Into the Flavor Inc. - CloseFlow
Data Usage & Retention Policy
Effective date: 24 June 2026 · Last updated: 15 July 2026
In short: this document is a technical companion to our
Privacy Policy.
It describes, in operational detail, where data lives, how it is protected, how long it is kept, and how it is
exported and deleted. Where this document and the Privacy Policy address the same topic, read them together.
1. Purpose
This document explains how CloseFlow handles data through its full lifecycle, from collection to deletion. It is
intended to give Agents and the individuals they serve clear, operational visibility into our practices. It
complements, and does not replace, our Privacy Policy and Terms of Service.
2. Data categories and storage
The table below summarises where each category of data is stored and how it is protected.
| Category | Where it is stored | Encryption | Who can access it |
| Account and Lead records | Primary application database (Hetzner, Germany) | In transit (TLS); secrets within records encrypted at rest | The owning Agent only, enforced at the query layer |
| Communication content and metadata | Primary application database (Hetzner, Germany) | In transit (TLS) | The owning Agent; send pipeline |
| Consent records | Primary application database, append-only log | In transit (TLS) | The owning Agent; read-only in normal use |
| Profile and listing photos | Hetzner Object Storage (Germany), served via uploads.closeflow.ca | In transit (TLS) | Public-read by design (published media) |
| Content assets and document attachments | Cloudflare R2, served via assets.closeflow.ca | In transit (TLS) | The owning Agent; recipients via time-limited links |
| Calendar authorisation tokens | Primary application database | Encrypted at rest (Fernet with HKDF-derived keys) | Calendar sync process only |
| Passwords | Primary application database | Salted hash (bcrypt); never stored in plain text | Authentication process only |
| Backups | Encrypted database backups (Hetzner, Germany) | Encrypted backup archives | Operations, for recovery only |
3. Data lifecycle
Every category of data follows the same general lifecycle:
Collection → Processing → Storage → Retention → Deletion or anonymisation
- Collection: data enters the Service when an Agent signs up, enters a Lead, composes a message, connects an integration, or interacts with a feature.
- Processing: data is used only for the purposes described in the Privacy Policy, such as delivering a message or syncing a calendar.
- Storage: data is stored in the locations set out in Section 2.
- Retention: data is kept for the periods in Section 9 of the Privacy Policy.
- Deletion: at the end of the retention period, or on a valid deletion request, data is securely deleted or anonymised, subject to legally required retention.
4. Artificial-intelligence processing
When an Agent uses an artificial-intelligence feature to draft content:
- The prompt and supporting context the Agent submits are sent to Anthropic (the Claude service) to generate a draft. This context may include a Lead's name and relationship details so that the draft can be personalised.
- The draft returned is shown to the Agent. Only the Agent's reviewed and adopted version is sent to a Lead, never raw output sent automatically.
- Anthropic processes this data as a service provider. Its handling of data is governed by its own privacy policy.
- Where the Service stores voice or style profile samples to match an Agent's tone, those samples are stored within CloseFlow and are not provided to Anthropic to train its models.
The in-app support assistant is a separate AI feature with its own, narrower data flow:
- It answers from CloseFlow's own documentation plus a small set of verified, server-computed account-status facts (plan, plan status, and which integrations are connected). It does not read Lead, message, or billing records, and has no access to an Agent's pipeline data.
- Conversations with the assistant are sent to Anthropic to classify the question and generate an answer, under the same processor terms described above, and are retained for 6 months (see Section 8).
- Questions the assistant cannot answer confidently are routed to a person rather than guessed at; that handoff may create a support ticket containing a summary of the conversation.
5. Communication content handling
- The content of email and SMS messages sent through the Service, together with their metadata, is retained for 7 years to support consent and electronic-message record-keeping aligned with CASL and general business-record practice.
- Each message carries an audit trail recording the sender, recipient, timestamp, the consent reference relied on, and the send status.
- Email delivery and engagement events (delivered, opened, clicked, bounced) are recorded through our email provider to help Agents understand deliverability.
6. Consent management
- The Service maintains a CASL consent log that records, for each consent event, the timestamp, the method and source of consent, and the relevant consent context.
- The consent log is append-only: entries are written once and are not edited by Agents, so the audit trail remains intact.
- Consent records are retained for the lifetime of the account plus a minimum of 3 years after the relevant consent event, consistent with the CASL limitation period.
7. Calendar data lifecycle
Calendar synchronisation is built around data minimisation.
- Authorisation: when an Agent connects Google Calendar, the resulting tokens are encrypted at rest (Fernet with HKDF-derived keys) and used only by the sync process.
- What we read: for external events on a connected calendar, we store only the time ranges of busy periods. We do not read or store event titles, descriptions, locations, or attendees.
- Disconnection: when an Agent disconnects the calendar, we delete the stored tokens and the stored busy-time ranges. Appointments that CloseFlow created in the Agent's Google Calendar remain in Google Calendar; an Agent who wishes to remove them must delete them in Google Calendar directly.
8. Data deletion procedures
- How to request: an Agent can delete their account through in-application settings, or by emailing [email protected].
- Soft deletion: on request, the account is marked deleted and hidden from the interface, with a 30-day grace period during which it can be recovered.
- Hard deletion: after 30 days, personal information is purged from the primary database, and our processors are instructed to delete the relevant data through their own deletion mechanisms.
- Exceptions: some records are retained after account closure where the law requires it. Communication content and metadata are retained for 7 years; consent records for a minimum of 3 years after the consent event; and financial records for 7 years under Canada Revenue Agency rules. Retained data is restricted to those legal purposes.
- Support assistant conversations: chat transcripts with the in-app support assistant are retained for 6 months from the last message in the conversation, then deleted. This is separate from and shorter than the communication-content retention above, reflecting that support conversations are a service-improvement and quality record, not a CASL/consent record. Support tickets and their escalation records (the ticket summary and question, not the full transcript) are business records and are retained for the life of the account, then deleted with it.
- Confirmation: a confirmation of deletion is available on request, normally within 30 days of completion.
9. Data portability
- Self-service export: an Agent can export their data from the account settings area.
- Format: the export is a structured archive containing Leads, calendar events, messages, consent records, and settings.
- Availability: an export remains available for 30 days following a deletion request, so an Agent can retrieve their data before it is purged.
10. Processor data flows
The processors that support the Service are listed in Section 6 of our Privacy Policy,
with their purpose, the data shared, and their location. The summary below describes the direction of data flow.
| Processor | Data sent to processor | Data received back |
| Hetzner | All Service data, for hosting, storage, and backup | Hosted data on retrieval |
| Cloudflare R2 | Uploaded content assets and documents | Stored files on retrieval |
| Anthropic | Prompt and context for a draft; or, for the support assistant, the Agent's question, conversation history, and account-status facts | Generated draft or support-assistant answer text |
| Resend | Recipient email, message content, metadata | Delivery and engagement events |
| Twilio | Recipient phone number, message content | Delivery status, inbound replies |
| Google | Calendar event times; partial address text; form signals | Calendar busy times; address suggestions; bot-risk score |
| Sentry | Technical error diagnostics (no personal information) | None |
Each processor maintains its own sub-processors. Their respective privacy policies, linked in the Privacy Policy, describe those arrangements.
11. Security measures
- Encryption: TLS in transit; Fernet with HKDF-derived keys for secrets at rest; bcrypt for passwords.
- Access control: role-based access, with multi-tenant isolation enforced at the data-query layer so that one Agent cannot access another Agent's data.
- Authentication: two-factor authentication is available, using time-based one-time passwords and recovery codes.
- Audit logging: sensitive actions are logged to support accountability and investigation.
- Vulnerability disclosure: security concerns may be reported to [email protected] (currently routed to [email protected]).
- Breach response: where a breach poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA, and we aim to notify without undue delay.
12. Exercising your rights
The operational procedures for data subject requests are:
- Access: submit a request through account settings or to [email protected]; we respond within 30 days.
- Correction: Agents can correct most data directly; otherwise submit a request, answered within 30 days.
- Deletion: follow the procedure in Section 8; we respond within 30 days.
- Regulator complaint: contact the Office of the Privacy Commissioner of Canada at priv.gc.ca. Residents of Quebec may contact the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
Because Agents control Lead information, a Lead should ordinarily direct a request to the Agent they are dealing with; CloseFlow will facilitate it, as described in our Privacy Policy.
13. Changes to this document
We may update this document from time to time. When we make a material change, we will update the "Last updated"
date above and notify Agents through an in-application notice, by email, or both, before the change takes effect.