Privacy Policy
1. Introduction
Welcome to Diaflow ("we," "us," "our"). Diaflow is an AI-native workflow automation platform operated by Diaflow Pte. Ltd. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at https://diaflow.io, use our platform at https://platform.diaflow.app, our APIs, AI agents, integrations, or any related services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Services.
2. Information We Collect
2.1 Information You Provide
We may collect the following personal data that you voluntarily provide:
Identity Data: first name, last name, username, or similar identifier.
Contact Data: email address, phone number, billing address, and business address.
Account Data: login credentials (hashed and encrypted), account preferences, and profile information.
Financial Data: payment card details, billing information, and transaction records (processed via third-party payment processors).
User Content: workflow configurations, prompts, templates, agent configurations, and any data you submit through the platform.
Communication Data: messages, feedback, support tickets, and correspondence with our team.
2.2 Information Collected Automatically
When you access our Services, we automatically collect certain data:
Technical Data: IP address, browser type and version, time zone setting, operating system, device identifiers, and platform information.
Usage Data: pages visited, features used, workflow execution logs, click patterns, session duration, referring URLs, and interaction data.
AI Interaction Data: prompts submitted to AI agents, model outputs, execution metadata, and performance metrics related to workflow automations.
Cookies and Tracking Technologies: we use cookies, web beacons, pixels, and similar technologies to collect analytics data and improve user experience.
2.3 Information from Third Parties
We may receive data from third-party sources, including:
Authentication providers (e.g., Google, GitHub) when you use single sign-on (SSO).
Third-party integrations that you connect to your Diaflow workflows.
Business partners, resellers, and marketplace platforms (e.g., AppSumo).
Publicly available sources and data enrichment services.
3. How We Use Your Information
We use your personal data for the following purposes:
Service Delivery: to create and manage your account, provide and maintain our Services, execute workflows, and process transactions.
AI Processing: to operate AI agents, process prompts, execute automations, and deliver intelligent workflow outputs on your behalf.
Product Improvement: to analyze usage patterns, improve platform features, develop new capabilities, and optimize AI model performance.
Communication: to send account notifications, service updates, security alerts, technical notices, and respond to your inquiries.
Marketing: to send promotional communications (with your consent where required), personalize content, and measure campaign effectiveness.
Security and Fraud Prevention: to detect and prevent unauthorized access, abuse, and fraudulent activity.
Legal Compliance: to comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
Credit and Usage Tracking: to manage platform credits, monitor resource consumption, enforce usage limits, and process billing.
4. AI-Specific Data Practices
As an AI-native platform, Diaflow processes data through large language models (LLMs) and autonomous AI agents. The following practices apply:
Prompt Data: prompts and inputs you provide to AI agents are processed to generate outputs. We do not use your proprietary prompts to train our models without your explicit consent.
Workflow Execution Data: data processed during workflow executions is handled according to the data handling settings of your workspace and subscription tier.
Third-Party AI Providers: Diaflow may route AI processing through third-party LLM providers (e.g., OpenAI, Anthropic, Google). Data sent to these providers is subject to their respective privacy policies and data processing agreements.
Data Retention for AI: AI interaction data is retained only as long as necessary to provide the Services and may be anonymized for aggregate analytics.
5. Sharing and Disclosure of Information
We do not sell your personal data. We may share your information in the following circumstances:
Service Providers: with trusted third-party vendors who perform services on our behalf, including cloud hosting, payment processing, analytics, email delivery, and customer support.
AI Model Providers: with third-party AI/LLM providers to process your workflow requests, subject to data processing agreements.
Integration Partners: when you connect third-party services to your workflows, data is shared as necessary to execute those integrations.
Business Transfers: in connection with any merger, acquisition, reorganization, asset sale, or financing, your data may be transferred as a business asset.
Legal Requirements: when required by law, regulation, court order, or governmental authority, or when necessary to protect our rights, safety, or property.
With Your Consent: in any other circumstances where you provide explicit consent.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:
Account data: retained for the duration of your account and for a reasonable period thereafter for legal and audit purposes.
Workflow execution data: retained according to your subscription tier settings and workspace configuration.
Financial records: retained as required by applicable tax and accounting regulations.
AI interaction logs: retained for up to 90 days for service quality and debugging, unless you configure a shorter period.
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
7. Data Security
We implement industry-standard technical and organizational measures to protect your personal data, including:
Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Regular security assessments, penetration testing, and vulnerability scanning.
Role-based access controls and principle of least privilege.
Secure development practices and code review processes.
Incident response and breach notification procedures.
For more information, you can learn more at: https://compliance.diaflow.io/general/security-practices
While we strive to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.
8. International Data Transfers
Diaflow is headquartered in Singapore and operates globally with presence in the United States, European Union, and Vietnam. Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards for international transfers through:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Data processing agreements with all sub-processors.
Compliance with applicable data transfer frameworks and regulations.
9. Your Privacy Rights
9.1 General Rights
Depending on your jurisdiction, you may have the following rights:
Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure: request deletion of your personal data, subject to legal retention requirements.
Restriction: request that we limit how we process your data.
Portability: request your data in a structured, machine-readable format.
Objection: object to processing based on legitimate interests or for direct marketing.
Withdraw Consent: where processing is based on consent, you may withdraw it at any time.
9.2 European Economic Area and United Kingdom
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, including the right to lodge a complaint with your local supervisory authority.
9.3 California Residents
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale or sharing of personal information. We do not sell personal information.
9.4 Exercising Your Rights
To exercise any of your privacy rights, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law (typically 30 days).
10. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
Essential Cookies: required for core platform functionality, authentication, and security.
Analytics Cookies: help us understand how users interact with our Services to improve performance and features.
Marketing Cookies: used to deliver relevant advertisements and measure campaign effectiveness.
You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling certain cookies may affect platform functionality.
11. Children’s Privacy
Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us immediately.
12. Third-Party Links and Integrations
Our Services may contain links to or integrations with third-party websites, applications, and services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service before providing your data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by:
Posting the updated policy on our website with a revised effective date.
Sending an email notification to registered users for significant changes.
Displaying an in-platform notification upon your next login.
Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.
14. Google API Data Practices
This section specifically governs how Diaflow accesses, uses, stores, and protects data obtained through Google APIs and Google user accounts, in accordance with Google’s API Services User Data Policy.
14.1 Data Accessed
When you connect your Google account to Diaflow, our application may access the following types of Google user data, depending on the integrations and workflows you configure:
Google Account Profile: name, email address, and profile picture (via Google OAuth/SSO).
Gmail Data: email messages, metadata, labels, and drafts (only when you explicitly enable Gmail integration in a workflow).
Google Calendar: calendar events, attendees, and scheduling information (only when you explicitly enable Google Calendar integration in a workflow).
Google Drive: files, folders, documents, and spreadsheets (only when you explicitly enable Google Drive integration in a workflow).
Google Sheets & Docs: spreadsheet and document content for reading and writing (only when you explicitly enable these integrations in a workflow).
We request only the minimum scopes necessary to perform the functions you have enabled. You may review and revoke granted permissions at any time via your Google Account settings at myaccount.google.com.
14.2 Data Usage
Google user data accessed through our integrations is used exclusively to provide the specific workflow automation functionality you have requested. In particular:
Google data is processed solely to execute the automations and AI workflows you configure within Diaflow.
We do not use Google user data to train AI or machine learning models, develop new products or features, target advertising, or for any purpose unrelated to the specific service you requested.
Google data is not read, analyzed, or used by humans except as needed to provide or improve user-facing features or as required by law, and only with your explicit permission.
Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
14.3 Data Sharing
We do not sell, rent, or share Google user data with third parties for advertising, marketing, or any other commercial purpose. Google user data may be shared only in the following limited circumstances:
Infrastructure & Hosting Providers: data may be processed by our cloud infrastructure providers (e.g., AWS) strictly to operate and deliver our Services, under data processing agreements that prohibit independent use of your data.
AI Model Providers: where you have configured an AI workflow that processes Google data, that data may be passed to third-party LLM providers (e.g., OpenAI, Anthropic, Google) solely to execute your requested automation. These providers are bound by their own privacy policies and data processing agreements.
Legal Requirements: when required by applicable law, court order, or governmental authority.
In all cases, third parties receiving Google user data are contractually prohibited from using that data for purposes other than providing services to Diaflow.
14.4 Data Storage & Protection
Google user data is protected using industry-standard security measures consistent with our overall data security practices described in Section 7, and additionally:
Encryption: all Google user data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest using AES-256.
OAuth Token Security: OAuth tokens used to access Google APIs are stored securely with encryption and are never exposed in logs or to unauthorized personnel.
Access Controls: access to Google user data is restricted to authorized personnel and systems on a need-to-know basis, enforced through role-based access controls.
Security Audits: we conduct regular security assessments and vulnerability scanning to protect all user data, including Google user data. Diaflow maintains SOC 2 Type 2 certification.
14.5 Data Retention & Deletion
Google user data is retained only for as long as necessary to provide the service you have requested and as described below:
Workflow Execution Data: Google user data processed during workflow executions is retained for up to 90 days in execution logs, after which it is automatically deleted or anonymized.
OAuth Tokens: OAuth access tokens and refresh tokens are deleted immediately upon disconnecting your Google account from Diaflow or upon account deletion.
Account Deletion: upon deleting your Diaflow account, all Google user data associated with your account will be permanently deleted within 30 days.
To request deletion of your Google user data at any time, you may: (1) disconnect your Google account within your Diaflow workspace settings or (2) delete your Diaflow account entirely.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Diaflow Pte. Ltd.
114 Lavender Street, #11-83, CT-Hub 2, Singapore (338729)
Email: [email protected]
Website: https://diaflow.io
For data protection inquiries specific to the European Union, you may also contact our EU representative through the contact details above.
Last updated