Privacy notice
Our role
ExemptionFlow provides business-to-business certificate workflow software. For customer records, certificate files, reviewer notes, and related workflow data submitted by or for an ExemptionFlow customer, that customer controls why the information is processed and ExemptionFlow processes it to provide the service. We independently control account, website, billing, security, and support information used to operate our business.
Information we collect
- Account and profile data, such as name, business email, authentication details, organization, role, and settings.
- Customer and workflow data, including business contacts, customer identifiers, addresses, notes, request history, review decisions, and audit activity.
- Certificate data, which may include files, tax identifiers, signatures, names, addresses, jurisdictions, dates, and related metadata.
- Support communications and information you include when contacting us.
- Subscription and transaction details. Payment-card information is collected and processed by Stripe, not stored by ExemptionFlow.
- Technical and usage data, such as device/browser information, approximate request time, IP address in security and server records, cookies, session identifiers, and privacy-limited product events.
How information is collected
- Directly from account holders, organization administrators, support requesters, and certificate uploaders.
- From an ExemptionFlow customer that imports or enters its own customer and contact records.
- Automatically from the website and service through cookies, server logs, security controls, and product analytics.
- From service providers such as identity, payment, email-delivery, hosting, and infrastructure providers.
How we use information
- Provide, secure, maintain, troubleshoot, and improve account, request, upload, review, reminder, and export workflows.
- Authenticate users, enforce organization roles, prevent misuse, rate-limit requests, and investigate security or reliability incidents.
- Send service communications, including verification, invitation, password-reset, request, reminder, needs-information, billing, and support messages.
- Administer trials, subscriptions, payments, and customer support.
- Understand privacy-limited product adoption and onboarding friction.
- Comply with law, enforce agreements, and establish, exercise, or defend legal claims.
How we disclose information
We may disclose information only as reasonably necessary:
- To the ExemptionFlow customer that controls the relevant workspace and to its authorized members and intended workflow recipients.
- To vendors that provide hosting, databases, private object storage, email delivery, authentication, payments, analytics, security, monitoring, and support services under their applicable terms.
- To professional advisers, auditors, insurers, financing sources, or transaction counterparties subject to appropriate confidentiality obligations.
- To comply with law or lawful process, protect rights and safety, prevent fraud or abuse, or respond to an emergency.
- In connection with a merger, financing, acquisition, reorganization, bankruptcy, or sale of all or part of the business, subject to applicable law.
ExemptionFlow does not sell personal information or share it for cross-context behavioral advertising, and we do not use certificate contents to advertise to individuals.
Product analytics
- PostHog processes privacy-limited page and workflow events on ExemptionFlow's behalf to measure adoption and onboarding drop-off.
- Analytics uses opaque user and organization identifiers; ExemptionFlow does not send user names, email addresses, customer names, certificate contents, filenames, notes, or form input as analytics properties.
- Tokenized invite, verification, reset, and public upload pages are excluded from browser analytics; organization slugs, URL query strings, and fragments are removed before events are sent.
- Session replay is disabled. PostHog is configured to discard client IP data, and server analytics disables geographic enrichment. Hosting and security systems may still process IP addresses for operation and abuse prevention.
Security
We use administrative, technical, and organizational safeguards designed for the nature of the information we process. These include private object storage, organization-scoped access, role checks, signed application file routes, and hashed authentication and upload tokens. No system can be guaranteed completely secure, and you are responsible for protecting credentials and configuring authorized users appropriately.
Retention
We retain information while needed to provide the service, follow customer instructions, maintain security and audit records, resolve disputes, enforce agreements, and meet legal obligations. Some staged import and generated export artifacts are automatically removed on shorter operational schedules. Backup copies may remain for a limited period before deletion or overwrite. A customer may have its own legal retention duties for certificate and tax records.
Your choices and privacy rights
Depending on where you live, you may have rights to request access, correction, deletion, or portability of personal information, or to object to or restrict certain processing. You may also have the right to appeal a decision or use an authorized agent. We do not discriminate for exercising applicable privacy rights.
If your information was submitted to a customer workspace, contact that organization first because it controls the record. You may also email support@exemptionflow.com. We may verify your identity and authority before acting, and applicable law may permit or require us to retain certain information.
Children
ExemptionFlow is a business service and is not directed to children under 18. We do not knowingly collect personal information from children through the service. Contact us if you believe a child has provided information.
International processing
ExemptionFlow and its providers may process information in the United States and other countries where they operate. Those locations may have different data-protection laws than your location. Where required, appropriate transfer safeguards will apply.
Changes and contact
We may update this notice as our practices or legal requirements change. We will post the revised notice here and update the effective date; material changes may also be communicated through the service or by email when appropriate. Questions or privacy requests can be sent to support@exemptionflow.com.