list.md). Today, our subprocessors are:

- **Railway Corp.** (United States) — application and database hosting + S3-compatible object storage for uploaded files
- **Anthropic, PBC** (United States) — large-language-model API for FlowPilot and other AI-assisted features
- **Voyage AI** (United States) — embedding model for similarity search and retrieval-augmented features
- **Stripe, Inc.** (United States) — payment processing
- **Resend** (United States) — transactional and account email delivery
- **Sentry** (United States) — error monitoring, performance traces, and Session Replay
- **PostHog** (United States) — product analytics
- **Google LLC** (Global) — Google Fonts CDN used by our website; receives your IP address as part of loading the fonts `[LEGAL REVIEW: consider self-hosting fonts to remove this disclosure for EU/UK visitors]`

Each subprocessor is bound by a data processing agreement and processes personal information only on our documented instructions.

### 5.2 Business transfers

If ResolutionFlow is involved in a merger, acquisition, financing, or asset sale, personal information may be transferred to the involved parties. We will provide notice through the Services or by email before personal information becomes subject to a materially different privacy policy.
### 5.3 Legal requirements

We may disclose personal information when we believe in good faith that disclosure is required by law, regulation, legal process, or government request, or to protect our rights, our users, or the public.

### 5.4 With your consent

For any sharing not described above, we will obtain your consent.

## 6. Data retention

We retain personal information only as long as needed for the purposes described in this Privacy Policy. The retention picture today is:

| Category | Retention |
|---|---|
| Account information | For the life of your account, plus up to **90 days** of backup retention after account deletion |
| AI flow-builder wizard conversations | **24 hours** (purged hourly) |
| Assistant chat threads | Account-configurable, **default 90 days** OR a maximum of **100 chats** (whichever first); pinned chats are exempt |
| AI chat sessions inactive for 30 days | Auto-archived; not deleted unless you delete them |
| Stripe webhook event records | Retained for idempotency and audit |
| Audit logs, authentication and security events | `[LEGAL REVIEW: today retained indefinitely; implement a 12-month default and update this row to "12 months"]` |
| AI session content, escalation packages, resolution notes, file uploads, and other Customer Data | Retained for the life of the account; deleted on customer request as described in the DPA |
| Marketing-communication opt-outs | Retained indefinitely so we can honor your preference |
| Billing records | As required by tax and accounting law (typically 7 years in the US) |

When you delete your account, we soft-delete your user record, revoke your refresh tokens, and stop your access. **`[LEGAL REVIEW: today, the account row and account-scoped content such as audit logs, session content, file uploads, and AI usage records are not automatically purged on account deletion. Either implement scheduled deletion or rewrite this paragraph to describe the actual behavior and provide a deletion-on-request path with a stated SLA. We recommend the former.]`**

Personal information may persist in routine backups for up to 90 days after deletion. We will not restore deleted information from backups except to recover from a system failure.

## 7. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

- **Right to know / access** — request a copy of the personal information we hold about you
- **Right to correct** — request that we correct inaccurate personal information
- **Right to delete** — request that we delete your personal information
- **Right to portability** — receive your personal information in a structured, machine-readable format
- **Right to restrict or object to processing** — limit how we process your personal information in certain circumstances
- **Right to opt out of sale or sharing for advertising** — we do not sell personal information or share it for cross-context behavioral advertising; if this ever changes, we will offer an opt-out
- **Right to limit use of sensitive personal information** — under CPRA, where applicable
- **Right to withdraw consent** — where processing is based on consent, you may withdraw it at any time without affecting prior processing
- **Right to non-discrimination** for exercising any of these rights
- **Right to appeal** — if we deny a rights request, you may appeal by replying to our response with "Appeal"
- **Right to lodge a complaint with a supervisory authority** — EU/UK residents may contact their national data protection authority (for example, the UK's Information Commissioner's Office)

To exercise these rights, email us at **support@resolutionflow.com** with the subject "Privacy Rights Request." We will respond within 45 days (extendable by an additional 45 days for complex requests) as required by applicable law.
We may request information sufficient to verify your identity before responding. You may designate an authorized agent to make a request on your behalf, subject to identity verification.

We treat Global Privacy Control (GPC) browser signals as an opt-out of sale or sharing of personal information.

## 8. International data transfers

ResolutionFlow LLC is based in the United States, and our infrastructure is hosted in the United States. When you use the Services, your personal information will be transferred to and processed in the United States, which may have different data protection laws than your home country.

For transfers of personal information from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:

- The **Standard Contractual Clauses** approved by the European Commission in Decision 2021/914 (Module 2 or Module 3, as applicable to the parties' roles)
- The **UK Addendum** to the EU Standard Contractual Clauses for UK transfers
- Equivalent safeguards required by Swiss law for Swiss transfers

`[LEGAL REVIEW: consider EU-US Data Privacy Framework certification when ResolutionFlow LLC qualifies; until then SCCs are the baseline transfer mechanism. Designate an Art. 27 EU/UK representative if required.]`

## 9. Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction.
These include:

- **Encryption in transit** using TLS for all production traffic
- **Encryption at rest** — Railway-managed Postgres and Object Storage are encrypted at rest at the infrastructure layer, and we additionally apply **application-layer Fernet encryption to stored PSA integration credentials** (the keys we hold on your behalf to talk to ConnectWise) `[LEGAL REVIEW: verify Railway's encryption-at-rest attestation]`
- **Password hashing** using bcrypt with 12 rounds; we never store plaintext passwords
- **Authentication tokens** delivered as bearer tokens to your browser; we store hashes (not the tokens themselves) on the server
- **Role-based access control** at the application layer (super_admin / owner / admin / engineer / viewer), and PostgreSQL row-level security for tenant isolation between accounts
- **Audit logging** of administrative actions
- **Periodic security review** of subprocessors
- **OAuth-based sign-in** options via Google and Microsoft

We do not currently require multi-factor authentication. `[LEGAL REVIEW: consider whether to disclose MFA explicitly once available, or to require MFA for admin/owner roles]`

We deliberately store our short-lived access and refresh tokens in your browser's `localStorage` rather than in HTTP-only cookies. This choice carries a known trade-off: tokens in `localStorage` are accessible to any JavaScript running on the page, so a successful cross-site-scripting (XSS) attack against the Services could expose them. We mitigate this risk with content-security headers, short access-token lifetimes, idle and absolute session limits, and bulk token revocation on password change. `[LEGAL REVIEW: this is an honest disclosure; calibrate as needed]`

No security measure is perfect. If we become aware of a personal data breach affecting your information, we will notify you and supervisory authorities as required by applicable law.

## 10. Cookies and similar technologies

We use cookies and similar technologies on the Services. See the [Cookie Policy](cookie-policy.md) for the full list. In short: we use authentication tokens stored in your browser to keep you signed in; we store a small number of UI preferences in your browser's local storage; and our product analytics provider (PostHog) sets one cookie alongside its `localStorage` data when you use authenticated parts of the Services. We do not use advertising cookies or cross-context behavioral advertising trackers.

## 11. Children's privacy

The Services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us at support@resolutionflow.com and we will delete it.

## 12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of changes by posting the updated Privacy Policy with a new "Last Updated" date. For material changes affecting how we use your personal information, we will provide notice through the Services or by email at least **30 days** before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.

## 13. Contact us

For privacy questions or to exercise your rights, contact us at **support@resolutionflow.com**.

For California residents:

- See Section 7 for your CCPA/CPRA rights.
- You may designate an authorized agent.
- We do not sell or share personal information for cross-context behavioral advertising.

For EU / UK residents:

- You have the right to lodge a complaint with your national data protection authority.
- `[LEGAL REVIEW: name the Art. 27 EU and UK representatives once appointed]`