Privacy Policy for MFlow AI

1. Introduction

Welcome to MFlow AI ("Service", "we", "us", "our"). We value your privacy and are committed to protecting your personal data. This Privacy Policy ("Policy") explains what information we collect, how we use, share, and protect it in connection with your use of our Service, which is an AI-powered project management platform.

By using our Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use our Service.

2. Information We Collect

We collect various types of information to provide and improve our Service:

2.1. User-Provided Information:

• Registration Data: Name, email address, company name (if applicable), password, and other information you provide when creating an account. If you register using Google Sign-In, we collect information as described in Section 3.
• Project Data: Information you input into the Service for project management, including project names, tasks, descriptions, deadlines, statuses, assigned users, comments, uploaded files, and other project-related data.
• Communication Data: Information exchanged through the Service's communication features (if any), and information provided when contacting customer support.
• Payment Information: If you use paid features, our payment processors (not us directly) may collect payment information (e.g., credit card details) necessary to process payments.

2.2. Automatically Collected Information:

• Usage Data: Information about how you interact with the Service, including pages visited, features used, time spent on the platform, clicks, IP address, browser type, operating system, device type, device identifiers, and general location data.
• Cookies and Similar Technologies: We use cookies and other tracking technologies to collect information about your activity on the Service, enhance user experience, and analyze usage. See Section 12 for more details.

2.3. Information Processed by AI:

• Our artificial intelligence algorithms process your Project Data and Usage Data to provide core Service features, such as deadline predictions, task allocation suggestions, risk identification, task automation, and user experience personalization.
• We may use anonymized and aggregated data derived from your usage to train and improve our AI models, but without disclosing your specific confidential project data to other users or third parties in identifiable form.
• [Optional - If applicable, be specific]: Some AI processing may involve sending data to third-party AI service providers (e.g., OpenAI, Google AI) under strict confidentiality agreements that align with our privacy commitments. See Section 6 for details on data sharing.

3. Use of Google User Data

If you choose to connect your Google account to MFlow AI (e.g., via Google Sign-In or other integrations), we may access certain Google user data.

• Data Accessed: We access your basic Google profile information (name, email address, profile picture) primarily for authentication, account creation, and identification within the Service. In addition, depending on the features you use for automation processes, we request access to the following Google data scopes:
  • https://www.googleapis.com/auth/calendar and https://www.googleapis.com/auth/calendar.readonly (Calendar Access): Allows MFlow AI to read your calendar events (to help schedule tasks or avoid conflicts). With write permission (/auth/calendar), it also allows creating or modifying events linked to project tasks, deadlines, or meetings directly from MFlow AI, integrating your project schedule with your Google Calendar.
  • https://www.googleapis.com/auth/gmail.modify and https://www.googleapis.com/auth/gmail.readonly (Gmail Access): Allows MFlow AI to read your emails and attachments to find project-related communications, help create tasks from email content, or link emails to projects or automatically mark emails. The modify permission (/auth/gmail.modify) also allows organizing related emails (e.g., applying labels) or changing their status (e.g., mark as read) as part of automated workflows integrated within MFlow AI.
  • https://www.googleapis.com/auth/gmail.compose (Gmail Compose Access): Allows MFlow AI to draft and send emails (like project updates or notifications) directly from within the application *on your behalf*.
• Purpose of Use: Google user data is used solely to provide and improve the user-facing features of MFlow AI, such as facilitating login, associating your Google identity with your MFlow AI account, and enabling the specific automation integrations you authorize (like calendar synchronization or email-based task management).
• Compliance with Google Policies: MFlow AI's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
• No Advertising Use: We do not use Google user data for serving advertisements.
• Limited Transfer: We do not transfer Google user data to others except when necessary to provide or improve the Service's features, comply with applicable laws, or as part of a merger, acquisition, or sale of assets (with user consent where required). See Section 6 for general data sharing details.
• Limited Human Access: We do not allow humans to read your Google user data unless: (a) we have your affirmative agreement for specific messages/data; (b) it is necessary for security purposes (e.g., investigating abuse); (c) it is necessary to comply with applicable law; or (d) the data has been aggregated and anonymized for internal operations (e.g., reporting).

4. How We Use Your Information

Beyond the specific uses of Google data outlined above, we use the collected information generally for the following purposes:

• Providing and Maintaining the Service: Creating and managing your account, processing your project data with AI to deliver project management features, processing payments, providing technical support, and authenticating users (including via Google Sign-In).
• Improving and Developing the Service: Analyzing Service usage to identify trends, enhance functionality, develop new features, and train/improve our AI models (primarily using anonymized/aggregated data).
• Communication: Sending you essential service notifications, updates, security alerts, and support messages. We may also send marketing materials, but you will have the option to opt-out.
• Security and Fraud Prevention: Protecting the Service, our systems, and our users from unauthorized access, fraud, abuse, and other illegal activities.
• Legal Compliance: Fulfilling legal obligations, responding to valid legal requests (e.g., court orders, subpoenas), and enforcing our terms and policies.

5. Legal Basis for Processing (for EU/EEA Users)

If you are in the European Economic Area (EEA), our legal basis for collecting and using the personal data described above depends on the data and the specific context:

• Consent: Where you have given us explicit consent (e.g., for marketing emails, connecting your Google account).
• Contract: Processing is necessary to perform our contract with you (i.e., providing the Service as described in our Terms of Service).
• Legitimate Interests: Processing is necessary for our legitimate interests (e.g., improving the Service, security, fraud prevention), provided these interests are not overridden by your data protection rights.
• Legal Obligations: Processing is necessary to comply with our legal obligations.

6. Data Sharing and Disclosure

We do not sell your personal data, including any Google user data. We share your information only in the following limited circumstances:

• Service Providers: We engage third-party companies and individuals ("Service Providers") to perform services on our behalf (e.g., cloud hosting like AWS/GCP, payment processing, analytics, customer support, AI technology providers). These Service Providers have access to your data only to perform these tasks and are obligated contractually not to disclose or use it for other purposes. Their processing of Google user data must also comply with the Google API Services User Data Policy.
• Legal Requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect safety, rights, or property, or to investigate fraud.
• Business Transfers: If MFlow AI is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal data, as well as any choices you may have. Any acquiring entity will be required to adhere to the commitments made in this Policy (or provide notice of changes).
• Aggregated or Anonymized Data: We may share aggregated or anonymized data (which cannot reasonably identify you) for research, analysis, or reporting purposes.
• With Your Consent: We may share your information with third parties when we have your explicit consent to do so (e.g., if you authorize a third-party application to access your MFlow AI account).

7. Data Security

We implement reasonable technical and organizational security measures designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These include, but are not limited to:

• Encryption of data in transit (using TLS/SSL) and at rest.
• Strict access controls and authentication mechanisms.
• Regular security assessments and vulnerability scanning.
• Pseudonymization or anonymization where appropriate.
• Secure software development practices.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you the Service. We will also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Project data is retained until you delete the project or your account, subject to your subscription plan terms. Usage data may be retained for analytical purposes for a longer period, typically in an aggregated or anonymized form.

Google user data associated with your account is deleted upon your request, when you disconnect your Google account from our Service, or when you delete your MFlow AI account entirely.

9. Your Rights & Data Deletion

Depending on your jurisdiction (e.g., GDPR, CCPA), you may have rights regarding your personal data:

• Access: Request a copy of your data.
• Rectification: Request correction of inaccurate data.
• Erasure ('Deletion'): Request deletion of your data.
• Restriction: Request restriction of processing.
• Portability: Request your data in a machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Withdraw consent where processing relies on it.

You can typically manage your account information and some project data directly within the Service settings. To exercise your rights, including requesting data deletion, please contact us at support@m-flow.io. We will respond to your request within a reasonable timeframe and in accordance with applicable laws. We may need to verify your identity before processing your request. Deleting your account will result in the deletion of your personal data and project data according to our retention policies (Section 8).

10. Children's Privacy

Our Service is not directed to individuals under the age of 13 (or a higher age threshold depending on the jurisdiction, such as 16 in the EEA). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child without parental consent, we will take steps to delete such information. If you believe a child has provided us with personal data, please contact us at support@m-flow.io.

11. International Data Transfers

Your information, including personal data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. Our primary data processing occurs in Ukraine. If you are located outside this jurisdiction, please be aware that we transfer data there. We take appropriate safeguards to ensure your data is treated securely and in accordance with this Policy, such as using Standard Contractual Clauses for transfers from the EEA/UK/Switzerland where applicable.

12. Cookies and Similar Technologies

We use cookies (small text files placed on your device) and similar technologies (e.g., web beacons, pixels) to:

• Enable essential Service functions (e.g., session management, authentication).
• Remember your preferences and settings.
• Analyze Service usage, performance, and user interaction.
• Ensure security and prevent fraud.

You can typically manage cookies through your browser settings. However, disabling essential cookies may impair the functionality of the Service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any material changes by posting the new Policy on this page and updating the "Effective Date" at the top. We may also notify you via email or through the Service. You are advised to review this Policy periodically. Changes are effective when posted on this page.