Privacy Policy

Last updated: May 26, 2025

CycleFlow ("we", "us", or "our") operates cycleflow.io. This policy explains what data we collect, why we collect it, and how we handle it. By using CycleFlow you agree to these practices.

1. Information we collect

Account data. When you sign up we collect your email address and, if you choose, your name. Passwords are hashed and never stored in plain text.

Project data. Changelog entries, project settings, and any content you create are stored on our servers so we can serve them to you and your users.

Usage data. We log read counts on changelog entries (the analytics feature) and basic server-side request logs (IP address, user-agent, timestamp) for security and debugging purposes.

Payment data. Billing is handled by Stripe. We never see or store your full card number. Stripe's privacy policy governs their data handling.

Subscriber emails. If you use the email subscriber feature, your readers' email addresses are stored on our servers and used solely to send notifications on your behalf when you publish an entry.

2. How we use your information

  • Provide, maintain, and improve the service
  • Send transactional emails (account confirmation, password reset, billing receipts)
  • Send product update emails for your changelog subscribers
  • Detect and prevent abuse or unauthorized access
  • Comply with legal obligations

We do not sell your data or your subscribers' data to third parties. We do not use your data for advertising.

3. Data sharing

We share data only with the following categories of sub-processors, each bound by data processing agreements:

  • Supabase — database and authentication hosting
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Vercel — application hosting and edge infrastructure

We may disclose data if required by law or to protect the rights and safety of CycleFlow and its users.

4. Data retention

We retain your account data and project data for as long as your account is active. If you delete your account, we delete your personal data and project data within 30 days, except where we are required to retain it for legal or financial compliance.

Subscriber emails are deleted immediately when a subscriber unsubscribes or when you delete the project they belong to.

5. Cookies and tracking

We use a single session cookie to keep you logged in. We do not use third-party advertising trackers or analytics pixels. Read analytics (entry view counts) are aggregated server-side without storing visitor identifiers.

6. Your rights

Depending on your jurisdiction you may have the right to access, correct, or delete your personal data. To exercise any of these rights, email privacy@cycleflow.io. We will respond within 30 days (or the shorter period required by applicable law).

7. GDPR — EEA & UK residents

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) applies to your data. Our legal bases for processing are:

  • Contract — processing necessary to provide the service you signed up for (account management, publishing changelogs, sending subscriber notifications)
  • Legitimate interests — security logging and abuse prevention, where our interests do not override your rights
  • Legal obligation — retaining billing records as required by law

You have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing based on legitimate interests. You may also lodge a complaint with your national data protection authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany). Our sub-processors listed in section 3 are covered by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms for any data transferred outside the EEA/UK.

8. CCPA — California residents

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you additional rights:

  • Right to know — the categories and specific pieces of personal information we collect about you
  • Right to delete — request deletion of personal information we hold, subject to legal exceptions
  • Right to correct — request correction of inaccurate personal information
  • Right to opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising
  • Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the service
  • Right to non-discrimination — exercising your rights will not result in denial of service or different pricing

To submit a verifiable consumer request, email privacy@cycleflow.io. We will respond within 45 days.

9. LGPD — Brazilian residents

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies. Our legal bases for processing are contract performance and legitimate interests, as described above. You have the right to confirm whether we process your data, access it, correct incomplete or inaccurate data, anonymize or delete unnecessary data, request portability, and revoke consent where processing is consent-based. To exercise these rights, contact privacy@cycleflow.io. You may also contact Brazil's national data protection authority (ANPD).

10. KVKK — Turkish residents

If you are located in Turkey, the Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) applies. We process personal data based on the necessity of processing for the performance of a contract and our legitimate interests. You have the right to learn whether your personal data is processed, request information about it, learn the purpose of processing and whether data is used in accordance with its purpose, know the domestic or foreign third parties to whom data is transferred, request correction of incomplete or inaccurate data, and request deletion or destruction. To exercise these rights, email privacy@cycleflow.io. You may also apply to Turkey's Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, KVKK).

11. Security

We use industry-standard measures including TLS in transit and encrypted storage at rest. No method of transmission over the internet is 100% secure, but we take reasonable steps to protect your data.

12. Children

CycleFlow is not directed at children under 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

13. Changes to this policy

We may update this policy from time to time. We will notify registered users by email of material changes. The "last updated" date at the top of this page reflects the most recent revision.

14. Contact

Questions about this policy? Email us at privacy@cycleflow.io.