Legal

Privacy Policy

Effective date: March 1, 2026  ·  Last updated: March 1, 2026

Summary: Maxflow collects information to deliver AI-powered marketing automation. We do not sell your personal data. We use third-party AI providers (including Google Gemini) to generate content on your behalf. You can request deletion of your data at any time.

01 Information We Collect

Account & Registration Data

When you sign up, we collect your name, email address, business name, website URL, and billing information. This is necessary to create and maintain your account.

Business & Lead Data

Maxflow is a CRM and marketing automation platform. You may import or sync contact lists, lead records, customer information, and communications history. This data belongs to you. We process it solely to provide the service.

Content & Prompts

When you use Maxflow's AI content tools, we receive the prompts, instructions, and creative briefs you provide. Generated content (images, video scripts, social copy) is stored in your account.

Usage & Analytics Data

We automatically collect information about how you use Maxflow: pages visited, features clicked, session duration, error events, and feature usage patterns. This helps us improve the product.

Device & Technical Data

We collect your IP address, browser type, operating system, and device identifiers to provide the service and detect abuse.

Category Examples Source
Identity Name, email, phone, business name You provide directly
Financial Billing address, last 4 digits of card (full card data held by Stripe) Stripe payment processor
CRM / Lead data Customer names, emails, phone numbers, purchase history, notes You import or sync
Content AI prompts, generated images/video, social posts You create via platform
Usage Feature clicks, session activity, API calls Collected automatically
Device / Technical IP address, browser, OS, device ID Collected automatically
Communications Support tickets, chat messages to our team You provide directly

02 How We Use Your Information

We use your information to:

  • Provide and operate the service — account management, lead pipeline, automations, content generation, scheduling, and reporting.
  • Process payments — via Stripe, our PCI-compliant payment processor.
  • Improve the product — aggregate, anonymized usage analytics help us prioritize features and fix bugs.
  • Send service communications — onboarding emails, billing receipts, security alerts, and product updates. You can opt out of marketing emails at any time.
  • Provide customer support — to respond to inquiries and resolve issues.
  • Detect and prevent abuse — to protect the security and integrity of our platform and comply with legal obligations.
  • Comply with law — to respond to lawful requests from courts, regulators, and law enforcement.

We do not use your personal data or your customers' data to train AI models, sell to data brokers, or share with advertisers for their own targeting purposes.

03 AI & Automated Processing

Maxflow uses artificial intelligence and machine learning to power core features. Here's what that means in practice:

Content Generation (Google Gemini)

When you request AI-generated content — images, video scripts, social copy, email drafts — your prompts and contextual data (brand voice, business type, target audience) are sent to Google's Gemini API to generate the output. Google's use of this data is governed by the Google Cloud Data Processing Addendum. Prompts submitted via the Gemini API are not used by Google to train their models by default.

Lead Scoring & Prioritization

Maxflow's AI agent ("Max") automatically scores and prioritizes leads based on engagement signals, response timing, and historical patterns. This is automated processing that influences how leads appear in your pipeline. You can override Max's recommendations at any time.

Automated Follow-Up

Max sends automated SMS and email follow-ups to leads on your behalf. The content of these messages is either AI-generated from your templates or pre-approved by you. You retain full control and can pause, edit, or disable automations at any time.

AI Accuracy: AI-generated content may contain errors or inaccuracies. We recommend reviewing AI output before publishing or sending to customers. Maxflow is not liable for AI-generated content you choose to publish.

04 Data Sharing

We share your data only as described below. We do not sell personal data.

Service Providers

We use trusted third-party providers to operate our platform. Each is bound by a data processing agreement:

  • Supabase — database and authentication infrastructure
  • Stripe — payment processing
  • Google Cloud (Gemini API) — AI content generation
  • ElevenLabs — AI voice/music generation
  • Twilio — SMS delivery for automated follow-ups
  • SendGrid / Resend — transactional email delivery
  • Cloudflare — CDN, DDoS protection, edge performance

Integrations You Enable

When you connect third-party tools (Facebook Ads, Instagram, Google Ads, HubSpot, Salesforce, etc.), data flows between Maxflow and those platforms according to your configuration and those platforms' own privacy policies. You control which integrations are active.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a materially different privacy policy.

Legal Requirements

We may disclose data if required by law, subpoena, court order, or to protect the rights, safety, or property of Maxflow or others.

05 Your Rights

For Everyone

Access

Request a copy of the personal data we hold about you.

Correction

Ask us to correct inaccurate or incomplete information.

Deletion

Request deletion of your personal data ("right to be forgotten").

Portability

Export your data in a machine-readable format.

Opt-Out

Unsubscribe from marketing emails at any time via the link in any email.

Account Deletion

Delete your account and all associated data from Settings or by contacting support.

California Residents (CCPA / CPRA)

If you are a California resident, you have the right to: (1) know what personal information we collect and how it is used; (2) delete your personal information; (3) opt out of the sale or sharing of your personal information (we do not sell or share personal information); (4) non-discrimination for exercising your rights. To submit a request, email [email protected] with "CCPA Request" in the subject line. We will respond within 45 days.

EEA/UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR including the right to restrict processing and to object to processing based on legitimate interests. Our legal bases for processing are: (a) Contract performance — to provide you the service; (b) Legitimate interests — product analytics and security; (c) Consent — marketing emails. To exercise your GDPR rights, email [email protected]. You may also lodge a complaint with your national data protection authority.

06 Data Retention

We retain your data for as long as your account is active and for a period after closure to satisfy legal and audit obligations:

  • Active account data — retained for the life of the account.
  • Account closure — we delete your personal data within 30 days of account deletion, except data we are legally required to retain.
  • Billing records — retained for 7 years for tax and accounting compliance.
  • Support communications — retained for 3 years.
  • Backup systems — encrypted backups may contain your data for up to 90 days after deletion from primary systems.
  • AI-generated content — deleted when you delete the content or close your account.

07 Cookies & Tracking

Maxflow uses cookies and similar technologies. Here's what we use and why:

Category Purpose Can Opt Out?
Essential Session authentication, security tokens, load balancing No (required for service)
Functional Remembering preferences, UI settings Yes
Analytics Understanding how the product is used to improve it (anonymized) Yes
Marketing Measuring ad campaign performance, retargeting (landing pages only) Yes

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core product functionality.

08 SMS & Text Messaging (TCPA)

Maxflow enables automated SMS follow-up to your leads and customers. This section describes your obligations and ours under the Telephone Consumer Protection Act (TCPA) and related regulations.

Your responsibility: You must obtain proper prior written consent from your leads and customers before enabling automated SMS through Maxflow. Maxflow is a tool provider — you are responsible for compliance with TCPA, CTIA guidelines, and applicable state laws governing text message marketing.

How SMS Works on Maxflow

  • Automated SMS is sent via Twilio using a dedicated long code or toll-free number registered to your business.
  • Every automated SMS must include an opt-out mechanism. By default, Maxflow appends "Reply STOP to unsubscribe" to automated messages.
  • Opt-out requests are processed automatically and immediately — contacts who reply STOP will not receive further automated messages.
  • You may not use Maxflow's SMS feature to send unsolicited messages, spam, or messages to contacts who have opted out.

Message Frequency

Message frequency varies by your automation configuration. Standard data and messaging rates may apply to your contacts depending on their carrier and plan.

09 Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access to production systems is restricted to authorized personnel and requires multi-factor authentication.
  • We conduct regular security reviews and vulnerability assessments.
  • Payment card data is handled exclusively by Stripe — we never store full card numbers.

No security system is impenetrable. In the event of a data breach affecting your personal data, we will notify affected users and regulators as required by applicable law (within 72 hours for GDPR-regulated data).

10 Children's Privacy

Maxflow is a business software product intended for use by adults 18 years of age and older. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will delete it promptly.

11 International Data Transfers

Maxflow is operated from the United States. If you access our service from outside the US, your data will be transferred to and processed in the United States, where data protection laws may differ from your country. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transfer.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and by posting a notice in the Maxflow dashboard at least 14 days before changes take effect. Your continued use of Maxflow after the effective date constitutes acceptance of the updated policy.

13 Contact Us

For privacy-related questions, data requests, or to exercise your rights, contact us at:

Maxflow Inc.
Privacy Team
Email: [email protected]
Support: getmaxflow.com/support

We aim to respond to all privacy requests within 10 business days.