Privacy Policy

Last updated: March 2026

1. Data we collect

We collect information you provide directly when you create an account, add properties, or contact us. This includes your name, email address, and any property or financial information you choose to enter.

We also automatically collect certain technical information when you use Hemflow, including IP address, browser type, pages visited, and timestamps. This helps us improve performance and security.

2. How we use your data

We use your data to:

  • Provide and maintain the Hemflow service
  • Process your account registration and manage your subscription
  • Send transactional emails (e.g. confirmation, password reset)
  • Respond to your support requests
  • Improve our product based on usage patterns
  • Comply with legal obligations

We do not sell your personal data to third parties.

3. Data sharing

We share data only with trusted service providers who help us operate Hemflow. These include our database provider (Supabase), email delivery provider (Resend), and payment processor (Polar.sh). All providers are bound by data processing agreements.

We may also disclose data if required by law or to protect the safety and rights of our users.

4. Cookies

Hemflow uses strictly necessary cookies to maintain your authentication session. We do not use advertising cookies or third-party tracking cookies. Session cookies are stored as HttpOnly cookies and are deleted when you sign out.

5. Data retention

We retain your data for as long as your account is active. When you delete your account, your personal data is removed within 90 days. Anonymised, aggregated statistics may be retained indefinitely.

Organisations that are deactivated are soft-deleted and permanently removed after 90 days.

6. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Object to or restrict processing
  • Data portability (export your data)
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@hemflow.com.

7. Security

We take security seriously. All data is encrypted in transit (TLS) and at rest. Authentication is handled by Supabase Auth with HttpOnly cookie sessions. We apply Row-Level Security policies so that each user can only access their own organisation's data.

8. Contact

If you have questions about this Privacy Policy, please contact us at privacy@hemflow.com.