Privacy Policy
Effective date: July 1, 2026 · Stemflow, Inc.
Stemflow (“we”, “us”, or “our”) operates the Stemflow platform at https://stemflow.dev. This Privacy Policy explains what personal data we collect, why we collect it, and what rights you have over it.
1. Data we collect
Account data: name, email address, hashed password, and email verification timestamp when you create an account.
Organization data: organization name, slug, legal name, and postal address you provide in settings.
Billing data: your subscription plan and Stripe customer/subscription IDs. Full payment card details are processed and stored exclusively by Stripe — we never see or store raw card numbers.
Campaign audience data: visitor records that you (as a Stemflow customer) collect through your own campaigns. You are the controller of this data; we process it on your behalf as a processor.
Usage data: server logs, IP addresses, user-agent strings, and session activity collected automatically for security and rate-limiting purposes.
Media: files you upload (images, etc.) are stored on Cloudflare R2.
2. How we use your data
We use your personal data to:
- Provide, maintain, and improve the Stemflow platform.
- Send transactional emails (email verification, password reset, team invitations).
- Process payments and manage your subscription via Stripe.
- Enforce rate limits and protect against abuse.
- Respond to support requests.
- Comply with legal obligations.
We do not sell your personal data or use it for targeted advertising.
3. Third-party processors
We share data with the following sub-processors to operate the service. Each is bound by appropriate data processing agreements.
| Processor | Purpose | Location |
|---|---|---|
| Neon (Neon Inc.) | PostgreSQL database hosting | US |
| Vercel | Application hosting, CDN, analytics (cookieless) | US |
| Stripe | Payment processing and billing | US |
| Resend | Transactional email delivery | US |
| Cloudflare R2 | Media file storage | US / EU |
| Upstash | Redis-based rate limiting | US |
5. Data retention
We retain your account data as long as your account is active. If you delete your account (see below), we permanently delete your personal data within 30 days, except where required to retain it by law (e.g., financial records).
Campaign audience data you collected through your campaigns is deleted when you delete the campaign or your organization.
6. Your rights
Depending on your location, you may have the right to access, correct, export, or delete the personal data we hold about you. Stemflow provides self-service tools for all of these:
- Access & correct — update your name and email in account settings.
- Export — download a JSON copy of your personal data from account settings (Data & Privacy → Export my data).
- Delete account — permanently delete your account and all associated data from account settings (Data & Privacy → Delete account). Your organizations, campaigns, and audience data are cascade-deleted.
- Delete organization — remove a specific organization and all its campaigns from organization settings (Danger Zone → Delete organization).
If you need assistance, contact us at privacy@stemflow.dev.
7. Security
We use industry-standard security practices: encrypted session cookies (iron-session), bcrypt password hashing, CSRF tokens on all mutating requests, rate limiting, and HTTPS-only transport. No system is perfectly secure; if you discover a vulnerability, please report it to support@stemflow.dev.
8. Children
Stemflow is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@stemflow.dev and we will delete it promptly.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the app. Continued use after notice constitutes acceptance of the revised policy.
10. Contact
Stemflow, Inc.
123 Main St, Suite 100, Miami, FL 33101, USA
privacy@stemflow.dev